ISO 27701, Clause 6.12 – Supplier Relationships

ISO 27701 Clause 6.12.1.1 – Protection of Test Data

References ISO 27002 Control 5.19

Organisations need to implement policies and procedures that not only govern the organisation’s use of supplier resources and cloud platforms, but also form the basis of how they expect their suppliers to conduct themselves prior to and throughout the term of the commercial relationship, particularly regarding PII and privacy-related assets.

ISO 27701 6.12.1.1 can be viewed as the essential qualifying document that dictates how privacy information governance is handled over the course of a supplier contract.

Organisations should:

• Maintain a record of supplier types that have the potential to affect privacy information security.
• Understand how to vet suppliers, based on varying risk levels.
• Identify suppliers that have pre-existing privacy information security controls in place.
• Identify areas of the organisation’s ICT infrastructure that suppliers will be able to access or view.
• Define how the suppliers’ own infrastructure can impact upon privacy protection.
• Identify and manage the privacy risks attached to:
• Use of confidential information.
• Use of protected assets.
• Faulty hardware or malfunctioning software.
• Monitor privacy information security compliance on a topic specific or supplier-type basis.
• Limit the any disruption caused as a result of non-compliance.
• Operate with an incident management procedure.
• Implement a thorough training plan that informs staff on how they should interact with suppliers.
• Take great care in transferring privacy information and physical and virtual assets between the organisation and suppliers.
• Ensure that supplier relationships are terminated with privacy information security in mind.

Organisations should use the above guidance when forming new relationships with suppliers, and consider non-adherence on a case-by-case basis.

ISO acknowledges that commercial relationships vary wildly from sector-to-sector and business to business, and gives organisations leeway by recommending the explorations of “compensating controls” that seek to achieve the same underlying privacy protection principles.

ISO 27701 Clause 6.12.1.2 – Addressing Security Within Supplier Agreements

References ISO 27002 Control 5.20

When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.

In doing so, organisations should:

• Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
• Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
• Give adequate consideration to the suppliers own classification scheme.
• Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
• Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
• Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
• Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
• Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
• Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
• Outline an Incident Management procedure, including how major events are communicated.
• Ensure that personnel are given security awareness training.
• (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
• Consider how supplier personnel are screened prior to interacting with privacy information.
• Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
• Have the contractual right to audit a supplier’s procedures.
• Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
• Focus on taking steps to affect the timely and thorough resolution of any defects or conflicts.
• Ensure that suppliers operate with an adequate BUDR policy, to protect the integrity and availability of PII and privacy-related assets.
• Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
• Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
• (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
• Outline a list of actions to be taken by either party in the event of termination.
• Ask the supplier to outline how they intends to destroy privacy information following termination, or of the data is no longer required.
• Take steps to ensure minimal business interruption during a handover period.

Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.

Applicable GDPR Articles

• Article 5 (1)(f)
• Article 28 (1)
• Article 28 (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g), (3)(h)
• Article 30 (2)(d)
• Article 32 (1)(b)

Relevant ISO 27002 Controls

• ISO 27002 5.10
• ISO 27002 5.12
• ISO 27002 5.13
• ISO 27002 5.20

ISO 27701 Clause 6.12.1.3 – Information and Communication Technology Supply Chain

References ISO 27002 Control 5.21

When contracting out elements of their supply chain, in order to safeguard PII and privacy-related assets, organisations should:

• Draft a clear set of privacy information security standards that suppliers and contractors are fully-conversant with.
• Ask suppliers to provide information on any software components that are used to deliver a service.
• Identify the security functions of any product or service supplied, and establish how said products and services should be operated in a way that doesn’t compromise privacy information security.
• Draft procedures that ensure any products or services fall within accepted industry standards.
• Adhere to a process that identifies and records elements of a product or service that are crucial to maintaining core functionality.
• Ask suppliers to provide assurances that certain components have an attached audit log that evidences movement throughout the supply chain.
• Seek assurance that products and services don’t contain any features which may present a security risk.
• Ensure that suppliers consider anti-tampering measures throughout the development life cycle.
• Seek assurances that any products or services delivered are in alignment with industry-standard privacy information security requirements.
• Take steps to ensure that suppliers are aware of their obligations when sharing privacy information throughout the supply chain.
• Draft procedures that manage risk when operating with unavailable, unsupported or legacy components.

It’s important to note that quality control doesn’t necessarily extend to granular inspection of the supplier’s own procedures.

Organisations should implement supplier-specific checks that confirm third-party organisations as a reputable source, within the sphere of privacy information management.

ISO 27701 Clause 6.12.2.1 – Monitoring and Review of Supplier Services

References ISO 27002 Control 5.22

Organisations need to be continually aware of how supplier services are delivered – and to what levels – in order to maintain a safe, secure privacy information management operation.

To achieve this, organisations should:

• Monitor service levels in accordance with published SLAs.
• Address any service shortfalls or events as quickly as possible, particularly those that impact upon PII or privacy-related assets.
• Monitor any changes made by the supplier to their own operation that has the potential to impact privacy protection, including any service-specific changes.
• Ask to be provided with regular service reports, and scheduled review meetings.
• Scrutinise outsourcing partners and subcontractors, and pursue any areas for concern.
• Operate within agreed Incident Management standards and practices.
• Keep a record of privacy information security events, operational problems and faults.
• Highlight any information security vulnerabilities and mitigate them to the fullest extent.
• Be mindful of the suppliers’ relationships with its own suppliers and subcontractors, and how this impacts upon privacy protection within the boundaries of the organisation itself.
• Identify supplier-side personnel who are responsible for maintaining the terms of the service contract.
• Perform audits that confirm a supplier’s ability to maintain adequate privacy information standards.

Relevant ISO 27002 Controls

• ISO 27002 5.29
• ISO 27002 5.30
• ISO 27002 5.35
• ISO 27002 5.36
• ISO 27002 8.14

ISO 27701 Clause 6.12.2.2 – Managing Changes to Supplier Services

References ISO 27002 Control 5.22

See ISO 27701 Clause 6.12.2.1

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!

Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.

Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.

‌Find out more by booking a hands on demo.