Register of suppliers – free template
| Sieuwert van Otterloo |
Suppliers come in all shapes and sizes: utilities, cloud platforms, office facilities, email providers, equipment maintenance, accountants, freelancers, PEN-testers and last but not least, information security consultants like ICT Institute. Your relationship with them should include information security considerations.
The security requirements for suppliers depends on the service or product they provide. Your outsourced HR service handles employee’s personal data. You therefore need to check that they take adequate precautions to protect the data. You may also need to have a data processing agreement with them under the GDPR legislation. However, if they go out of business, it is relatively easy to find a replacement. In contrast, if your cloud service provider suffers a massive outage, your whole business may go offline.
It is good practice to maintain a register of suppliers. The register can include information security requirements, where relevant. You are unlikely to have to consider information security for you coffee supplier, but you definitely do for a cloud provider. Keeping a register you can help keep track of external information security risks. A well-kept register makes conducting regular reviews to ensure that no weaknesses have emerged easier. The register can be in any format, but to make your life easier, we’ve developed an Excel template that is free to download.
Supplier relationships in ISO 27001
If you’re looking to get certified for ISO 27001, you need to formally document the information security aspects of your supplier relationships. This falls under appendix chapter 15: supplier relationships. The first step is to make a clear policy for addressing information security within supplier relationships. This sets ups how and when information security requirements are decided and reviewed.
For each supplier, the relevant security requirement are agreed between the supplier and organisation, normally in a contract. Security requirements depend on the service: for business critical services such as cloud providers, requirements might include an ISO 27001 certificate. Requiring good service may be enough non-critical providers or where there is a lot of choice in the market and changing supplier is easy. This may be the case for mobile telephone providers.
Whatever requirements you choose need to be monitored and reviewed. For example, adequate uptime and evidence of recertification for a cloud provider would both indicate that the supplier meets information security requirements. The supplier relationship policy should include what to do if a supplier fails to meet the chosen requirements. In some cases, this will mean finding a new supplier. In others, the organisation could alter the supplier agreement.
For more information on supplier relationships and appendix 15, please visit out ISO27002 explained blogpost.
Supplier relationship register template
We have developed an Excel template that you can download here for free. Each supplier has one line with contact details and description. Most important are the columns for information security requirements. Documented requirements are evidence such as relevant certification (e.g. ISO 27001, ISO 27701, ISO 9001 or NEN7510) and data processing agreements. Practical requirements are everyday indicators such as uptime of cloud storage provider, a clear report from a PEN-tester or a reaction within 24 hours from your external data protection officer. Evidence that the supplier meets these requirements should be collected throughout the year and recorded in the spreadsheet. Documented evidence means that you can easily assess whether the supplier meets your information security requirements.
Image: Petrebels via Unsplash.com
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.