How to Meet ISO Third-Party Risk Management Requirements

Mitratech Staff

ISO 27001 and Third-Party Risk Management

ISO 27001 is an international standard for the stringent evaluation of cyber and information security practices. It provides a framework for establishing, implementing, maintaining and continually improving information security management systems. Based on an international set of requirements, it outlines a systematic approach to securely managing sensitive company information.

Two supplementary standards are important third-party risk management corollaries to ISO 27001:

  • ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
  • ISO/IEC 27036-2:2022 Cybersecurity – supplier relationships — Part 2: Requirements

ISO 27002 and Third-Party Risk Management

ISO 27002 is a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. It helps organizations consider what they need to put in place to meet these requirements.

Together, ISO 27001 and 27002 are the foundation of most cybersecurity-related ISO standards. With respect to managing information security in supplier relationships, Section 15 of ISO 27001 and ISO 27002 summarizes the requirements for securely dealing with various types of third parties.

ISO 27036-2 and Third-Party Risk Management

ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. This standard is particularly relevant for third-party risk management as the requirements cover procurement and supply of products and services.

Clauses 6 and 7 in ISO 27036-2 define fundamental and high-level information security requirements applicable to managing each stage of the supplier relationship lifecycle.

ISO Third-Party Risk Management Requirements

Using a top-down, risk-based approach, ISO standards provide the following guidance for managing suppliers:

  • Create an information security policy for supplier relationships that outlines specific policies and procedures and mandates specific controls be in place to manage risk.
  • Establish contractual supplier agreements for any third party that may access, process, store or communicate an organization’s data, or that provides IT infrastructure components for it.
  • Include requirements to address the information security risks associated with the information and communications technology (ICT) services and product supply chain.
  • Monitor, review and audit supplier service delivery.
  • Manage changes to the supplier services, considering re-assessment of risks.

Prevalent helps to address each of these requirements.

Next Steps for ISO Compliance

The ISO standards presented here require robust management and tracking of third-party supplier security risk and data privacy. They specify the following:

  • A policy for selecting suppliers based on information security practices should be in place
  • A policy for managing risk should be in place
  • A policy should be codified in supplier agreements
  • Suppliers should be managed and audited to the agreed requirements

Having strong Information Security Management Systems is part of the supplier lifecycle and requires a complete, internal view of the controls in place as well as continuous monitoring of all third parties. This cannot be addressed with a simple, external automated scan or with spreadsheets. Prevalent delivers a unified platform that can help effectively audit supplier security controls to ensure ISO compliance.

Contact us today for a personalized demo or download The ISO Third-Party Compliance Checklist to learn how Prevalent can address your ISO requirements.

Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.