ISO 27001 compliance provides greater assurance that an organization is adequately managing its cybersecurity practices, such as protecting personal data and other types of sensitive data.
Third-party risk management (TPRM) programs can benefit immensely from implementing the relevant ISO 27001 controls to mitigate the risk of significant security incidents and data breaches.
However, developing a robust TPRM program is already a time- and resource-intensive feat on its own, without even considering the framework’s requirements.
This post outlines which ISO controls are relevant to TPRM and how the UpGuard platform can help meet each control’s objectives.
What is ISO 27001?
ISO 27001 is an international standard that guides the development of an information security management system (ISMS) to manage data security and information security effectively.
Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the framework is also known as ISO/IEC 27001.
It was first released in 2005 – the most recent version was published in February 2022, revising the longstanding ISO/IEC 27001:2013.
The standard consists of two parts:
- 11 Clauses (0-10): Clauses 0-3 introduce ISO 27001, and clauses 4-10 outline the minimal compliance requirements during the certification process.
- Annex A: Defines the 114 supporting controls required for compliance.
The Annex A controls are separated into 14 domains, ranging from A.5 to A.18:
- A.5: Information Security Policies
- A.6: Organisation of Information Security
- A.7: Human Resource Security
- A.8: Asset Management
- A.9: Access Control
- A.10: Cryptography
- A.11: Physical and Environmental Security
- A.12: Operations Security
- A.13: Communications Security
- A.14: System Acquisition, Development, and Maintenance
- A.15: Supplier Relationships
- A.16: Information Security Incident Management
- A.17: Information Security Aspects of Business Continuity Management
- A.18: Compliance
Domain A.15: Supplier Relationships covers the third-party requirements of ISO 27001.
ISO 27001 Third-Party Risk Management Requirements
The security controls applicable to third-party risk management are found in Annex 15 of both the ISO 27001 and ISO 27002 frameworks.
Annex 15 provides the following advice for third-party risk management:
- Develop an information security policy that details the security controls and policies that must be implemented for effective vendor risk management.
- Provide contractual requirements for any third-party vendor that may access, process, store, communicate, or provide IT infrastructure components to an organization’s data.
- Ensure supplier agreements address the information security risks associated with information and communications technology services and product supply chain.
- Monitor, review, and audit supplier service delivery regularly.
15.1 - Information Security in Supplier Relationships
"To ensure the protection of the organization's assets that are accessible by suppliers."
How UpGuard Can Help
UpGuard automatically discovers potential vendor risks across 70+ attack vectors, allowing organizations to prevent potential data breaches through real-time reporting and automated remediation workflows.
Click here to try UpGuard for free for 7 days.
15.1.1 Information Security Policy for Supplier Relationships
"Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented."
How UpGuard Can Help
UpGuard maps each vendor’s security questionnaire responses against recognized security frameworks and regulatory requirements, including ISO 27001, General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).
This process allows organizations to quickly identify compliance gaps and track the vendor’s entire remediation workflow through the platform.
15.1.1 a)
“Identifying and documenting the types of suppliers, e.g., IT services, logistics utilities, financial services, IT infrastructure components, whom the organization will allow to access its information.”
How UpGuard Can Help
UpGuard’s Vendor Tiering feature allows organizations to classify vendors based on the level of risk they pose through either manual or questionnaire-based tiering, enabling security teams to prioritize remediation efforts.
Manual tiering is ideal for stakeholders who require strict control over their risk management programs.
15.1.1 b)
“A standardized process and lifecycle for managing supplier relationships.”
How UpGuard Can Help
UpGuard allows organizations to monitor, assess, and manage the third-party risk management process by automating the entire vendor risk management lifecycle, from onboarding to offboarding.
The platform combines automated security questionnaires with real-time risk identification across the entire third-party attack surface to provide accurate insights into vendors’ security postures.
15.1.1 e)
“Processes and procedures for monitoring adherence to established information security requirements for each type of supplier and type of access, including third-party review and product validation.”
How UpGuard Can Help
UpGuard’s questionnaire library includes 20+ pre-built questionnaires which map to international security frameworks and regulations, including ISO standards. The platform’s custom questionnaire builder allows organizations to create and send questionnaires that cover each vendor’s unique requirements.
15.1.1 h)
“Handling incidents and contingencies associated with supplier access including responsibilities of both the organization and suppliers.”
How UpGuard Can Help
UpGuard’s centralized dashboard leverages real-time data to streamline the third-party remediation process, alerting organizations when third-party risks are found and when vendors fix them.
15.1.1 i)
“Resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party.”
How UpGuard Can Help
UpGuard’s Compliance Reporting feature maps a vendor’s level of compliance with recognized security frameworks and regulations, such as ISO 27001. Organizations can use this information to proactively identify and remediate compliance gaps in collaboration with vendors to prepare robust incident response plans.
15.1.1 l)
“Conditions under which information security requirements and controls will be documented in an agreement signed by both parties.”
How UpGuard Can Help
UpGuard’s Trust Page (formerly Shared Profile) allows vendors to proactively share their security posture and related documentation, like SOC 2 reports, to streamline the risk assessment process with current and prospective customers. Built-in messaging and the ability to set reminders and track questionnaire completion status enable more transparent communication of both parties' expectations.
15.1.1 m)
“Managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.”
How UpGuard Can Help
UpGuard’s custom questionnaire builder allows organizations to validate the processes, policies, and procedures their vendors have in place to cover crucial information technology and data security requirements.
15.1.2 Addressing Security in Supplier Agreements
"All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."
How UpGuard Can Help
UpGuard allows organizations to upload any additional evidence, such as audit reports and completed security questionnaires, to capture identified risks. These risks can be included in the vendor’s risk profile and used during the risk assessment process.
15.1.2 (d)
"Obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing."
How UpGuard Can Help
UpGuard’s Compliance Reporting feature maps vendors’ compliance to ISO 27001, enabling organizations to identify nonconformities and request remediation.
The platform’s Audit Log allows administrators to view and filter important events and see who performed them, including vendor onboarding dates, questionnaire completions, vendor risk score changes, and vendor remediation status changes.
15.1.2 g)
“Information security policies relevant to the specific contract.”
How UpGuard Can Help
UpGuard’s library of pre-built questionnaires and custom questionnaire builder allow organizations to assess and validate their vendors' compliance with 20+ popular security frameworks, including ISO 27001.
All relevant contractual evidence, including documentation from the relevant certification bodies, can be stored centrally in the platform for unified access.
15.1.2 (m)
"Right to audit the supplier processes and controls related to the agreement."
How UpGuard Can Help
UpGuard provides transparency throughout the entire vendor lifecycle. The platform’s Audit Log records all actions taken between an organization and its vendors, providing crucial evidence for internal audits.
Compliance Reporting identifies areas of non-compliance to ensure adherence with ISO 27001 and other recognized frameworks and regulations, helping to streamline remediation workflows.
15.1.2 (n)
"Defect resolution and conflict resolution processes."
How UpGuard Can Help
UpGuard’s centralized platform allows security teams to create and send security questionnaires, request evidence from vendors, and seamlessly manage the remediation process through automated workflows.
15.1.2 (p)
"Supplier’s obligations to comply with the organization’s security requirements."
How UpGuard Can Help
With managed services, UpGuard relieves organizations of the time-consuming back-and-forth of running an effective third-party risk management (TPRM) program.
A team of third-party risk analysts can handle laborious tasks, such as requesting risk assessments, chasing evidence, and managing the remediation process, enabling organizations to scale TPRM as their vendor inventory grows.
15.1.3 Information and Communication Technology Supply Chain
"Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."
How UpGuard Can Help
UpGuard offers a comprehensive third-party risk attack surface monitoring and management solution. The platform generates security ratings to provide a digestible measure of vendors' security postures, leveraging questionnaires and real-time risk alerts across 70+ attack vectors, including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, and DNS issues.
15.1.3 (d)
"Implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements."
How UpGuard Can Help
UpGuard’s Trust Page feature allows vendors to proactively upload supporting documentation, such as certification with recognized security frameworks, to validate compliance. Organizations can easily request further evidence or any required remediation through the platform.
15.1.3 f)
“Obtaining assurance that critical components and their origin can be traced throughout the supply chain.”
How UpGuard Can Help
UpGuard provides visibility into an organization’s entire digital supply chain. The platform’s third-party attack surface monitoring extends to the automatic discovery of fourth parties, allowing organizations to validate their vendors’ reporting.
15.2 Supplier Service Delivery Management
“To maintain an agreed level of information security and service delivery in line with supplier agreements.”
How UpGuard Can Help
Vendors of UpGuard customers can create a free account to answer questionnaires, complete risk assessments, and create a Trust Page to proactively display crucial evidence required during the due diligence process.
15.2.1 Monitoring and Review of Supplier Services
"Organizations should regularly monitor, review and audit supplier service delivery."
How UpGuard Can Help
UpGuard continuously monitors an organization’s entire third-party attack surface for security vulnerabilities, providing real-time risk alerts and security ratings to reveal each vendor’s security posture on demand.
15.2.1 a)
“Monitor service performance levels to verify adherence to the agreements.”
How UpGuard Can Help
UpGuard’s custom questionnaire builder allows organizations to monitor important vendor cybersecurity risk management metrics, such as SLA compliance and other contractual agreements about cybersecurity.
15.2.1 (c)
“Conduct audits of suppliers, in conjunction with a review of independent auditor’s reports, if available, and follow-up on issues identified.”
How UpGuard Can Help
Trust Page allows service providers to display their cybersecurity due diligence by uploading evidence, such as completed risk assessment questionnaires and audit reports.
15.2.1 (g)
"Review information security aspects of the supplier's relationships with its own suppliers."
How UpGuard Can Help
UpGuard monitors fourth-party risk by mapping relationships between an organization’s third-party vendors and their suppliers. This visibility allows organizations to track emerging vulnerabilities across the entire supply chain attack surface.
15.2.1 h)
“Ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.”
How UpGuard Can Help
UpGuard allows organizations to generate in-depth reports outlining a vendor’s security posture, including results from automated scanning, questionnaires, and any uploaded supporting evidence.
Internal stakeholders can use these reports to give vendors context around the corrective actions required to develop solid incident response plans.