ISO 27001 is a globally recognized standard that governs the development and implementation of information security management systems (ISMS). It outlines guidelines, controls, and best practices to help you protect your systems and sensitive data.
Like many ISO standards, ISO 27001 also offers a framework for third-party risk management (TPRM). The idea behind this is that most businesses today work with SaaS vendors, agents, and other third parties that have access to sensitive business information, which calls for specific security measures.
Follow this guide to learn who should comply with ISO 27001 and which third-party risk requirements you must meet to do so.
Who needs an ISO 27001 certificate?
While ISO 27001 compliance isn’t mandatory, it offers an excellent framework to showcase your commitment to data protection. IT companies most commonly pursue this certification, but it’s also prevalent in industries like healthcare and telecom—essentially, any organization that wants to demonstrate alignment with ISMS best practices can benefit from ISO 27001.
Here are a few notable benefits of complying with ISO 27001:
- Continuously improving cybersecurity risk management processes
- Gaining competitive advantage over non-certified industry competitors
- Protecting all critical data assets, including intellectual property and financial reports
- Minimizing the potential attack surface a malicious party could exploit
- Facilitating trust and confidence with customers, investors, and internal stakeholders
Getting the certificate requires you to undergo an ISO 27001 audit, which examines numerous data security aspects, including whether your TPRM program is effective.
What are the TPRM requirements of ISO 27001?
Before we start our discussion on the third-party requirements of ISO 27001, it’s worth noting that the standard received significant updates in 2022 to factor in the evolved cybersecurity risk landscape and cover more relevant TPRM practices.
Earlier, most risk managers followed the 2013 version of ISO 27001, which outlined the relevant TPRM requirements in Annex 15: Supplier Relationships. However, ISO 27001:2022 lists similar yet upgraded controls under Annex A.5 Organizational Controls. The following table gives you a comparative overview of third-party risk controls under both versions:
We’ll discuss the relevant ISO 27001:2022 controls below and see how they impact your TPRM program:
- A.5.19 Information security in supplier relationships
- A.5.20 Addressing information security within supplier agreements
- A.5.21 Information and communication technology supply chain
- A.5.22 Monitoring, review, and change management of supplier services
1. A.5.19 Information security in supplier relationships
As per A.5.19, you should outline and implement processes and procedures to manage the third-party risks associated with the use of supplier products and services.
To meet this criterion, define several aspects of your third-party management process, such as:
- Identifying vendors and vendor types
- Evaluating and managing vendor risks
- Handling vendor-related security incidents
- Onboarding and terminating vendors
Since these aspects require a systematic approach to monitoring vendors, the best practice is to develop a centralized inventory that will give you a bird’s-eye overview of your third parties and all the data points you want to monitor. The inventory can contain various information, most notably:
- Name and type of third party (supplier, distributor, SaaS provider, etc.)
- Business function(s) impacted
- Data and systems accessed
- Other associated risks
To create such an inventory, you’ll need to go beyond outdated tools like spreadsheets and opt for comprehensive TPRM software. Such tools make it easier to get a real-time (or at least near real-time) overview of your vendor inventory.
2. A.5.20 Addressing information security within supplier agreements
A.5.20 expands on the previous requirement, obligating organizations to establish the necessary information security requirements within supplier agreements. It specifically mentions outlining security requirements based on the type of supplier you’re dealing with.
It’s important for organizations to assign a task owner for enforcing this control. This isn’t a problem for organizations with a dedicated legal team or department, as such teams can draft, monitor compliance, and amend the necessary provisions with ease. If you outsource such legal work, assign a senior team member within your TPRM program to track if your third parties are honoring the agreement.
This type of tracking can be a time-consuming and resource-intensive process. However, tools like security questionnaires can make it easier to collect proof of adherence to SLAs.
3. A.5.21 Information and communication technology supply chain
According to A.5.21, your agreement with suppliers who offer information and communications technology services must include requirements to address relevant information security risks. It’s a preventive control that typically requires you to perform extensive risk assessments and set up continuous monitoring of cybersecurity threats, such as:
- Phishing and ransomware
- Shadow IT
- Domain hijacking
From a practical standpoint, you can perform initial due diligence by gathering information regarding a third party’s approach to these threats. The goal is to learn about their security policies, technical security measures (firewalls, anti-malware, etc.), and internal procedures for safeguarding data and communication.
You’ll most likely want to perform regular reassessments based on the vendor’s risk tier, as well as maintain comparable risk scores for different third parties.
A risk assessment questionnaire or template can be quite valuable if you want your ISO 27001 auditor to have a trail of evidence to verify compliance with this requirement.
4. A.5.22 Monitoring, review, and change management of supplier services
This ISO 27001:2022 control merges two controls from the 2013 version. It requires you to regularly monitor, review, and audit your vendor processes, as well as manage any changes to the provision of services by suppliers.
There are numerous activities you can perform to fulfill this requirement, such as:
- Monitoring service performance levels against agreed-upon standards and KPIs.
- Auditing suppliers (and reviewing independent auditors’ reports).
- Reviewing a supplier’s internal third-party security practices and risk reports.
The change management aspect of the control is to ensure every vendor-related change is backed by initiatives to maintain or improve the current security procedures, policies, and controls. It encompasses reevaluating the criticality of the enterprise information, systems, and vendor processes involved, as well as reassessing the associated risks. Some instances where you’d have to monitor and manage changes include:
- The provider uses new technologies for service delivery.
- A third party makes significant changes to their security or privacy policy.
- A vendor decides to discontinue their partnership with you.
Let’s take the last scenario, for instance—a discontinued partnership could pose a significant threat to your organization’s information. You need to create a thorough offboarding process to ensure there’s no residual data or unchecked access that can be exploited either intentionally or accidentally.
A.5.22 does not have a one-size-fits-all approach—it’s best to consult your security or compliance team to identify the necessary tasks to fulfill this requirement.
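As an added example (not part of the original article and not Vanta's product code), the following Python sketch ties together three points made above: a centralized inventory row carrying the fields listed under A.5.19, a comparable risk score with a risk-tier-driven reassessment cadence as discussed under A.5.21, and the residual-access check that an offboarding process under A.5.22 needs. The vendor names, scoring weights, tier thresholds, and reassessment intervals are constructed assumptions, not values prescribed by ISO 27001.

```python
"""Vendor inventory with risk tiering, reassessment scheduling, and offboarding checks.

Constructed example. Weights, thresholds, and intervals are illustrative
assumptions to be replaced by your own TPRM policy, not ISO 27001 values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Ordinal sensitivity of the data classes a vendor can access (assumed labels).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Reassessment cadence per risk tier in days (assumed policy values).
REASSESS_INTERVAL_DAYS = {"low": 365, "medium": 180, "high": 90}


@dataclass
class Vendor:
    """One row of the centralized third-party inventory (fields from A.5.19)."""
    name: str
    vendor_type: str                         # supplier, distributor, SaaS provider, ...
    business_functions: List[str]            # business function(s) impacted
    data_accessed: List[str]                 # labels drawn from DATA_SENSITIVITY
    systems_accessed: List[str]              # internal systems the vendor can reach
    open_findings: int = 0                   # unresolved issues from the last assessment
    last_assessed: Optional[date] = None     # None: never assessed
    status: str = "active"                   # "active" or "terminated"


def risk_score(v: Vendor) -> int:
    """Comparable score: data sensitivity weighs most, then system reach, then findings."""
    sensitivity = max((DATA_SENSITIVITY[d] for d in v.data_accessed), default=0)
    return 3 * sensitivity + min(len(v.systems_accessed), 3) + v.open_findings


def risk_tier(v: Vendor) -> str:
    """Map the numeric score onto the tier that drives reassessment cadence."""
    score = risk_score(v)
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def reassessment_due(v: Vendor) -> Optional[date]:
    """Next reassessment date from the tier; None if the vendor was never assessed."""
    if v.last_assessed is None:
        return None
    return v.last_assessed + timedelta(days=REASSESS_INTERVAL_DAYS[risk_tier(v)])


def overdue_reassessments(inventory: List[Vendor], today: date) -> List[str]:
    """Active vendors never assessed or whose reassessment date has already passed."""
    overdue = []
    for v in inventory:
        if v.status != "active":
            continue
        due = reassessment_due(v)
        if due is None or due < today:
            overdue.append(v.name)
    return overdue


def residual_access(inventory: List[Vendor]) -> List[str]:
    """Terminated vendors still listed with data or system access: an offboarding gap."""
    return [v.name for v in inventory
            if v.status == "terminated" and (v.systems_accessed or v.data_accessed)]


# Constructed sample inventory with fictional vendors.
SAMPLE_INVENTORY = [
    Vendor("PayrollCloud", "SaaS provider", ["HR", "Finance"],
           ["restricted", "confidential"], ["hris", "sso", "data-warehouse"],
           open_findings=1, last_assessed=date(2024, 1, 15)),
    Vendor("OfficeSupplies Ltd", "supplier", ["Facilities"],
           ["internal"], ["procurement-portal"],
           open_findings=0, last_assessed=date(2024, 3, 1)),
    Vendor("LogAnalytics Inc", "SaaS provider", ["Security"],
           ["confidential"], ["siem"], open_findings=0, last_assessed=None),
    Vendor("OldCRM Corp", "SaaS provider", ["Sales"],
           ["confidential"], ["crm"], open_findings=0,
           last_assessed=date(2023, 6, 1), status="terminated"),
]

# Constructed "today" for the sample report.
REPORT_DATE = date(2024, 5, 1)

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        print(f"{v.name:20} tier={risk_tier(v):6} next_due={reassessment_due(v)}")
    print("Overdue reassessments:", overdue_reassessments(SAMPLE_INVENTORY, REPORT_DATE))
    print("Residual access after termination:", residual_access(SAMPLE_INVENTORY))
```

The score keeps vendors comparable across types, the tier sets the cadence rather than a single fixed interval, and the two report functions are the evidence trail an auditor would ask for: which vendors are overdue for review and which terminated vendors still appear to hold access.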
Pursue ISO 27001 certification confidently with Vanta
If you’re pursuing ISO 27001:2022 certification, Vanta can automate the majority of the work involved. The platform’s ISO 27001 solution comes with pre-built workflows and in-depth guidance to help you build an effective yet lightweight ISMS.
Vanta offers a compliance checklist and real-time gap analysis to help you monitor pending requirements before you’re audit-ready for ISO 27001. If you need a solution focused on the TPRM aspect of ISO 27001 compliance in particular, Vanta’s Vendor Risk Management solution can support you. It comes with many features to streamline your TPRM program, including:
- Centralized vendor inventory with risk-based categorization
- Live dashboards with a clear overview of critical vendor data
- Simplified risk assessments with auto-scoring through configurable parameters
- Shadow IT discovery and security review tracking
For a detailed walkthrough of these features, watch our webinar or schedule a custom demo today.
A guide to meeting the ISO 27001 third-party risk management requirements