February 25, 2016

Last Updated on January 18, 2024

In a recent gap assessment with a client, the topic of “what’s missing” in their supplier agreements came up. For many organizations, such agreements are considered sufficient if they adequately specify terms of service, vendor and supplier responsibilities and the scope of monitoring activities—in short, the basics that ensure you’re getting what you think you’re getting.
But what about information security concerns? Proprietary and confidential information is the most valuable commodity many organizations possess, and vendor relationships frequently introduce risk to that information.
Thanks to an ever-growing list of high-profile breaches involving vendors, it's well known that vendor risk management (VRM) programs must include information security risks and responsibilities. But I still see quite a few supplier agreements that don't explicitly address information security.
Every business therefore needs to identify the information security risks that suppliers and other third parties pose and implement controls to mitigate them. ISO 27001 Annex A (2013 edition numbering; the 2022 revision carries these requirements forward as controls A.5.19 through A.5.22) specifies the following supplier-related controls:

Annex A reference   Control
A.15.1.1            Information security policy for supplier relationships
A.15.1.2            Addressing security within supplier agreements
A.15.2.1            Monitoring and review of supplier services
A.15.2.2            Managing changes to supplier services

Before you storm your provider’s office demanding a new agreement, let’s take a minute to explain the Annex A controls so you can better arm yourself.
A.15.1.1 – Information security policy for supplier relationships
Establishing a baseline policy for supplier agreements that addresses information security will help reduce risk without hampering your negotiations with suppliers. The policy should set out the requirements for mitigating the risks associated with supplier access to, and interaction with, your organization's information assets.
A.15.1.2 – Addressing security within supplier agreements
Educate your supplier on your requirements by including them in the development of the information security aspects of the agreement, or at least by pointing these aspects out explicitly, so they are well aware of their accountability and its ramifications.
A.15.2.1 – Monitoring and review of supplier services
Continuous monitoring, review and audit of supplier service delivery, including the information security protections the supplier has committed to, can be critical. Ensure that supplier services are in scope when you perform internal audits.
A.15.2.2 – Managing changes to supplier services
When a vendor relationship or the related services change, you need to evaluate whether information security is affected. The periodic reviews you already conduct may be sufficient to address this.
To get expert help with identifying gaps in your information security posture, including unmitigated risks posed by your vendor/supplier relationships, contact Pivot Point Security.