In mid-2019, a medical testing company was informed by one of its vendors that the vendor had experienced a significant data breach. This data breach involved PHI (protected health information) of over 11 million individuals. While news coverage of this event mentioned the vendor, ultimately it was the medical company itself that faced the majority of coverage and is financially liable.
Setting up or maturing a third-party risk management program, though, can be difficult, regardless of an organization’s size. Fortunately, there are standards that help guide organizations to know how to establish or mature an appropriate third-party risk program. One of these standards is ISO/IEC 27001:2013.
ISO/IEC 27001:2013 (ISO 27001) is an international standard created jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Both entities are based in Switzerland. Many organizations, especially those based in the United States, are familiar with SOC 2 Type II (SOC 2). ISO 27001 is the international equivalent of SOC 2, and both standards aim to ensure certified organizations have a mature Information Security Management System (ISMS) in place that can adequately protect the data the organizations handle.
One key difference between these two standards (and this is common between most European and American standards and regulations) is that ISO 27001 is principles-based while SOC 2 is highly prescriptive. This means that organizations pursuing ISO 27001 certification have more flexibility in applying the standard’s requirements to their organization than they would with SOC 2.
Because ISO 27001 is a copyright-protected standard, we can’t share the specifics of what it requires for third-party risk management; however, we can discuss its general requirements and share industry best practices. Organizations should have a third-party risk management program in place that:
Let’s discuss these best practices in-depth.
Because of limited resources, thoroughly assessing every vendor is generally impractical. Organizations, therefore, should have a program in place where the thoroughness of assessments is directly tied to how critical the outsourced function is to the organization and/or the types of data that the vendor will process.
For example, if your organization is migrating to the cloud, the cloud service provider(s) should undergo an intensive, highly thorough security review prior to assessment. Conversely, a vendor that provides computer monitors may only need a minimal security review, if one at all.
One difficulty is that employees may engage a third-party without approval. To help mitigate this risk, security reviews should be a formal part of the procurement process. For example, your organization could require the security team’s signature on MSAs or your A/P team could notify the security team when they pay for any new vendors.
Once a vendor has been approved, it’s important that the vendor continues to be secure. Or if a vendor has been approved so long as they agree to remediate some findings over time, organizations need to have the ability to ensure those findings are remediated. Your organization’s contracts with vendors should, where appropriate, include language that requires the vendor to abide by specific security requirements. If the vendor fails to do so, then your organization is able to take action that reduces its risk profile (e.g., retaining the right to cancel the engagement).
Additionally, some regulations (e.g., GDPR) require data protection clauses to be in place in organizations’ contracts with their third parties.
Once a vendor has been approved and signed a contract, it’s important to regularly reassess the vendor. This ensures your organization isn’t exposing itself to unnecessary risks on an ongoing basis. As we discussed in the initial assessment phase, how in-depth these reassessments are should be tied directly to how critical the outsourced function is to the organization and/or the types of data that the vendor will process.
Traditionally, these reassessments have been conducted on an annual or (for high-risk vendors) semi-annual basis. One issue, though, is that these assessments only provide a point-in-time, often self-reported, overview of a vendor’s security posture. The same issue applies to the initial assessment of vendors. Another difficulty organizations have is being able to (re)assess their vendors when most organizations have many vendors.
RiskRecon’s service offering addresses these issues by providing real-time, independent verification of how vendors are performing. This enables organizations to address their vendors’ risks in real-time, rather than waiting until next year’s reassessment. Additionally, RiskRecon’s services enable security assessments to be conducted at scale. Clients can add as many vendors as they want and receive reports that automatically generate remediation plans to improve vendors’ security postures.
By integrating RiskRecon’s service offering into your organization’s third-party risk management program, you’ll be well-positioned to comply with ISO/IEC 27001:2013 and effectively manage your third-party risk.