Common Questions When Managing Supplier Information Security Risks

Matt Thomas
|
Product and Risk Director at URM
|
PUBLISHED on
5 Sep
2024

Suppliers and supply chains are essential to the continued success of any organisation, however they can also pose significant security risks.  If a supplier has access to your systems and information, any attacks or breaches it suffers could also have a significant impact on your organisation and even lead to sensitive information being exposed.  As such, it is vital to conduct supplier information security risk management by determining and verifying the effectiveness of your suppliers’ information security policies, processes and controls.  And it is important to note that this process is not complete once suppliers have been onboarded. Understanding the security posture of their subcontractors, conducting audits to validate the efficacy of their information security programme, and (in some cases) carrying out joint incident response exercises are all vital in ensuring information security is maintained throughout your ongoing engagements with different suppliers.

In this blog, Matt Thomas (Product and Risk Director at URM) answers key questions on information security supply chain risk management, with a particular emphasis on the aspects to consider after a supplier has been selected.  This blog is based on a webinar '5 Steps to Improve Your Supplier Information Security Risk Management', delivered in 2024 by Matt and Lauren Gotting (New Business Manager at URM), where Lauren and Matt provided valuable advice on how organisations can improve their supplier information security risk management.

Risk Management of Supplier Subcontractors

Do you need to conduct information security risk management for your supply chain/suppliers’ subcontractors?

Whilst information security risk management is almost always necessary for your immediate suppliers, it can be difficult to determine when risk management relating to your suppliers’ subcontractors is required, and when this is superfluous.  URM has found that it may be useful to conduct supply chain mapping of your suppliers’ key subcontractors, and this is particularly true for those suppliers that are processing sensitive information (e.g., commercially sensitive information, and personally identifiable information or ‘PII’).  Where possible, you should include an element within your supplier contract that ensures you will be informed of any changes to the subcontractors they are engaged with.

What do you do if a supplier refuses to share information about their subcontractors?

In this circumstance, you will need to make a risk-based decision on how to proceed.  Depending on your risk appetite, you may be able to accept the risk and proceed in your engagement with the supplier without an understanding of the risks associated with its subcontractors.  Hopefully, however, you will be able to reach an agreement with the supplier in question, where you receive sufficient information to provide you with the necessary assurance that the risk is low enough for you to tolerate whilst still being acceptable to the supplier. For example, a supplier may not be able to provide you with a hard copy of their policies relating to their suppliers, but will be able to show these to you via a Microsoft Teams session to demonstrate that they have the appropriate policies in place.

Should contracts with suppliers include the right to audit their subcontractors?

Whilst it is important that you are able to verify the security posture of your suppliers’ subcontractors, auditing these subcontractors yourself is likely to be extremely onerous and impractical.  As such, we would recommend pushing the responsibility for this onto your suppliers by including a contractual requirement for them to provide you with a report on various measurements and metrics from their supplier management process.

Auditing Suppliers

How do you approach auditing your most critical suppliers?

First, we would recommend planning your audit schedule based on the categorisation of your suppliers and selecting appropriate controls to audit based on the product/services they are providing you with, instead of attempting to audit all of the clauses and controls from ISO 27001.  You may have a supplier that manages your key finance system, for example, so you would benefit from auditing the user management of its support users. There are a number of other key areas you should consider auditing:

  • Access controls
  • Data protection
  • Technical testing (such as a penetration test – this may be particularly useful for SaaS platforms, web applications, etc.)
  • Supply chain testing
  • Security included with development
  • Incident response
  • Training and awareness
  • Business continuity and disaster recovery
  • New threats and changes in regulation.

Should supplier audits be conducted remotely or in person?

Both approaches have their merits and drawbacks.  Remote audits are much easier and more convenient, and can be conducted over a couple of hours without needing to travel to a supplier’s premises.  However, remote audits can sometimes lead to you missing opportunities to build rapport and relationships, and learn more about the audited organisation, e.g., observe the visitor management process in operation.  As such, it may be best to make a case-by-case decision on which approach is most appropriate for each key supplier.  Again, you will be taking into consideration the products/services they provide.  If you are auditing the security of a data centre, for example, understanding the physical security measures it has in place will be extremely important and will generally only be practicable with a site visit.

What steps do you need to take following a supplier audit?

Once the audit has been completed, it’s important to ensure reporting is relevant and shared with all of the appropriate personnel, which may include your CISO, IT, IT, Security, Procurement, Legal, and Compliance teams as well as the respective supplier for in-depth review and action planning.

Including Suppliers in Development and Exercising of Incident Management Plans

When should suppliers be included in incident management exercises?

It is important to understand that you should only include your most critical suppliers in incident response exercising and those suppliers you have built a relationship with, as a significant level of detail, information and mutual support will be required from both parties to conduct an effective exercise.  The amount of effort required may not be justifiable for suppliers that have a lower criticality to your organisation, and will be difficult to achieve with a supplier you do not have a strong relationship with.

How do you ensure incident management exercises that include suppliers are meaningful?

To make the exercises more realistic and beneficial, we would recommend alternating which party is experiencing the incident, i.e., not always developing an exercise scenario in which the supplier has suffered an incident, but also scenarios in which your organisation has suffered an incident that the supplier is helping you respond to.  There are a range of realistic scenarios you could use in your exercises, however, in an information security context, the scenario of a cyber attack against the supplier tends to be used most frequently.  Due to their wide-ranging impact, there are a number of interesting aspects that emerge from cyber-attack scenarios, such as whether the incident is a data breach and whether it will need to be reported to any regulatory bodies.

Disruption to service delivery is another potential scenario that may be useful to consider, particularly when creating an exercise that involves an organisation such as a call centre or managed service provider.  The exercise will provide you with an opportunity to establish how an interruption to their services will impact your organisation, and how you and your supplier would work through any issues that arise.

Other Questions

Should supplier contracts for different suppliers be the same?

There are likely be some standard contractual clauses that are common to contracts with your different suppliers, however in the main, they should be tailored to each individual supplier in accordance with the services provided and the risks associated with that third party.  To learn more about developing supplier contracts, read our blog on How to Conduct Effective Supplier Information Security Risk Management.

When should organisations begin to consider a supplier risk management tool, rather than relying on spreadsheets?

As your supplier risk management increases in complexity, a supplier risk management tool will become necessary.  Whilst a tool will, most likely, not be required when you only have a small number of suppliers in place, as your supplier list grows and the number of individuals within your organisation responsible for different suppliers increases, the need for a tool will become apparent in order to manage the varying timescales, the different onboarding processes and supplier questionnaires, etc..

When assessing the information security criticality of your suppliers, should you consider CIA?

Confidentiality, integrity and availability (CIA) are the 3 fundamental principles that guide effective, best practice information security management (see our blog on What is the CIA Security Triad? Confidentiality, Integrity and Availability Explained for a comprehensive explanation of CIA and what it means in practice).  We would strongly recommend using these principles as a lens through which to assess the criticality of your suppliers.  You may, for example, find that you are sharing information that must remain confidential, but the availability of that information is less important, and it’s not as essential to ensure the information is kept up to date and accurate, i.e., that its integrity is maintained.  By evaluating suppliers in this way, you are more likely to achieve consistent and repeatable results when assessing the criticality of different third parties you are looking to engage with.

How URM can Help

One of the greatest challenges of managing risk in your supply chain is the administrative burden and significant possibility for human error when assessing numerous suppliers providing a diverse range of services. Abriska 27306, URM’s web-based supplier risk management tool, is the ideal solution for organisations that have numerous suppliers with various levels of risk.  Our supplier risk management software enables you to tailor your supplier questionnaire to ensure only relevant questions are sent to each supplier, as well as allowing you to ask more in-depth questions of those suppliers with greater access to your organisation’s sensitive information, whilst also improving efficiency by automating the distribution and analysis process.   Designed by URM’s information security consultants in line with established best practice, Abriska comes pre-populated with a core set of questions which are aligned with both ISO 27001 and ISO 27306, and which have been augmented with additional questions devised by our experts, helping you to action an effective information security supplier risk management plan.  With our cost-effective and reliable software, you can freely upload documents, use a single dashboard to manage all of your suppliers, and configure reminders and chasers to be sent automatically.  For each supplier, Abriska will also automatically provide you with a calculated risk score and a concise supplier report, therefore streamlining your business risk management process.

Matt Thomas
Product and Risk Director at URM
Matt possesses more than 15 years of experience working in information security and cyber security. He is particularly skilled and adept in the area of risk management and has led the development of URM's suite of Abriska risk management modules and underpinning assessment methodologies.
Read more

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.