ISO-Normen und Risikomanagement für Dritte: Pro und Kontra

Ashley: Hello and welcome everybody. We are stoked to have you all. Uh I’m going to give you guys all a minute while we wait for everyone to get situated and dialed in. But in the meantime, I’m going to go ahead and launch our first poll. We’re just curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of your third party risk management program? A current prevalent customer? Are you lost? Let us know. Can’t forget about some introductions here. My name is Ashley and I work in business development here at Prevalent and we are joined with three very special guests. Uh our very own project director Joe Toli. Hey Joe. Joe: Hi everyone. Pleasure to uh meet you all today. Ashley: Our very own content manager Thomas Humphre. How’s it going Thomas? Thomas: Afternoon. Good morning. All good. Ashley: And our very own VP of product marketing Scott Lang. Hey Scott. Scott: Hey Ashley. Uh and just a quick reminder, this webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after the webinar. Uh you’re all currently muted, but we do love to see participation, so please put any questions in our Q&A box so we can go over them at the end of the webinar. Today, Thomas and Joe are going to be exploring the pros and cons of using ISO standards in your TPRM program. So, gentlemen, I’ll pitch things over to you. Thomas: Fantastic. Thank you, Ashley. And yes, hello everyone. Um very good morning, afternoon and evening forever where wherever you are calling from. Um and today yes we’ll be sharing with you um some tips and overall thoughts around pros and cons of using ISO standards specifically obviously the ISO uh security standards uh in your TPRM program. Um I think we’ve already covered some of the housekeeping and um hopefully we should have time obviously at the end uh for Q&A as always. Um that as as Ashley has indicated um please obviously keep them coming throughout throughout the presentation and in the relevant uh QA section. A very brief introduction to both of myself and Joe. So uh I am the content manager. Um I’ve been with Prevalent for just over five years now. Um and working heavily in developing um assessments frameworks based on the likes of ISO standards, NIST standards um and other regulations and law. pertaining to information security and I’m joined by my colleague Joe. Joe: Hi, pleasure to meet you all today. I’m Joe Tolley, the project direct director at Prevalent. I spend a lot of time working with clients to get their programs stood up and live and uh as efficient as possible. Um, often seeing clients use a number of different standards or, you know, assessment types or question sets within their program. So, looking forward today to actually learning something from Thomas Humphre uh about ISO 27. 36. So looking forward to the session. Thomas: So thank you Joe. Let’s um dive right into the agenda. So we’ll start with having a get to know the ISO security standards overall before starting to sort of tease in the third party element, third party risk management element and where it sits um within those ISO standards. We then take a wider look at how we can map TPM practices across the 27,0001 and bringing in some of those other standards that Joe alludes to such as 27,036. We’ll then look at overall thinking about some of the pros, some of the cons of using these ISO security standards. Um whether you’re a obviously just starting out in your TPM program or um uh this is this is an existing exercise and you’re looking maybe to switch standards and and need to give some thought to to to what ISO means for you. And then as always, an overall sum and some of the key takeaways, some of the key lessons learned and key points we’d like to consider um the next time we’re back in our office or or or just starting that discussion um around our third party program. So we start with getting to know the ISO standards. So as you know the demand for third party services is ever increasing um particularly over the last 12 to 18 months. Uh there’s a continued reliance on different services, different products, some specialist services um and products or outsourcing critical business components. Um perhaps more importantly, however, we’re seeing a growing threat um across not only software but across the supply chain um overall. Um we have to look at what’s happening in the past few weeks and months with the likes of the Move It vulnerability and other vulnerabilities, ransomware and fishing attacks over the past couple of years. And what’s been interesting there is not only has it targeted um prominent and notable applications and solutions, but the fact that it’s hit supply chains across different parts of the process, different parts of the end-to-end life cycle. And of course with more and more uh third parties or suppliers and the the increase in that landscape means an increase or potential to increase distribution of product, service and support particularly across multiple geographies and again bringing its own set of risks when you’re dealing with companies across across the world. Um particularly in areas of particularly um sort of sensitive nature whether it’s environmental risks, geopolitical risks and so on and so forth. It’s also obvious it’s important to to build a a a strong core through your your your third party management process and it requires maintaining control of those third parties through strategic thinking. Um those of you who amiliar with um PDCA. Um this is a common um uh acronym that’s used by ISU ISO sorry and means plan, do, check, act. And this is something that we always need to think about um particularly when engaging with um any ISO standard but not least 27,000 or the 27,000 series of standards. And it’s taking across this concept of with careful planning, careful governance and the governance approach. So setting right from the top um objectives, targets, roles, and scene setting will then help enable us to to do to take action to identify risk and controls and plans to address risk. And that continual process of always checking what we’re doing. Um are we do what you do, say what you do, and please show us? Making sure that whatever we’re doing is constantly checked, constantly reviewed. Um and then obviously acting on it as well, having a process, having a governance approach. to making sure that where risk is identified, where there are concerns across, in this case, the third party landscape, we’re taking appropriate action to make sure those risks are minimized um um in in in in the best way possible. So, we started getting to know these ISO security standards. So, ISO the international standards organization uh 27,0001 is the international standard on information security. It’s one of the older uh standards across ISO’s um sort of set of of of recognized frameworks and ultimately it’s it’s a framework that sets the scene around providing security risk um and and a very well- definfined risk structure or risk approach and then building controls around that to protect what ISO calls the confidentiality, integrity and availability of information and information assets. Um it’s the only certifiable standard across the family. Um it’s important just to understand what this means when I say family. So it’s very common for ISO to build a certifiable standard, the one that uh independent auditors can assess organizations against, provide certification against, but more often than not, you then see a series of other standards that can help complement that initial certified standard. So in this case, we have two more 27,000 2 that takes the controls of 27,01 but provides very clear and very detailed implementation guidelines on how you address these controls, how you implement them, key considerations. There’s another perhaps more newer, more recent uh framework called 27,036 which is a supply relationship standard and this is still under the banner of 27,000 families and still under the banner of information security. This is a unique standard that it focuses purely on the supply chain life cycle. Um from initial acquisition of a supplier all the way through to the end and exit agreements and and and completion of uh contracts and agreements with the supplier and all the necessary and person aspects from A to Z. Joe: And Tom, a few questions from me on um 2017 specifically is Is this a a newer standard that’s been introduced? Um, obviously supplier relationship management is uh is more of an important and critical thing nowadays. I’m just wondering if this is a new standard or something that’s recently been developed. Thomas: So, it’s been around a few years. Um, I believe the initial uh 27,06 uh it was around the 2013 2014. So, not as long as 27,01 or its um uh originator the British standard 7799. These are frameworks that have been around for many many years um I think just over 20 years now so 36 is very much newer concept um but um given the timeline I think it’s quite um uh well yes it’s quite timely that ISO have brought this out given the uh everinccreasing interest and focus around um supply chain risk management in the wider life cycle um and it and it’s it’s an interesting framework because as I say it’s specific to supply relationship it actually mirrors um some other similar framework such as NIST uh 800161 around cyber security supply chain risk management. Um and so it really provides that good implementation and guidance around how to set up and and and engage with your suppliers from acquisition through to contract. Joe: Yeah. So it sounds like there’s some really good value with um with that particular standard in developing your own internal supplier relationship program. Um and we commonly see our clients and organizations assess their suppliers against the 27,01 standard um against the annexa 8 controls. Is there value in just leveraging 27,036 for developing your own program or is there also some uh value in leveraging some of the content from that standard in assessing suppliers so that we can make sure that they’re managing suppliers correctly? Pretty much taking a a bit of management of that fourth party question, you know, how are our suppliers managing their own third parties. Thomas: Yes. Um yeah, it’s a very good question. It’s um I guess technically you could use it for both. Um so 27,0006 what’s interesting about it is um personally I’d say a good starting point is for your own internal use because it really helps set the scene around acquisition strategy for example um building that strategic approach and working out you know how do we build contracts but at the same time yes thinking about your own third party engagement and how they if they’re dealing with critical suppliers dealing with critical um or accessing say critical security components or or or systems or information um certainly there is benefit to looking at well how is that third party for example shaping their own contracts with their third parties your fourth parties and so forth so it does have application both ways um I think personally though I think there’s a lot more strength um implementing internally um as an organization Joe: Thanks Tom. Thomas: Yes 7,0001’s always provided um requirements level requirements for identifying and managing uh security within third parties and the wider supply chain. Now um it’s probably worth mentioning um very recently within the last eight months I guess now um 27,000 went for an update. Um it’s the first time since 2013. So a new 27 2001 2022 standard has come out. Um and these four areas have remained um they have been enhanced um and we can see that through the use of 27,02 but the purpose of these areas within 27,0001 remains. So the idea about the need to identify information security when dealing with suppliers and the wider supplier relationship working out what information security controls and requirements uh need to be included within an agreement. within a contract. So when you’re first setting up a contract with a third party or supplier, um looking at how security is developed across the wide supply chain. So not your immediate um organization but the wider sort of fourth and 10th parties where appropriate and that continual process to monitor, review um address address changes in a supplier service. So when a new service comes up um that process to say well how does that affect us as a business? So these four areas have remained since the 2013 version, they still remain in the 2022 version. Um, it’s important to obviously recognize that it’s not just these four areas, but there are other aspects of the framework of the of the standard that touch on the needs for supply uh for suppliers or or or the use of a supply chain. Um, for example, in system development, if you outsource development, yet the requirement for outsourcing um development activity still remains or the use of outsourced uh maintenance um um of of say hardware and systems. So that still remains but this focus is very much on dealing with the supply chain um and the supplier relationship level. Um and as I say with 27,0002 um the purpose is very much to take those four aspects and enhance them. So so what do we mean by a supplier agreement and considerations for information security for example? Joe: Yeah I take it Tom. Um so here we have have on on the screen the ISO 27,01 sort of areas that are that are managed relating to supplier management. Um and then the 36 version does it cover the same areas? I’m just wondering if we could clarify the sort of value that one offers over another uh when looking at these sort of areas that exist in both. Thomas: AB absolutely yes. So um to repeat from the beginning um it’s important to recognize that 27,1 is is the only certifiable standards. That’s the standard that say an independent auditor certification body will be looking at um if they’re going out and assessing an organization. So focusing very much on the requirement from 27,0001. Um as you expect from a certification standard, it can be very prescriptive. So a lot of should statements. So organizations should um uh develop or identify security in a relationship. They should um develop practices to monitor, review and address change. 36 also has should statements but it’s it’s very much a wider bore brush almost like a checklist in many ways. It’s it’s it’s looking at guidance in terms of let’s look at supply agreement in more detail. These are all the considerations. Obviously yes there is a lot of close collaboration as you’d expect the fact that they’re all part of the same family. Um but um I guess the best way to think about it is standards like 36 and there are many other families of standards that touch on sector specific controls and uh technological controls as well. They can be seen as enhancements. So they can take a 27,000 control and they can enhance it through extra considerations or extra thought um um to sort of grow or perhaps mature um a 27,0001 control. Joe: Yeah. So 27,0001 has the more sort of binary approach to controls. The control requirements are they met? And then 36 offers more guidance and considerations about the program. Does that sound correct? Thomas: Yes, absolutely. Um, and this is where we could start to see there can be a good benefit to particularly well regardless of whether you’re going for certification or not, but using a certification standard, but then adapting or or building on it with these best practice guidance, whether it’s to grow industry specific security controls or um topic specific such as supply chain um and supply relationships. Thomas: Brilliant. So, So when taken with the wide set of security standards, we can see a lot of similarity and depth to enhance how we approach third party risk in a similar vein to what we’ve just been discussing. So we’ve got these three standards uh double2 and 36. Um certainly easier to say than 27,000 each time. So as explained, you’ve got four core controls that are specific to supplier information security um in 27,01. Um beyond that, are 89 additional controls. It’s actually a reduction since the uh uh uh 2013 standard. And these are controls that fit across the wider range of security matters. So from access control to personnel security, business continuity, so on and so forth. And underpinning 27,01 of the controls is this very well- definfined um and thorough risk management framework and there that I’ll touch on in a short while. Tren 7,0002 t those same uh uh controls formerly they are called annexa controls so these 93 um um security controls and it provides enhanced guidance on how they’re to be implemented. Um so for example um where a control in 2701 says an access management policy or an access control policy should be developed 2702 will expand that and say these are the areas that you should consider putting into your access control policy. So it gives again in a similar vein to 36 it gives a wider sort of uh guidance on how you can implement each individual control and then finally in 36 so follows again a similar process to 800161 if anyone’s familiar with that NIST framework which is supply chain cyber security supply chain risk management and it’s that methodical approach for the end to end life cycle process from acquisition of supplier profiling and tiering suppliers through to building a contract identifying controls. So it’s that very methodical approach to working out what requirements should we have or should we consider when we’re going through that process. Um so it leans obviously again very heavily on on 27,000 best practice or or or requirements but takes that wider approach on the supply chain program. Joe: Yeah. So for organizations that currently align or are certified to 27,0001 Thomas: Yes. Joe: that doesn’t provide assurance that all of the considerations from 36 are covered. These are there is going to be some overlap, but there’s going to be more information and more guidance and consideration advice uh within 36. So, it sounds to me like there’s going to be some some huge value in organizations actually using 36 as more of a standalone exercise to review those considerations, you know, aside from 27,0001 completely just to see whether they have incorporated some of those points in the program and if not they can start to leverage it to pl to create some plan of action some objectives for the program um set some success criteria over next quarter to start working towards you know ticking some of these considerations off Thomas: absolutely I mean I think I used the term checklist earlier on you can imagine as a business if if you’re looking at following a consistent framework um to take uh 36 and use it as say it’s not certifiable but certainly as as s of self um sort of attestation almost to use that as that checklist piece to say well we need to develop third party contracts. We need to build security in there. We’re not too sure where to start. Here’s a very detailed approach on these are the areas you should be considering um um when developing a contract or when building in security consideration within a third party contract. So absolutely yes in terms of indep internal um say of self attistation and and and um of improvement of your process. And I that’s the other thing to take as well. It could be used not just for a company that’s never done this before in supply chain management, but anyone who’s who’s already got an existing program. Um like any of these standards, it could still be useful to explore and understand are there’s best practices, are there tricks that we’re missing? Joe: yeah. Joe: Yeah. And I’m assuming um as this standard is updated as well, this isn’t a a oneanddone type exercise where you check alignment, check the considerations off. It’s going to change based on updates to the standard, but also updates to your approach internally. If you’re dealing with new suppliers or more critical suppliers than you were last year, there’s going to be different ways of approaching those and and adjusting your, you know, internal processes to to suit that as well. Thomas: Absolutely. And and yes, you sort of hit the nail on the head there. Um, like any standard ISO, regularly review them. Um, they don’t always come out on a yearly basis, but yes, they do regularly update them. to make sure they’re they’re still fit for purpose. And and in that context, yes, you can imagine if you’re starting to develop new business lines, for example, uh new product um or services um then there’s a lot of value in saying, well, this is new to us as an organization. Let’s go back and make sure that what we’re doing for other um sort of service lines still marries up to what we’re doing with this new service line. Joe: Yeah. And I’m sure there’s going to be lessons learned each year you review these as well. You know, did the contract um pro vent you from being able to conduct an audit when you needed to or be able to communicate to the supplier as and when you needed to or within a particular time scale for example. Um yeah, I can see this as a continuous evolutionary process to uh make sure some of these processes are up to date and you know efficient as well. Thomas: Absolutely. Continued improvement is the way to go. Joe, Joe: it’s favorite terminology amongst ISO and and ISO waterers as well. Joe: Yeah, you’ve already taught me a new analogy from your starting slides which I’ve noted down. Enjoy. Thomas: Fantastic. Thomas: So let’s think ahead more around general mapping tar and practices and sort of how it can fit into 27,0001 and 27,06 and for that matter 27,0002 controls as well. So using requirements from 01 36 and 02 can shape how we address a broader topic of TPRM. So if you think about from the top level. If we’re just starting out looking at all how do you go about identifying suppliers? How about go about identifying what type of suppliers we need and what they fit into in terms you know profiling and tiering criticality of supply based on product and service. And this is an example in 27,036 through two controls on the right hand side. 611 the acquisition process 612 the supply process. And these areas that talk about the overall supplier selection criteria and developing a framework, developing a strategy in terms of who takes ownership, who’s managing the the overall supplier selection. Um is there a formal go sort of yes or no um process and what areas do you need to consider when looking at brand new suppliers? Um it’s also helped set the start for defining how do we go about um uh defining security requirements? What considerations do we need? um from the get- go. So, we can see where 36 perhaps more so than 27,01 can really drive into a bit more detail around again those checks and balances around um do we need to consider these areas. Do we need to look at um risk in this manner right from the start when when when acquiring a third party? But as well as perhaps some questions we might be asking um if we’re looking at the concept of profiling and tiering or categorizing third parties as well. Um, and what’s interesting about 36, um, is I say it still has those control numbers. Um, so from a guidance standpoint, this is where it can still be very valuable for an organization where you could take 36 in isolation regardless of whether you’re certified to 27,000 or not and use it to sort of selfassess and and provide that that sort of checklist um, for validation approach. Have you considered all of these steps in acquisition or the supply chain or or or supply review? process. Joe: Yeah. And um one thing I’ve uh sort of discovered from working with clients is this is often one of the the downfalls of programs is this onboarding process. You know, it not being fit for purpose or not collecting the right attributes about a vendor that can help further along down the line when it comes to the type of assessments that are required, the remediation process. Um so I’m wondering here whether this is more sort of a a process um exercise of making sure that we have reviewed the types of things we ask a point of on boarding or whether it goes to the real specifics of attributes that determine that a vendor is a tier one. You know where’s that line that this standard stops and there’s actually requirements for sort of internal exercises to make some some decisions on the the specifics. Thomas: Yes. Yes. Interesting question. So 36 it’s say it’s it’s firstly it should already be taken is a guidance standard. Um so it will not always be as prescriptive as say a regulation or or or certifiable standard but it does go to a relatively granular level um um so if I take the example of um contracts um as we’ll see later down the line it does touch on recommendations in terms of what security controls uh a company should consider. So should you consider um controls around instant management or instant reporting for example or change management and change reporting So where third party changes operations or processes or technology or if they suffer a data breach for example. And so it does start to um give some good clear sort of guidelines and expectations in terms of these are perhaps the controls we should be asking our third parties or incorporating into agreements or incorporating into questionnaires or whatever the approach is. So it does go to a certain level. Um and it’s important to note as well that um any of those considerations um are aligned to the 27,000 controls. So at the at the back of 36, it does have a one for one mapping. So for example, where 27,0001 touches on um the need for background checks for staff, staff contractors coming on site, there’ll be a similar human resource control within 36 that touches on consideration from a supply standpoint and and and some of the controls whereas you can consider um if if you need to go through background checks with the third party. Um so it is interesting that it does provide a level of granular detail but at the same time remaining relatively wide um um I guess as you’d expect with an ISO standard um being that they need to be adopted by any industry sector and size of business. Joe: Yeah, of course. I mean every organization is going to have a slightly different risk appetite going to engage with different different types of vendors and different services. Um so yeah that makes sense. It makes a more universal approach. Thomas: Very much so. Absolutely. Thomas: Thinking ahead to our next key point is obviously defining those information security requirements. So thinking back to 27,0001 controls saying a have you identified where information security sits in the supply chain but secondly where it sits in terms of contracts. What controls do we need to make mandatory for suppliers for example um before we engage with them and and than their service offering. And from a 27,0001 perspective, we’re looking at this risk management methodology, this quite clearly defined risk management approach that 27,0001 um starts off in. Um and then from a FA 27,01 and two approach, it’s those specific clauses, the 519 and 520 for example, of specific controls or clauses around developing those information security requirements. and defining agreements and what goes into an agreement. Um on the 36 side again we can see specific clauses that touch again on risk management process but also supply relationship agreements. So part 731 and we can start to see when we look at both of these there’s a lot of similarity in terms of uh the expectation and the guidance but also the requirements from from uh 01 as well. Take a couple of the in a bit more detail. So what is 519? So the requirement in 27,01 says processes and procedures should be defined should uh I guess being an operative word there um and implemented to manage information security risk associated with supplier product and service and 5.20 relevant information security requirements should be established and agreed with each supplier based on the type of release relationship. It is important to note Actually, for anyone who where version 2022 is new, these two clauses refer to the old A1511 and A1512 in the in the 27,0001 assessment um or standard, sorry. So, you got Clue 2 very well definfined um um process requirements from the standard um as you can see should be defined should be implemented information security comments should be established and agreed and And I mentioned obviously these two are very specific to supply chain but as we’ll see over the next uh uh one or two slides. This also points to the wider use of the 27,0001 standard and these controls should never be taken in isolation. And what 27,0002 does is expands them and starts to draw on the other um 89 controls in the in the in the in the standard framework. So you know consideration for access control control, data backup, data security, standards, personnel, instant management, so on and so forth. And it starts to broaden out the consideration that well, what control should we be using? Where do we even start? We start with the 89 other controls that the standard provides us um and then using 27,0002, it helps us to work out, well, how do we implement them or which ones are important to us or which ones should we be using um um when engaging with our supplier. It’s always quite a difficult area to think about because obviously each supplier is different, each product and service is different and also the complexity of each third party. So it’s quite it can be quite a time consuming uh area that requires a lot of thought and again this is where 36 can then come in um in in in a very helpful manner because 36 offers proposals in terms of this is what an agreement should look for. This is what an agreement should consider. So we can see at the bottom here security controls required across information ICT security personnel, physical security, use of change management, incident management, any form of compliance monitoring or or enforcement. So, so 36 is already starting to draw on some of the controls, some of the areas that 27,02 will also pick up on. And so, this is again where you can see some of the benefit of saying, well, we want to use 27,0001 or we need to use it for various purposes. Um, and and it gives us certain level of consideration. But 36 also offers a lot of different areas that we need to be thinking about within our supplier agreement. And it may be that there are areas that have not been considered before. We haven’t considered the use of change management. Actually, yes, based on what the third party is doing if they’re managing critical systems and applications for us. Actually, change management may be very very vital particularly are significant changes that impact um our applications or our systems or our uh data as well. So maybe This is a mandatory control that we implement within our supply contract. In a similar vein to instant management should the third party suffer any form of physical security or data breach or anything else um um that that that harms or could has the potential to harm information um and and systems managed by the third party. So you can see a good blend between how 36 requirements can expand and and discuss more broadly have you considered these areas within the contract and the more specific areas around 27,01 and two around we need to think about A B C and D in terms of defining or recording security requirements. Joe: Yeah. And seeing um the 36 requirements there mapped out uh really starts to allow you to build those links between the considerations of what you might be doing internally as well. So if you are using this as a checklist or as a form of internal audit, you could actually use this as a um as a standard to start mapping your own internal controls against them to then define whether you’ve performed a review of your change management process for example when was it performed and who by. So you can start using this as more of a um you know a living standard that you can assess yourself against um and repeatable process as well. Thomas: So yeah, it’s nice to see this start to link back to specific controls and processes. Thomas: Absolutely. Um and it’s always important to note um A lot of this obviously revolves around a very successful um um and well-developed risk management process. Obviously, the more uh we we’ve identified, you know, our key supplier risk obly the easier it’s going to make to identify those controls. And then, as you’ve alluded to there, Joe, um um use of things like 36 to say, have we considered this and and and how do we approach it with our third party as well? Um and so, yes, there’s there there’s there’s a good relationship between all three of these standards and many others across the 27,000 family by developing a clear risk management framework. Um coming back to uh the second point um organizations can issue and manage control assessments that draw on um a structured and apologies um it’s tailed off there but it’s issuing and managing security assessments to third parties. What does this mean? So I’ve already mentioned 27,000 one has very well- definfined set of security controls um those 89 plus those four specific third parties and again this is where we’ve drawn the second set of clauses so 521 and 522 which is all about monitoring reviewing and addressing changes in supplier services and again we can draw on ISO 27036 around their risk management process because it’s within the risk management process of 36 uh that starts to pick up some of these monitoring activities as well. So in 27,01521 requires processes and procedures shall be defined and implemented to manage information security risk associated with product supply chain and the organization shall regularly monitor, review, evaluate and manage change in information security practices and service delivery. And obviously this monitoring, review and evaluation piece is is is quite critical. Again, it’s it’s been in place for 27,0001 since uh the original standard. And again, it’s an area that’s also enhanced across 36. What do we mean by obviously monitoring, reviewing, and evaluation? It’s consideration for how do we respond to trying to understand those controls, those requirements that the third party has in place. Are they being met? How successful are they? So, performance reviews, um performance reviews, um audits, remote audits, um setting SLAs’s, any other process or any other requirement um um that can give us confidence that the third part is doing what they say they do. Um and again in a similar vein 27,02 drawing on those initial controls and expanding them. So what do we mean by how do we respond to a change? So where a supplier has changed processes added in new processes or technology for example what does that mean for us as a business? So, it’s starting to get companies to think about um uh the impact assessments of what those changes mean and how do we respond. Joe: Yeah. And I think this is a really important one to emphasize because the earlier we take a step back and look at the 27,036 controls around, you know, potentially things that might need to be introduced into contracts, the earlier we do that, the more chance we actually have of managing a a supplier in the right way. Um Thomas: yes, Joe: it’s very often difficult to introduce these things later on in a contract or um or if there’s nothing in terminology, it’s very difficult to refer back to these at a later date. So I think it’s really important to step back and and review these as early as possible. Thomas: Absolutely. And again is that that that continual process of saying is what we’re recording is it fit for purpose? Um um particularly as it as it grows and it matures as well. It’s always important to stay on top of that process and make sure that what we’re doing is correct and al obviously aligned to our our own business practices. Kept on talking about risk management a few times um and just want to underline again that importance of risk management within 27,000. So the framework establishes quite a structured approach in terms of how companies go about identifying risk um recording documenting risk, aligning it to this concept of confidentiality, integrity and availability of information and information assets. Um, and then setting a framework for um identifying risk acceptance criteria for example um risk remediation and treatment plans um and and obviously risk ownership as well within the business. And although it can apply internally within the organization, it’s also a suitable framework to apply When you’re thinking about supply chain risk management as well, you can still adopt the same methodology and approach of have we really identified our true supplier risks and do we have a process to monitor, measure, manage, review um and take ownership of those risks or at least engage the vendor to make sure those risks are managed appropriately. And obviously all this leads into um risks uh which can be unique depending on criticality of suppliers, type of services, type of activities they’re providing. to us overall complexity of those suppliers. Um there’ll be some risks that are different from supplier to supplier based on for example whether they’re handling sensitive or personal information for example and then there data security risks to those companies um developing applications and software solutions to companies that are offering neither of those and and have very little inter interaction with um sensitive data for example. And obviously the purpose within 27,0001 is by Developing that structured approach to risk management and identifying the level of impact to CIA confidentiality integrity availability should help manage what security control requirements we uh are using. What’s interesting with the current version of 27,01 um is it does expand on the concept of of categories and categorization of control requirements. Actually splits them across uh uh people requirements uh operational requirements, technology requirements um and so forth. So has quite clear structures that can help organizations work out what are the best controls for us that we need to be asking our third parties about as you can see from the um from the amber arrow going backwards again um looking at uh how effective is that risk management framework and do we need to adjust for new and emerging risk. So again thinking about as we discussed at the beginning um at the top of the hour sorry the beginning of the beginning of the session around uh everinccreasing uh volume of ransomware attacks, fishing threats and other similar vulnerabilities, thinking about the risk we’ve already explored with our supply chain. Do we need to add additional ones because these are becoming more common um and so we need to explore um controls around how they’re adapting or predicting or managing um um these type of of threats through security awareness training. For example, So taking a look back now in terms of some of the pros and cons of using the ISO standards. So I think it’s it’s it’s certainly true that using the the 27,000 framework and and and the series of standards can certainly be very uh invaluable um when designing or or complementing or improving your TPIM. Firstly, the fact that 27,0001 is an internationally recognized um certifiable standard in information security can go a very long way. Um it’s adopted across almost every country in the world by by a lot of different organizations and industries and sectors and it is seen um even now as a as a a strong stand of an organization’s sort of approach and due diligence and implementation of best practice frameworks around around security and having a good security posture. As we’ve explored today, you Using 27,0001 but complementing it with other standards like 02 and 36 can allow for a more in-depth approach and structured framework for managing third party programs. So taking your requirements 27,01 building on top of it implementation guidance from 202 and best practice around the wider supply chain life cycle in 36 um and other best practice standards. So you can give a much more uh detailed and perhaps even more mature framework moving forward. Um, and the use of a very clearly defined riskmanagement approach within 27,0001 if done correctly um is always um can always help in making sure the controls that you select um are the most appropriate. Um so some very good I think positive comments to say about 27,000 particularly if you’re looking at the advantages say or disadvantages of using it over say NIST and other frameworks um but not least that international recognition and and the fact that that family is also growing. So you’ll find that there are other frameworks that are sector specific for example that could also be of benefit um to to implementing and maturing those those 27,0001 controls. However, it is important to remember the following as well. So 27,0001 in isolation may not cover the complete TPRM life cycle as you seen through 36 where there’s more emphasis in 36 on areas such as acquisition, supplier acquisition. It also covers other areas around uh exit and exit agreements or exiting from an agreement with the third party. And these are areas that are either either loosely covered or not covered at all in 27,01. And that’s why that benefit of using 01 with other frameworks can be of of of more use. Um the standards itself, regardless of whether you’re you’re certified or not, the standards are not free. Um there’s a cost involved in each standard. So obviously the more family of of of of physical standards I’m talking about here um there’s necessary cost implications in that and of course in the similar vein if you go through certification um that’s always something to bear in mind um controls are wide ranging. It still covers a lot of of of I guess the usual uh topics I mentioned asset management, access control, incident management and so forth. Um perhaps it doesn’t always cover the technical depth of say 853. However, where they both touch on um the need for a secure development life cycle um a uh segregation of um systems or development environments for example, but NIST will take that same topic but then expand in a bit more depth um in terms of extra consideration. So depending on your your your appetite and and how in-depth you need to go, it could be a perfect fit or it may not touch all those technical areas that you that you’re after. Um say for your your higher tier vendors um if you’re of that mindset or or going down that route. Joe: A very quick question on this. Is there a mapping between uh 36 and NIST to give you some advantage of seeing what’s covered but as more of a a free resource that could be leveraged u to get to get an understanding of the considerations. Thomas: Um so not direct within the 36 framework or at least the current iteration which is the 2022 version. Um I’m not aware of of the direct mapping. There’s mapping of course between 27,0001 and 36 as you’d expect. Um however I mentioned at the top of uh of the discussion that um there’s a similarity with 800161 which is the cyber security and and when you’re looking at both of them there is a very good um um relationship and and and um in terms of the core topics and both how both of them structured um from the outset of supply chain management through to the end. Um and chances are as as we said with many of these standards particularly given the close relationship between ISO controls controls and other controls that over time we will see a greater mapping and sort of alignment between frameworks to say you know this is the difference between what NIST says versus what ISO says versus versus something else. Joe: Thanks Tom. Thomas: So take a quick think about what can we do now? So obviously firstly it’s about identifying your third parties if you haven’t done already that process of adopting sort of tiers profiles criticality of of organizations based on criticality to the business whether you’re adopting rating systems based on high medium lows red amber green or something more acute um based on their access to information assets, their access to personal information for example and starting to profile those third parties to identify how we tier or categorize them. Um so is personal data being handled for example um are they they providing a service is very unique and they’re a single source supplier for example or concentration risk and once you’ve adopted this and again some of the benefits of 27,036 around the acquisition process starts to use 27,01 to to drive that risk assessment process using that dedicated framework. So how it goes about identifying security risk um deplying the defining supplier services to start supply uh information and access to systems and then identifying owners who are against who’s going to be managing those supplier risks and what acceptance criteria are we defining. Are we having a separate criteria for the type of supply risks or are using a wider business risk acceptance criteria based on wider business risk and risk management processes and then defining that risk treatment approach. How are we going to respond to supplier risk? Do we have clear immediation plans in place based on say recommendations and best practices from 27,02? I’ve already explained that a single control is expanded quite significantly into 2702. Do we want to use that as part of our risk treatment and recommended actions uh should the risk present itself? Obviously then assessing and determine those control requirements. What do we actually need to look for within our third parties using those best practices to develop an agreement? So thinking about 36 and those almost checklists of how we thought about incident and change management or have we thought about personnel security and starting to underline those requirements within an agreement or within a within a a service contract. Um it’s obviously it’s always worth identifying this part. There’ll always be some third parties where you don’t have a control over those contracts. If you’re thinking about perhaps some of those large cloud service providers such um such as AWS and so forth, it’s more we buy into their services. But you can still use these processes to conduct due diligence. Have we considered these areas? Are we we’ve identified the key security controls are important to us? Um can we see um uh whether these have been applied or these are in place um for those type of supplier engagements? And obviously making sure that those controls are are in place are based on those 27,01 and2 requirements. And then finally that process of executing that assessment and again that continual process of monitoring, reviewing, evaluating suppliers, it’s looking at 5.21 and 5.22 in the standard. Um but on top of that obviously going through the same monitoring, review and evaluating the TPI and process. So if you’re using 36, if you’re using another framework, if you’re just using 27,01 Is it still fit for purpose? Do we need to look at again how we’re identifying um uh uh risks, information requirements, and um uh monitoring processes as well. Before we head over to questions, I believe we have a uh short piece uh from Scott. Scott: Yes, sir. That’s right, Thomas. If you could stop sharing, I’ll share on my end. All right. All right, quick check. Can you see my screen? Okay, Thomas: see it clearly. Scott: Awesome. All right, just very briefly, uh, I want to leave plenty of time for questions because I’ve seen a few come through so far. I just want to touch briefly on how prevalent can help address um, you know, your third party risk management program requirements specific to ISO. When we talk to customers, what they tell us invariably that they want to accomplish are these three things. Number one, get the data they need to make better decisions regarding third parties, whether that be uh some visibility into uh the risk that they pose to the organization prior to onboarding or getting good data on their control environments and then validating those controls with external cyber security uh assessments or intelligence. Number two is increasing team efficiency and breaking down silos. You know, the security team is probably responsible in your organization for performing the assess the the assessments of vendors and thirdparty suppliers, but chances are procurement or risk management or uh you know legal or audit all have some say in the matter. So how do you get everybody together uh in the same solution looking at the same data to make good conclusions about uh or and well informed conclusions about uh about the third party. And then finally evolving and scaling your program uh over a long period of time whether that’s to accommodate new or fewer vendors or uh kind of a longer scale uh oper to to kind of mature the program over time and and bring it up to best practice. So those three things are generally what customers tell us they they want to achieve uh out of their program and that’s precisely what we helped organizations uh uh do and that is first and foremost to simplify and speed up onboarding with a single source of the truth and a process to you know onboard and manage a vendor throughout the life cycle. Uh giving access to multiple different uh organizations uh throughout the enterprise uh different teams the data they need to see in the format they need to see it in in order to make good and informed decisions about third parties. Second is to streamline the process and close gaps in risk coverage. You know chances are you’ve got a couple different tools in place to do this or do that. Maybe using spreadsheets to assess your vendors trying to line those up with ISO security controls as the case may be. Uh bringing in a couple of different data sources. We bring that together under one pane of glass and then extend that pane of glass to pretty much anybody in the in the organization uh u again so that you’re viewing and managing risk uh across the life cycle of that relationship uh and unifying the teams accordingly. Um and as I mentioned we address this for every stage of the relationship from you know giving you the ability to add automation and intelligence to RFX processes to giving you a single uh process and solution for onboarding contracting uh scoring inherent risks uh enabling you to Assess your vendors against any number of different risk requirements from IT security and privacy all the way to ESG or anti-briving corruption with a with a a set of ISO specific assessments built in the platform as well to help you with controls mapping to monitor and validate that information with multiple different sources of external intelligence excuse me manage SLAs’s and performance of those particular vendors beyond just uh you know security metrics and then give you a very prescriptive process to eventually offboard and terminate the vendor once that relationship uh comes to an end. Excuse me. Again, and then we help to uh address multiple different areas of risk with the prevalent platform. Again, I’ll kind of go through this pretty quickly so that we have time for for Q&A, but we’ve kind of bucketed those different risks into those six categories that you see here. Talked a lot about uh cyber security risks, security risk today uh in the upper leftand uh u um area of that slide there. But we also address multiple different areas uh not just from an assessment built platform but also continuous monitoring data uh that we consume and help to calculate scores. We deliver a solution that is a combination of our expertise uh the data we provide and then founded by the platform. You know we can do everything from manage the hard work of onboarding management and remediation and assessment of those vendors on your behalf if you choose to do so. Uh we can help you correlate what you find from those assessments with you know multiple different sources of uh of risk data and intelligence and Then how’s that all in the platform for workflow reporting and ongoing management? Again, ultimately at the end of the day, our goal is to help you be smarter in your approach to managing third parties, unify your processes, and be help you be much more prescriptive in in how you execute uh that program and grow that program uh over time. Last thing is uh for me anyway, uh we produced something called the ISO third-party risk management checklist. It’s a 30-page guide that we put together that takes a lot of what Thomas and Joe uh talked about today, mapped that uh to very specific capabilities and needs that you might have uh from a third-party risk management perspective and then identified some best practices that help you get to uh to where you’re going. So, you know, you can see a link for it there. I realize you can’t download it uh uh from from the slides here, but uh you know, we’ll be sending out uh these slides and the and the presentation for you tomorrow uh so you can get access to that that checklist. All right, that’s all I wanted to offer today. I’m going to pitch it back over to Uh, Ashley. Ashley, I guess we can open up for questions now. Joe: Or maybe Ashley’s not there. Thomas: Yeah, I can see we have one question I can probably cover off uh if we’d like. Joe: Yeah, sure. Tom, we’ve had a question come in asking where we can find out more about ISO 27,0001. Um, obviously it’s a it’s a paid for set of sort of family of frameworks and standards. If someone wants to dig into the detail of the controls and specifically uh the 36 requirement, where should they go as a sort of source for information or um more data on what to expect? Thomas: Um so there’s there’s a few places um in terms of just getting to grips with um understanding what this the standards are. Um obviously ISO themselves, the ISO and IEA, the organizations who develop the frameworks um do obviously provide um abstracts on what those assessments are. Um any local certification bodies as well um depending on where where you are but most certification bodies around the world will also have um uh detailed overviews and assessments on what does the service you know what does the assessment mean what are the key or persons and controls uh captured in each of those frameworks. Um so in the UK anyone who’s in the UK, the likes of BSI and other other other standards bodies such as them. Um, and also auditing firms. Um, so there there’s a there’s a few different resources, there’s a few different areas. Um, but certainly ISO themselves do provide some quite handy abstracts actually to get to grips with, you know, what’s the difference between each framework and and and what can I expect? Um, even down to a quick overview of of of each respective control. Scott: Thanks, Tom. Uh, all right everybody, we’ve reached the top of the hour. We want to be sensitive to everybody’s time. Thanks everybody for joining today. A couple of other items before we close out. Yes, today’s uh webinar was recorded. We will send that out to you tomorrow morning. The recording along with the presentation and some other helpful materials. Um, and final question that came in, will you be doing a pros and cons of other frameworks or a comparison of the frameworks in the future? The answer is yes. Uh, actually Thomas and Joe have done this same type of presentation for NIST as well as SOCK 2. Uh and there may be some others coming on the horizon. All right, so once again, thanks everybody for joining today. Look forward to seeing you all very soon. We’ll follow up accordingly. Have a great day everybody. Thomas: Thank you.