Description
ISO 27001 is an internationally recognized information security standard used in more than 100 countries. When it comes to third-party risk management, it provides a clear framework for identifying and managing supplier risk.
Join compliance expert Thomas Humphreys as he walks through how ISO 27001 applies to third-party risk management.
In this webinar, Thomas:
- Introduces the ISO 27001 standard
- Explains how TPRM fits into the Information Security Management System (ISMS)
- Reviews information security requirements for supplier relationships
- Discusses how to manage supplier service delivery with ISO 27001
The ISO 27001 framework is a useful tool in your compliance arsenal. Watch this on-demand webinar to learn how to apply it to your TPRM program.
Interested in how Prevalent can help you? Request a demo and a strategy call to discuss your project with one of our experts.
Speaker

Thomas Humphreys
Compliance Expert
Transcript
Amanda: Hello. Hello everybody. Here are the numbers growing. It's always so fun to see that when the numbers start growing. Hey everybody, thanks so much for joining us today. While we get set up here, I'm going to launch a poll question. I feel like if you've come to these, you're so used to all these questions, and we want to know if they've ever changed your answer. So, while you're waiting, we'd love to know what's bringing you to this new webinar today here at Prevalent. Are you doing project research? Are you here for education? You don't know where you are? That's fine. You'll learn something from a British chap named Thomas Humphreys, content manager here at Prevalent. And maybe you're a current customer. And if you are, thanks for joining us today. We're going to be talking about assessing third-party risk management with ISO 27001. I'm Amanda. I'm your host today. And Thomas, like I said, will be here joining, and he is going to be giving you all the good content about this. A couple of housekeeping items. You guys, you're all muted. We can't see you either, but we really want you to participate. There is Q&A at the end. And there'll be another poll question at the end, but if you have something that you're interested in asking Thomas, put it into the Q&A, not the chat, because it's a lot easier just to streamline that process through the Q&A. If you have any other questions, definitely put them into the chat when it's not pertaining to the conversation we have today. But that's about it from me. The recording will come tomorrow, or early access today from myself. Be honest with your answers when we ask you questions, because I will be following up. My counterpart Melissa will be following up, and we want to definitely make sure that we can help you guys. So that's about it. So Thomas, I'm gonna let you take it away. I'll end this poll. And let's change the slide here. Hold on. Where? How do I... Where's the thingy? I can't see it. We already have a chat. It's probably not for super... Yes, some of them. We'll get back to you on that one. Okay, let's see here. I'm really failing this, you guys. It's not letting me.
Speaker: Do you want me to try and take control, Amanda, or...
Amanda: You know, there's usually like dots. And it's not letting me do it. Hold on here. We're off to a great start, everybody. Hold on. Let me stop the screen share for a second and re... It's like stuck on my laptop. Okay, it's frozen on my computer. That's probably the problem. Hold on a second. Let's try this again. Here we go. There we go. From beginning, current slideshow. It's not letting me do it.
Speaker: Do you want me to try and...
Amanda: Yeah. Do you want to try? It's like, do you hear the noise? It doesn't like me right now. I don't know why. See, this is why I don't do this, you guys. Yeah, it's frozen on my desktop here. That's off to a great start. But the one you sent me was good to go.
Speaker: Well, no worries. Let me see if I can share my screen.
Amanda: Yeah, I'm not sharing anything. Technical difficulties. Please stand by, everyone. All right. While you're waiting, did everyone enjoy the Super Bowl? How about the halftime show? I mean, it brought me back. I don't know if it brought you guys back, but it was a good time overall.
Speaker: All right. I see your screen. I can see your screen. You're good to go.
Amanda: My screen. I'm gonna go away now. If you guys need me, I'll be here. Good luck on this.
Thomas: Thank you very much, Amanda. And yes, hello everyone. Welcome to this webinar. My name is Thomas Humphreys. I'm the content manager at Prevalent. I build assessments and third-party surveys based on many recognized frameworks, not least ISO 27001 and other privacy and cyber security based frameworks. The purpose today is to go through the 27001 standard and understand how you can use it when going about third-party risk management, focusing on some of the core controls that the framework provides. I'll give a high-level introduction to the standard; hopefully it should be a fairly familiar standard to many. Then I'll go into how third-party management fits into the ISMS, into 27001, focusing on some of the core aspects of the framework, what organizations need to do and how they can approach these key controls. And finally I'll end with what you can do now, for those starting out on third-party risk management for the first time, but also for those who already have a program in place and hopefully find this useful and get some interesting insights into how they can use a standard such as 27001.

Just briefly about myself: prior to joining Prevalent, I was an ISO auditor for just under 10 years, working across certification bodies in the UK and in Singapore. Like many auditors, I started off in ISO 9001 for quality before progressing and moving on to areas such as 27001. As Amanda indicated, throughout today feel free to put any questions you have into the Q&A window or the chat window, and hopefully, time permitting, at the end we can go through some of those Q&As.

To start with the introduction to the ISO 27001 standard: this is an international standard developed by ISO, the international standards organization, and it's their core framework for information security. The crux of the framework is about helping organizations structure governance and risk management around information security and providing a platform for identifying and applying security controls.
Thomas: And as you'll see throughout today's webinar, there's quite a series of controls, some of which are very relevant and directly affect third-party or supplier management. It's interesting to say this is not the first standard focused around 27001. The actual precursor to these was a standard called BS 7799, the British standard, which was developed in 1995. So the concept of an information security management system goes some way back. This was actually developed in accordance with security professionals and also the UK government. And it wasn't until the early 2000s that ISO was engaged to internationalize this and turn it into a wider framework, and the first version, 27001:2005, was released, but it came off the back of the British standard 7799. As you'd expect from most of these standards organizations, they go through review on a periodical basis to make sure that these frameworks are relevant and remain up to date: are new technologies, new and emerging threats and best practices still adequately covered in the existing standard? In this case it was identified that no, there was a need for change, and that brought us to the 2013 edition. Interestingly, there have been further reviews of this framework, but it has been decided since then that actually the 2013 version should still remain current, and so there are no immediate plans to change the 27001 standard. It is worth noting, however, as you'd expect from many of these ISO standards, that this is one within a family of standards. So although they haven't changed 27001, there are wider standards that have been released focusing on how to apply this framework to certain sectors and certain industries, and implementation standards for how to apply and implement the security controls.

The most recent of these, 27002, perhaps the most well-known of the standards outside of 27001, was re-released yesterday, today.
Thomas: So 27002:2022 is the most recent and up-to-date framework that brings in line some newer topics and really addresses some of those topics. It's quite a well-accepted standard. There are more than 40,000 certifications currently in circulation across more than 100 countries, so it is a global framework and a global standard. And it's interesting to note where these certifications are coming in. Given the subject matter that we're going to go through today and what we know about 27001, it's no surprise that information technology and development based organizations have adopted it quite widely. But there are lots of other organizations in the healthcare sector, construction and equipment manufacturing, to name a few, that have adopted it quite openly and understood the need for a 27001 framework.

For those of you who aren't familiar with ISO, and particularly a lot of their core frameworks (9001, 27001, 14001), they're all built around this concept of plan, do, check, act, or PDCA, and again I'll explain how this can be applied when looking at third-party management as well. So there is the plan phase of identifying risk, identifying threats, identifying a governance structure. Then a section of implementation: implementing security controls, policies and procedures based on those risks. Then a continual checking and monitoring process, so continual reviews through internal and external means, audits, management reviews, technical reviews such as audit logging. And then acting on the results of that, and this concept of continual improvement: continually improving the security controls that are in place and the policies, refining them where appropriate, and then even reviewing the risks as well, to say are they fit for purpose, do they remain relevant to us as an organization, or are there new and emerging threats coming up and areas that we need to consider.
Thomas: So the whole concept around these management systems is that they should be a continually evolving, continually improving process, with the ultimate aim of course of maturing, so maturing the security landscape of an organization, for example. So when you think about third-party information security risks, well, there's obviously a lot of risks out there. There's quite a wide-ranging category of risk and type of risk. Perhaps some of the more pertinent, or I guess of recent times, attacks are always worth mentioning. The amount of malicious attacks is increasing, obviously ransomware; just putting some key names out there, some keywords: SolarWinds, Kaseya VSA, Log4j, to name but a few. And we've seen that this is something that's ever increasing across a range of industries and sectors. What's important here is to think not only about how these attacks affect us, but about how they affect our third parties and those organizations that we're relying on to provide a critical service to us, or a critical product or component, for example. So being mindful of this and being able to reach out to vendors and third parties and say, well, how are you dealing with this? This Log4j issue is a really big deal for us in our sector. Were you impacted? How did you approach it? Did you apply the best practices from security bodies, from manufacturers, and so on and so forth?

We're coming up to four, five years now of GDPR being in existence, and of course other local and national standards and regulations such as the California Consumer Privacy Act in the United States, and adjustments that have been made to other national data protection acts. And of course we're seeing increased storage, collection and processing of data, whether it's personal data, or to use a GDPR term, PII, sensitive data or SPI, or corporate data. The volume of data that's being spread around multiple third parties in some cases again is increasing the level of risk and increasing the level of data mapping that's required.
Thomas: Complex supply chains: from a business continuity and disaster recovery perspective, we are certainly seeing in some cases a growing volume of suppliers. We're not just talking about third parties now; we're talking about fourth party, fifth, sixth, seventh, eighth party for some particularly complex cases or complex industries. And of course that brings with it a whole host of changes and a whole host of risks and challenges, thinking about geopolitical and environmental issues and events. So there's the need to understand continuity and contingency planning, both internally as an organization but also for your third parties and how they're managing the supply chain where appropriate. And then of course legal and regulatory pressures, again, are ever increasing in some areas, the financial sector and the legal sector as well, and we're finding more emphasis and more pressure being put on the need to have greater privacy controls and greater security controls. So of course, if you're in one of these sectors where there is more pressure from law enforcement or from the regulators, there's more emphasis for you to make sure you've done your due diligence when engaging those third parties where there could be issues that could result in financial and legal penalties and problems later down the line. So this is just a few, of course, of many third-party security risks and risk types, but it's just extra emphasis to say that it's a good time, if you're not already of course, to start thinking about your wider use of your information assets and how you're using and engaging with third parties, and fourth and fifth parties if necessary as well.

So the question: how does TPRM, third-party risk management, fit into the ISMS, the information security management system? That's a term used to describe or label the ISO 27001 standard.
Thomas: Although by and large 27001 has always been generated to help businesses gain certification for themselves, based on, as we've described, a clear and structured risk management approach, a set of security controls and this PDCA concept (continual improvement, monitoring, review, design and application), we can also apply it when considering, in the broadest sense, how you engage, discuss, review and monitor your third parties. So certainly, thinking about third-party risks themselves: 27001 calls out in quite a lot of detail the need to identify information assets and the need to identify a structure for managing and calculating risk, so risk impact over risk likelihood, for example, and this concept of confidentiality, integrity and availability of information. We can apply this by saying, well, you can use the same approach to analyze your third-party risks: having a systematic approach to identify what's critical to us and what's critical to our information assets, and those that are being supported by or managed by third parties, or where there's an individual component that's helping to provide the bigger picture, the bigger product or end service. So using that systematic approach that 27001 sets out from the beginning, we can help frame how we identify and manage third-party risks, to provide a clear structure and approach to kicking off, documenting, and taking accountability and visibility of risks that would affect you.

There's a catalog of 114 security controls. In 27001 this is called Annex A. It's a list of controls, and the concept is that once an organization has identified its risks through the high-level structure of 27001, there's then a suite of controls, quite wide-ranging, so everything from access control, personnel security, operational and network security, business continuity and secure development, to name but a few. The idea is that once you've identified the risks, you can then apply the suitable control or multiple controls to help manage that risk, treat it, reduce it where appropriate.
Thomas: Obviously the list is not exhaustive, but in a similar way, now that we've identified our third-party risks and the risks that are going to most affect us, what controls do we need to use ourselves, or ask third parties to implement, that are going to address third-party access to, use of or support for information and information assets that they have access to? So we use those security controls, understanding which controls are going to be most appropriate given the type of access and interaction a third party has with our data, our information or our information assets. And then finally, with this concept of continual improvement and the CA of the PDCA cycle, if you will: I've explained that the information security management system, 27001, already sets out clear processes that can be implemented for internal and external auditing, management reviews, audit logging of systems, incident response management and incident recording, and vulnerability and threat management. But of course these are aspects that organizations can use as well to engage with third parties and to make sure that there's a level of monitoring and a frequency of monitoring, and on top of this, of course, the actual performance monitoring and service reporting that can be requested and enforced through contractual arrangements with your third parties. It's always important to mention risk at the end there. I've mentioned risk and might mention risk a few more times today, but it's all about this continual process of saying: when we've got a structure in place to identify the risks for our third parties and to identify what controls are needed, and then, as you'll see, how we apply them from a contractual perspective and from a monitoring perspective, based on changes to the landscape, based on those controls, based on the changing landscape of risk, how is our risk management system performing? Do we need to continually go back and review it? Is it working for us? Is it working based on the type of risks we're facing with our third parties and, in some cases, the wider supply chain?
Thomas: So what I'd like to do now is go into a deeper dive across two core elements that split into five controls as part of this catalog of 114 security controls. This is part of A.15, which is supplier management in the ISMS, and we start with the information security in third-party relationships subheading, going down into information security policies for third-party relationships, and as we'll see further along, looking at the contractual agreements and arrangements, as well as looking at managing and being aware of the supply chain.

So what do we mean by defining a third-party information security policy? 27001 sets some clear guidance and requirements for how policies need to be identified, managed and reviewed, and of course one of these is a policy that talks about how you engage and how you manage your third parties. So what do we mean here? Well, firstly we're looking at third-party types and third-party relationships. In terms of third-party types, think about whether we can break down the type of third parties based on the service they're providing: whether it's service maintenance, whether it's development, application or software development third parties, whether it's other aspects of information access and assets that we need to consider. And then the third-party relationship: well, how do we engage with these third parties? What's the frequency with which we're engaging them? The type of contracts that we need to set up, the level of monitoring and service relationship that we need to build with these third parties. And once we've got this understood, we can then begin to look at what types of information access are required by the third party. Certainly thinking about the type of supplier, the type of IT service, maybe a financial service type, thinking about the type of access that they may need. Do we have third parties that we're engaging with who may have access to our sensitive data?
Thomas: Is it particularly our internal data, our employee data, our own customer data that they need to access, that they need to store based on the type of service they're supplying? And based on that, can we start to break down the level of security, the level of scrutiny and the requirements that we need to ask of them, that we need to dictate that they need to implement? And once we've understood the type of information access required by the third parties, based on the product and service they're supplying, we identify those minimum security requirements and controls, and obviously this is where it brings us back to the wider Annex A selection found in 27001. Some of them will be fairly high level and you'd expect them from all third parties, particularly any that are dealing with or handling any of your information assets: the way they respond to incidents, for example, the way they respond to continuity and contingency, the way they access information assets, whether it's when they're coming on site to do a bit of support or maintenance work, for example, or whether you are sending information over to them and they're managing it on their site, in their infrastructure. So we start to piece together, based on third-party types, based on the type of information and level of access required, what are the most appropriate security controls we need to press upon our third parties? And when we've got to this stage, you're then looking at the monitoring requirements. And again, this may depend on the severity of the third parties. If you're starting to get to the stage where you're calculating or determining tiering of third parties, let's say tier one, tier two, tier three, with tier one being the most critical, providing a mission-critical component or service, and tier three providing supporting services that don't have an overriding bearing on the end product or system, we can then start to piece together, well, what level of monitoring do we need? Do we need monthly, quarterly, biannual or annual service review meetings?
Thomas: Do we need reporting in place where they provide some level of statistics and statistical reporting based on service availability, service uptime, system availability, based on change and change management, as well as those areas that all vendors may need to provide, incident response for example? And then training, in two parts. From an internal training perspective, making staff aware of security requirements when engaging with third parties, if there are some nuances or some particular controls that they need to be aware of and mindful of when engaging, so they ask the relevant questions. Also, if there's a need for training of the third party: for example, if third parties are engaged to come on site to provide maintenance, is there some basic security and privacy awareness training you as a company require the third party to attend? And then of course confidentiality. We've talked about privacy and the potential handling, storage or use of, and access to, sensitive information, and of course confidentiality and non-disclosure are common, as you'd find in many third-party contracts and agreements anyway. So these are six of the key areas that we'd ask companies to consider when starting to develop an information security policy and policy framework. It's a structure to help identify and consistently manage third parties.

And from this we then move on to addressing security within supplier agreements. So capturing information security requirements in agreements, including stating minimum controls, both policy based and technical based; any legal requirements from a data protection or intellectual property perspective; communications, responding to and being given visibility of incidents and problems; business continuity, events and threats; the right to audit; and consideration for fourth or Nth parties, starting to think about the wider supply chain. Do start with the minimum controls.
Thomas: By now we should have reached a stage where we've already identified those risks and we're quite clear on the type of controls and best practices we need to be confident in passing over to a third party, and it gives us the confidence that our data and our information is being protected in the best possible way. So what do I mean by policy based control and technical control? There's always going to be some crossover between the two. Generally speaking, we're looking at information classification, based on the type of data and information that you may be passing or sending across to a vendor or third party to look after. The company will undoubtedly have some level of classification in terms of how it protects the data, what rules should be in place and how the data is handled, how the data is labeled, for example, and how it may even be processed. Employee screening checks: is there going to be a requirement for you to ask third parties who are accessing your information and/or information systems to have some basic due diligence checks when they bring new employees in to work on the project? If you're outsourcing, for example, a key business process to a third party, and there are systems that are holding account-level information, accounts payable, financial information, for example, even employee pay information if you're outsourcing the whole pay process, you want to be sure that the employees who are looking after that and who are helping to manage that pay process have been appropriately vetted where necessary, and at least that there's due diligence that the third party can share on the approaches they've taken. Obviously acceptable use policies, incident response, which we've covered in part, and obviously privacy, thinking about GDPR, thinking about CCPA; there are localized frameworks or regulations in place, and even if there weren't, other basic privacy policy based controls. So a data privacy policy, for example, data privacy requirements and response management. And then of course technical controls to protect the data.
Thomas: So they need to underline and identify access controls, restrictions of access to your information systems based on least privilege, for example; data storage, methods of storing the data, and levels of encryption. If the organization has minimum requirements for AES 256-bit encryption, for example, for data at rest, and a minimum of Transport Layer Security, TLS 1.2 or 1.3, because there are other dated versions that are now defunct and have poor security, it may be necessary for you to insist, and try to enforce where appropriate, that that same level of encryption applies when that data is being transferred to a third party's site or operations. Retention and disposal of data: what happens after a project closes down? Are you happy for third parties to dispose of systems holding data in a secure manner, to certain security standards? Do you require that any such systems are securely returned to the organization through secure courier or other means? And then technical controls to manage privacy through the restriction of access, levels of encryption, and data loss prevention as well. So there's a whole series of controls, and the idea here is that we start to incorporate them as part of the agreement, as part of the contractual requirements. Obviously you've got legal requirements; I mentioned data protection, and there may need to be a method to enforce additional protection based on GDPR requirements, based on the type of data processing and data use that's being managed by a third party. Communication of course is really important: starting to identify key points of contact both internally and from the third party's perspective. So should a breach occur, should an incident occur, how are they going to respond to that? How are they going to communicate it back to yourselves as an organization? And in a similar vein for business continuity as well. The right to audit is a common clause you find in many agreements now.
Thomas: Um it’s not always acted upon but of course if it is it gives an excellent opportunity uh to do a deeper dive into an organization appropriately ring fencing and scoping an audit but the ability to to actually review whether it’s physically or through remote assessments or through surveys um that the controls are in place and and are effective um is always a key key area to consider in in such contracts. And then of course considerations for fourth and end parties. So that visibility of we’re passing you our information assets or we there’s an agreement for you to help develop these or provide us with a a piece of development. Are you outsourcing some of those components to your own third parties? Um just bear with me. I apologize getting slightly dark. Um and so how you manage and the visibility of fourth parties and the visibility of of what levels of data um uh or or access to information systems those fourth parties have have as well. So thinking about how you capture requirements for fourth parties or at least requirements on the third party in terms of the due diligence that you would expect them to do which could include applying some of the information security controls that you’re asking your third party to adhere to as well. So then we move on to the information and communication technology supply chain itself. So being aware of how information assets are supported, used or supplied across the wider supply chain and identifying controls to monitor monitor and manage security risks associated with them. So I think there’s four key aspects we should be looking at here when trying to incorporate and consider well how do we capture supply chain in a third party agreement. So certainly one is critical components and provenence. Are we aware of the origins of a particular component? Is there appropriate traceability from the original supplier or third party through to our immediate engagement up to when it reaches us? 
Thomas: Have you identified the critical components that are generally mission critical, and without which there could be an issue that could result in a security weakness of a product, potentially loss of data, a loss of brand or reputational damage? And so being mindful of this, and being mindful of how far down the supply chain we’re aware of products and services. Obviously, information security controls: I’ve mentioned the controls that we may need to enforce upon our third parties, and it may be necessary to extend these to the fourth and fifth and sixth parties where appropriate as well. So for example, if there’s a particular system; I mentioned business process outsourcing, so let’s say your third party is managing those processes for you. They’re managing the financials of the organization, accounts payable, employee payments and so forth. And they themselves then engage another party to help with the maintenance of those systems. Well, the fact that those fourth parties are now engaging with your third party to help maintain those systems when there are issues, when there are errors, means you need to be confident of the fact that those fourth parties have achieved the level of due diligence, training, awareness, maybe access restriction controls as well, and have signed appropriate NDAs, to make sure that they’re mindful of the systems the fourth parties are engaged with and they’ve applied appropriate security controls as well. Obviously, assurance plays a big part here, and it’s through the performance reviews, through the regular monitoring of the third party and the level of engagement, that you can gain that assurance: both from the provenance perspective, that the products and services the fourth party is supplying are fit for purpose and that they’ve applied the necessary security control and capability, and also that the type of controls, as we’ve mentioned from that example of the third party providing business process outsourcing, have been appropriately applied.
Thomas: Just gaining that assurance and validation from the third party that they’re doing the key checks that you would expect them to perform on the fourth party. And then of course reviewing security risks. So when risks and threats occur, understanding the journey of the component, and how far and how many fourth, fifth, sixth parties are used to deliver the end product back to you, should then be used to help review your own security risks. So going back to those third party risks we’ve established from the outset: do we need to review them? Do we need to adjust them based on knowing the complexities of the supply chain? Is there a need to increase the risk based on this level of complexity, or are we comfortable that the level of due diligence, contingency planning and business continuity has been enacted, has been applied, and that the third party is managing the fourth party in the way that we expect from a security and even from a privacy perspective? Then moving on to the second part, which is third party service delivery management, and this comes from two aspects. One of them is monitoring, audit and review, and then managing changes. So when you think about monitoring, audit and review, so validating that the information security terms and conditions are being met, we can achieve this in three ways. One of them is to conduct regular monitoring reviews of the third party: the performance reviews, the service reports. Secondly, through the use of the right to audit clause where applicable. And then finally, receiving timely communications relating to incident response and problem management, again, where necessary. So, going back to the top here, conducting regular monitoring reviews. I’ve already explained that from a 27001 perspective there are lots of different reviews and management reviews that could be conducted if you’re looking at this internally. And of course, there are service reviews, performance reviews that can be taken with the third parties.
Thomas: The frequency of which of course depends on the criticality of that relationship, the criticality of the third party. It’s not uncommon to see monthly performance reviews of third parties. Nor is it uncommon to see quarterly and half-yearly, if the performance is very strong, if the relationship is very strong, or if the severity of the risk or criticality of that third party is such that it only warrants a half-yearly or even annual performance review. But thinking about the type of controls that we’ve applied at the contractual stage, and helping to build that into service reports that you may request or receive. And this could be anything from reports and statistics on vulnerabilities, changes, even changes to suppliers and the supplier management controls that we’re applying to the third party supplier or the fourth party, as described. So starting to think about what type of statistics we need. Do we need to be assured that those security controls that we’ve asked the third party to apply, access controls, incident controls, information classification controls, whatever it may be, are in place? How can we be sure that those controls are being met? It’s through these regular performance reviews, these updates, and potentially even through service level agreements, objectives, SLAs and targets, that we can help to measure these, based on the frequency and obviously the complexity of these controls. The right to audit, as I mentioned, it’s common to see that. And when we talk about the right to audit, it’s important, particularly nowadays, to look at this: it doesn’t just mean physically turning up at a third party site and conducting a full-blown assessment. You know, the trick here, and the importance here, is to understand and to ring-fence and to scope it correctly.
Thomas: And so it’s clear that if you enact a right to audit, it’s an audit against these functions, these processes, these controls, to make sure that if you’re handing over key information assets, which could be hardware, software, data, whatever the case may be, you want to enact your right to audit to verify that those systems are being secured in the manner in which you’ve agreed with the third party. And then timely communications relating to incident response and problem management. So communication, I say, is very important, particularly the timeliness of it, not least where incidents, threats and vulnerabilities do occur. And this can be both threats that directly impact an information system, for example one that’s being managed by a third party, but even ones that indirectly impact it. You see, some have an immediate impact that’s felt right away, but there may be other systems that have suffered some form of breach or some form of targeted attack, for example, and so it’s enough for you to warrant a further investigation, a further discussion with the third party to say: what action plans are you putting in place, what is your response process, how are you dealing with it from a problem management perspective? And so there are lots of different approaches and techniques to take in terms of monitoring, audit and review. Obviously, it’s important to identify these and to capture these as part of the third party agreements and contracts. Then we move on to managing changes to third party services. So assessing changes to third parties and the impact on business information systems and processes. So again three areas should be considered: organizational change, changes to service provision, and agreement changes. I’ll start at the bottom. That’s, I guess, more clear. Obviously there’s always going to be a need to formally review contractual agreements, particularly when processes change, systems change, if there’s a need to expand service delivery or to reduce service delivery, and having that formal process of working with a third party and understanding how these changes impact both yourself and themselves as well.
Thomas: And obviously the risks that may be incurred, the increase or reduction of risk in some cases, based on how an agreement is being changed or adjusted. Then, back to the organizational change perspective: new system development, modification to policies, new controls. So if the organization, the third party you’ve engaged with, is updating their security policies, privacy policies, for example maybe employee recruitment policies, anything that may have an impact, or they’re applying new controls, they’ve enhanced some security controls and they’ve got a stronger authentication system for example, or they’re strengthening other controls based on replacement of an aged system, for example. Of course, these are all positive changes that should hopefully benefit yourselves as an organization. So being mindful and being made aware of such changes can help to understand and reduce some of the risk that you’ve initially applied to the third party. And in a similar vein, changes to service provision: the adoption of new products or newer versions and releases of systems. So if third parties have made the decision to improve, for example, systems to capture information related to incidents and change management, that may be a positive thing. It means you may then be subject to greater levels of detail when changes occur. Should an incident occur, there may be a greater depth of knowledge that’s captured as part of these enhanced products or updated versions. But then there are other critical areas to consider as well. Changing location of service facilities, for example. So if you have engaged with the third party to handle some of your information or information assets, and the initial agreement was that these would be held in a particular geography, certainly thinking about data privacy, for example, and let’s say GDPR from a European perspective, if the third party now requests or is now proposing a move from that facility to a different facility, well, that can obviously have a massive impact on the organization.
Thomas: Again positively or negatively, depending on the type of facility move or location move, and so being made aware of this in a timely manner is absolutely critical, particularly if it means a review of security controls or privacy-based controls if they’re moving geographies or moving locations. And of course change to suppliers as well. As I say, the supply chain is ever increasing, and there are some sectors where it is increasing to the fourth, fifth, sixth, sort of seventh degree. And so of course if your third party changes suppliers, and they add a new supplier to help better deliver a service, to provide a more structured service, for example, or because there’s been an incident, something that’s affected one of their suppliers down the chain, and they would like to move and change suppliers, if this affects you directly or indirectly, then it’s obviously critical that the organization is made aware of this and has appropriate time to consider this, to review it, to engage the third party to understand the risk, the complexity, and of course to challenge it as well, particularly if it’s something that’s going to greatly impact the information systems or solutions or information assets that the third party is using. So at this stage we’ll do a quick review. We’ve looked at, widely speaking, how the ISMS, ISO 27001, can be used to help identify third party risk and identify and apply appropriate controls through its clearly crafted risk management process, its use of the Annex A 114 controls, and then of course the processes that you need to capture those information security requirements from a contractual perspective, and then have the process of continual monitoring, continual review, managing and reviewing and monitoring changes, and being aware of the wider supply chain. So what do we need to do now?
Thomas: If you’re just starting out on this process, the first step really is to start to identify your third parties. Start to identify and tier and even profile your third parties based on the criticality to the business, based on the type of information assets they’re using, they’re accessing, they’re being given access to. So starting to adopt a rating for third parties based on the criticality. So high, medium, low; red, amber, green; tier ones, tier twos, tier threes, whatever the case may be. Tiering can help you structure your third parties and to say these are the most critical, these are mission critical to our end product and service delivery or our end customer, and these are critical for us but are not going to give us too much concern from a risk perspective. And then obviously profile the third parties to help deliver that as well, to help identify the tier category. So type of service being provided, type of data being handled, geographic location, whatever it may be, enough to paint you a picture of what that third party does and what suppliers and fourth parties they’re engaged with as well. And once we’ve got this under our belt, we can then start to develop the risk assessment process. So as I said, the strength of 27001 is the clearly defined risk approach to identify and manage risks. So certainly starting with identifying third party access to or support of your information assets. What information assets do you have as a business, and which ones are being used, managed, supported by third parties? Identifying the risk calculation, so impact over likelihood plus CIA: confidentiality, integrity and availability. That’s confidentiality of information, integrity of information, and availability of information. So thinking about the risk of a loss of CIA when thinking about creating and calculating your risk framework. And then finally, identifying a method of recording the risk.
Thomas: Do you record risk through spreadsheets, through platforms, through a blend of both? Which approach are you taking to make sure you stay on top of it, and that allows you to continually update and review your risks? Thirdly, conducting the third party risk assessment itself. So identifying third party access to the assets, identifying the threats and vulnerabilities. So, right at the front, the cyber security risks, business continuity risks, geopolitical risks, environmental and privacy risks, whatever the case may be. Identify those threats and vulnerabilities most critical to the organization and how you’ll be affected by your third parties. Obviously, the likelihood of occurrence of those threats and vulnerabilities, and then identifying and selecting those controls. Again, mentioning that 27001 is not exhaustive, but the 114 controls that it does include, from access to operational and network security and so forth, do provide a good backdrop or backbone to start to build up a collection of controls that are most appropriate and that you need to enforce upon your third parties. And then finally, creating and executing a plan to address the risks. So, developing that third party information security policy, underlining control factors, security controls, privacy controls within third party agreements and contracts, and incorporating supply chain requirements where appropriate. And then finally, checking and acting. So, the PDCA side, the check and the act on your third parties. So, the continual monitoring review, performance review, setting targets and SLAs, and the continuous improvement through reviewing the risks, through reviewing new risks, new and emerging areas that you need to maybe enhance, and bringing in new controls to deal with them, based on the third party engagement, based on the type of information assets that they’re managing for you. I’m going to pause there for now. I believe there are a few more sections that my colleague Scott may be covering. So at this stage I’ll hand back to yourself, Amanda.
Amanda: Yep. Scott’s going to take over. Thomas, if you want to skip through a couple of slides to... let’s see here.
Scott: Yeah, let’s go right to the checklist slides. Checklist would be great. There you go. That’s it. That’s all I wanted to share. Just a quick note to kind of draft off of what Thomas has talked about in terms of best practices and setting up your framework and kind of unifying your questioning structures. Prevalent’s platform capabilities help you to assess your vendors based on these standards in a way that unifies the intelligence and helps you very quickly clarify what those control deficiencies are and what you need to do to fix them. From there, to give you a head start, we published something called the ISO and Third-Party Risk Management Checklist. It runs through the third party and supplier risk management requirements as they apply to the ISMS, then defines specific capabilities you need to look for in a solution, and then maps Prevalent into those requirements as well. We’ll follow up with a link for you to download the paper on your own, but we provided it here if you can type really fast. And this is a great asset for you to map against your existing ISO requirements and practices, and what best practices look like from a third-party perspective. So, that’s the only commercial I wanted to offer. I see a ton of questions coming through and they’re all great ones. So, I’m going to stop talking and flip it back over to the expert.
Amanda: Which is not me, but I’m going to ask. Okay, you guys. I know we’re pressed for time here. I just threw up a poll question. It’s self-explanatory. I won’t even read it. You guys see it there. Let’s get to some Q&A right away. I’m going to go as fast as I can here from the top of the Q&A. If you put it in the chat, I’m sorry, I cannot scroll through right now. It’s so much. But okay, first one is: why have certain sectors such as healthcare been more receptive to applying 27001?
Thomas: That’s a really good question. It’s one that we try and stay on top of: which sectors are more interested than others. I think, certainly from the UK, there have been some malicious attacks over the past several years that have certainly impacted some healthcare systems and healthcare organizations, and sometimes that’s all it needs, the driver for regulatory bodies to say we need to start implementing a platform like 27001, given how global it is, how recognized it is as a best practice standard. Sometimes that’s all it needs to help drive that. Typically where an industry adopts it, it’s coming from either pressure from industry leaders or from regulators. That tends to be where we find more. There’s always a few surprises in there. I think I mentioned the construction industry. They have just 300 certifications, I believe, currently, and some of the manufacturing industries have between 300 to 400 certifications, and this is obviously on a global scale. Of course, it’s higher, to point out. Yes.
Amanda: Okay, perfect. So the next one is: are the 114 controls ranked by importance?
Thomas: They’re not, no. So the concept is, these 114 controls, as I say, are split across quite a wide variety of subjects and subject matters. I mentioned access control and system development, but no, they’re not prioritized in that sense. So the purpose is, when an organization conducts a risk assessment through 27001, once you know the risks, and particularly once you know the risk to the CIA, confidentiality, integrity and availability, so the theory goes, once you know that, for example, the risk is greatest against a loss of confidentiality of data, you can then work out through the 114 controls which are the best controls you should be applying to help reduce the risk of a loss of confidentiality of data. But no, they’re definitely not prioritized. It very much depends on the type of business, the industry you’re in, and obviously the size and complexity of the business as well.
Amanda: Okay, next question is: if a risk is already mitigated by a control, what do you do with it? Not include it as part of the risk assessment, or classify it as low residual risk, or is that not a risk to begin with?
Thomas: Can you repeat the question, Amanda?
Amanda: If a risk is already mitigated by a control, what do you do with it?
Thomas: So the risk is already mitigated. So if you’ve identified a risk and you know that there are mitigations, there are controls, policies, procedures, whatever it may be, training in place, that has helped to lower the risk to such a degree that you can safely say we’ve mitigated it. It could be simple enough to just maintain visibility of that risk, but you may not need to do anything further with it. You may need to address it and come back to it, of course, if something changes that warrants it, where there’s a chance that risk could then increase. So, for example, if the original controls that were applied when you believed you had mitigated that risk have changed, they’ve been reduced, or if that risk itself has become enhanced through new and emerging threats that are coming up. And this is why it’s so important to do the continual review of risks, to make sure that the risks you’ve initially identified, and hopefully have been mitigated or treated, have remained so. And if they haven’t, and if they have increased, we can then review again and say, well, what additional controls or which additional actions can we take or should we take to bring this back down to a level as a business that we are comfortable with?
Amanda: So I’m going at random here for everybody. Another question is: are there sample right to audit clauses that one can incorporate in an agreement? Would a cloud service provider be penalized?
Thomas: Would a cloud service provider be penalized? That’s an interesting one. Will they be penalized? I mean, it all comes back, I guess, in part to the legal aspect of contracts. That is an interesting area that we do find a lot if you’re talking about some of these very large multinational companies: to say, you know, we’d like to audit you, and a typical response could be, no, we do not entertain audits. I guess partly because if they allowed one, they’d allow everyone to potentially audit. And what we typically see there is they say, “However, we are multi-certified. We have 27001. We have 22301 for business continuity. We have SOC assessments, and we can provide you with a lot of these certifications that we have across all our data centers, for example, or our critical infrastructure.” If you cannot apply the right to audit, obviously there are other methods, there should be other ways to still review the security controls that are in place, particularly with some of those organizations that say we are 27001 certified, for example, we are SOC certified, we have 22301 for business continuity. There is other information you can find out to give comfort to yourself that they do have sufficient control capability in place, and that may be enough. But yes, the right to audit, as I say, can be a contentious issue sometimes, but if you do have the ability to put it in place, to say, based on our agreement with you, based on the level of service you’re providing, we require an assessment of your controls that we’ve agreed that you’ll apply, as I say. And what’s interesting here is it may traditionally have meant a physical on-site audit, as you would have with an ISO auditor coming on site, but nowadays it could be a remote review. It could be another review that’s counted as an audit.
Amanda: Yeah. Well, thank you so much, Thomas. Unfortunately, that is all we have time for. We’re already a few minutes over, but if your question was not answered, please reach out to us at [email protected]. We’ll make sure to get those answered for you, but we really do appreciate all of your time, and those who stayed a little extra. So many questions. I wish we had more time for it, but definitely for those that are interested in knowing those answers, please reach out to us and we will get those questions answered for you. Thank you to Scott as well. Thomas, always a pleasure to see you, and I hope to see you all in the next one. Thank you all for your time today. Bye.
Thomas: Thank you.

©2025 Mitratech, Inc. All rights reserved.