ISO 27001:2013 Clauses You May Be Overlooking – Supplier Engagement
If you use a third party to process your information, your responsibilities are as follows:
- assess the risk of what may happen to that information whilst in their care
- clearly define what the third party will access and what they can and cannot do with the information
- document in the contract the roles and responsibilities of both yourself as data controller and them as data processor
- conduct background or due diligence checks on the service provider
- ensure that the service provider is a reputable company and works to the same high standard as yourself
One MUST in every contract is a right-of-audit clause: “we reserve the right to physically audit the processes and supporting infrastructure you have in place to carry out the service you are providing/delivering on our behalf”. This clause gives you the opportunity to act on the evaluation you carry out of the supplier against its criticality and spend value to your business.
How to do this:
Many companies send a questionnaire to suppliers; the answers let you decide whether to physically audit the processes being carried out and the infrastructure supporting those processes.
Awarding supplier contracts
The evaluation of risks will dictate the clauses required to be included in the contract (A15.1.2).
- You may require the information to be encrypted or have a form of pseudonymisation applied
- You may require that the staff working with your information have had a criminal record check
Transfer of information to suppliers
Another consideration for your supplier contract is stating how information will be transferred between yourself and the service provider. Specify a controlled method so that information is passed on strictly on a ‘need to know’ basis, and set up a process that restricts the service provider’s access to only the information it needs to perform the service.
Incidents and breaches
Incident and Breach notification policy and processes must be stipulated for both GDPR and 27001 requirements. These policies and processes must state how a breach will be managed with timescales. Remember, you only have 72 hours to investigate the breach and decide if it needs to be reported to the ICO.
Continual monitoring and evaluation
Even when everything in the contract has been agreed and all the assurances are documented, it is still recommended that you physically audit a service provider that performs work critical to your business, or with which you have a large spend value, against both the contract requirements and the service level agreement. This is part of “Monitoring” in the standard and is referenced under clause A 15.1.2.
Ending the agreement
Include an exit strategy in the contract to ensure that your information (covered by clause A 8.1.3 of the standard, on assets) is returned or securely destroyed. Whether your agreement has ended under friendly or less-than-friendly circumstances, you need to make sure all your assets are returned (clause A 8.1.4) and all access rights are removed.
Remember that there may be a legal requirement for the service provider to retain the information for longer than the contract, so check their document retention policy prior to engagement to ensure you understand their obligations. Always check who regulates the company and which professional bodies they are members of, as this may affect your decision to engage the service provider in the first place.
Do things right for 33% time savings
ISO 27001 is there to save you on average 33% of your time by applying logic and strategy to how the business controls information security. There are many sayings such as “a stitch in time saves nine” or “measure twice, cut once”; these are the basic checks built into 27001, and if you apply 27001 correctly it gives you the opportunity to look proactively at your business processes, change direction if required, and keep the delivery of the business objectives focussed and achievable.
Still have questions about your organisation’s information security? Don’t hesitate to get in touch.