3 reasons to create an information security policy for supplier relationships
Creating an information security policy arms your employees with the information, training and tools they need to recognise and avoid cyber threats, so that you and your team prevent problems proactively rather than reacting to them later. Your own staff are not the only people who handle your information, though: to mitigate risk consistently across everyone who does, you also need an information security policy for supplier relationships.
This is covered under Annex A.15.1 of ISO 27001 (in the 2013 edition of the standard; the 2022 edition carries the same requirements in Annex A controls 5.19 to 5.21). The goal is to protect the assets that suppliers can access or affect, and to maintain an agreed level of information security and service delivery in line with your supplier agreements. It is an important part of any information security management system (ISMS).
Want to know more? This article shares three benefits of creating an information security policy for supplier relationships.
#1. Protect assets accessible to or affected by suppliers
Reported cybercrime rose by almost 600% at the height of the COVID-19 pandemic, and the chance that any given attack is detected and prosecuted has been estimated at as little as 0.05%. That is a sobering picture, given that breaches cause trillions of dollars in losses globally each year and can be devastating even for the most successful businesses. The cost of a breach falls in four areas:
- Financial loss from the theft of money, information and the disruption to your business
- Business loss from reputation damage
- Time loss while notifying the relevant authorities and institutions of the incident and getting your systems back up and running
- Security loss, because every control has to be reevaluated and the business re-secured before its systems can be trusted again.
Cyber threats can come from criminals, competitors, clients, current and former employees and, yes, even your suppliers. Whether the threat is deliberate or accidental, you need a risk-based approach, and that means creating an information security policy for supplier relationships. Such a policy might cover:
- Defining different types of information access for different types of suppliers
- Defining minimum information security requirements
- How information security will be monitored and controlled
- Processes and procedures for monitoring adherence to the policy
- Obligations of the supplier in protecting the organisation’s information
- Recovery and contingency agreements
- Awareness training required for the supplier and organisation’s personnel
- Appropriate rules of engagement and behaviour
- How information security controls will be documented
- How to manage necessary transitions and transfers of information
- How to manage changes to information security protection processes and procedures.
#2. Improved collaboration and working relationships
Suppliers are important: you need them for work you cannot do internally, or cannot do as cost-effectively as they can.
While all suppliers are valuable to your organisation, it is important to remember that not all suppliers are created equal, and a strict “one-size-fits-all” information security policy can get in the way of productivity. Some suppliers may be unable to adhere to all the controls and policies in a strict, standardised policy, putting a strain on your working relationship and making it harder to collaborate effectively.
Rather than imposing a single rigid rulebook on every supplier, be strategic: select suppliers carefully and rank them internally by their value to your business and by the risk they pose to your information, i.e. how much they can access and how likely they are to breach its confidentiality. Where a supplier is deemed high-risk (for example, it has no ISMS of its own) or has access to high-value information and assets, develop a closer working relationship with it, with more specific contractual requirements and more frequent review of its controls; lower-risk suppliers can be held to a lighter baseline.
This is more likely to improve collaboration, communication and productivity!
You should also agree clearly, in writing, which assets each supplier may access, so that you can control the security around those assets and review it regularly.
#3. Compliance with ISO 27001
Creating an information security policy for supplier relationships should be treated as essential for any ISMS, especially if you want to achieve or maintain ISO 27001 certification. Annex A.15.1 requires appropriate measures to manage information security within the supply chain, including agreed policies and supplier agreements, and regular review of those controls so that they keep pace with changes in risk. (Annex A controls apply according to your risk assessment and Statement of Applicability, but excluding the supplier-relationship controls is hard to justify for any organisation that relies on suppliers.)
Remember, though, that Annex A.15.1 (information security in supplier relationships) is only one part of ISO 27001 compliance.
At BusinessBasics, our ISO 27001 consultants can help you develop and implement a thorough, compliant ISMS, whatever the scope or scale of your business. Through in-depth auditing, we check that your business meets all ISO 27001 requirements (including information security for third parties) and provide recommendations to prepare you for ISO 27001 certification.