ISO 27001 is the most popular internationally recognized standard for managing information security. Its creation was a joint effort between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why the framework is also referred to as ISO/IEC 27001.

ISO 27001 can also be implemented into a Third-Party Risk Management program. However, many organizations struggle with identifying which security controls apply to vendor security and how to successfully map them to a Vendor Risk Management platform.

In this post, we highlight the specific ISO controls that apply to Third-Party Risk Management and how to map them to features within the UpGuard platform.

Which ISO Standards Apply to Third-Party Risk Management?

Establishing the most resilient TPRM program with ISO standards requires combining three specific frameworks - ISO 27001, ISO 27002, and ISO 27018.

Each standard's specific relation to third-party security is summarized below.

ISO 27001

ISO 27001 is the most popular internationally recognized standard for improving the information security of all IT systems and data processes, including those required in third-party vendor relationships.

ISO 27001 uses a risk management approach to systematically secure sensitive data across the three primary departments of an organization - IT systems, people, and processes.

For an overview of the ISO 27001 implementation process, refer to this checklist.


ISO 27002

ISO 27002 supports the implementation of all the security controls listed in Annex A of ISO 27001. These controls address all of the commonly exploited attack surface regions in the supply chain.

The 14 control sets of Annex A are:

  • Annex A.5 – Information security policies (2 controls)
  • Annex A.6 – Organization of information security (7 controls)
  • Annex A.7 – Human resource security (6 controls)
  • Annex A.8 – Asset management (10 controls)
  • Annex A.9 – Access control (14 controls)
  • Annex A.10 – Cryptography (2 controls)
  • Annex A.11 – Physical and environmental security (15 controls)
  • Annex A.12 – Operations security (14 controls)
  • Annex A.13 – Communications security (7 controls)
  • Annex A.14 – System acquisition, development, and maintenance (13 controls)
  • Annex A.15 – Supplier relationships (5 controls)
  • Annex A.16 – Information security incident management (7 controls)
  • Annex A.17 – Information security aspects of business continuity management (4 controls)
  • Annex A.18 – Compliance (8 controls)

ISO/IEC 27018

ISO 27018 presents third-party cloud service providers with additional guidance for protecting customer Personally Identifiable Information (PII).

The ISO 27018 guidelines offer additional third-party security controls not offered in ISO 27002.

This is a particularly important section of modern third-party risk management because PII is the most coveted category of sensitive data amongst cybercriminals.

According to the 2021 Cost of a Data Breach Report by IBM and the Ponemon Institute, customer PII was compromised in almost half of all observed breaches.

By also implementing an ISO standard dedicated to safeguarding customer PII into a TPRM program, organizations could potentially halve the number of successful data breaches.


How to Meet TPRM Requirements With ISO 27001, ISO 27002 and ISO 27018

The complete ISO 27018 framework is applicable to vendor risk management, but within ISO 27001 and ISO 27002, only the section 15 security controls address supply chain relationships.

Each applicable security control listed below is mapped to an UpGuard feature to demonstrate how the platform can be used to establish a resilient TPRM program with ISO frameworks.

How to Meet ISO 27018 Third-Party Risk Management Requirements

Securing cloud technology is not easy. The ease of onboarding, coupled with its broad range of integration options, means the cloud attack surface is continuously expanding - making cloud technology a high-risk attack vector.

To comply with ISO 27018's strict personal data security expectations, a solution must be capable of scaling alongside the expanding cloud network.

How UpGuard can help

The UpGuard Third-Party Risk Management platform is capable of monitoring the information systems of both cloud solutions and third-party vendors for security vulnerabilities that could facilitate data breaches.

Because UpGuard is capable of monitoring multiple attack surfaces, you don't need to invest in separate information security management systems for cloud providers and third-party services.

UpGuard can manage the complete lifecycle of all security risks, including financial risks, across all attack surfaces, from detection to remediation and monitoring.

Click here to try UpGuard for free for 7 days.

How to Meet ISO 27001 and ISO 27002 Third-Party Risk Management Requirements

Security Control: 15.1 - Information security in supplier relationships

"To ensure the protection of the organization's assets that are accessible by suppliers."

How UpGuard can help

UpGuard's custom questionnaire builder allows organizations to develop risk assessments that are most relevant to the unique risk profiles of each asset.

Assessment results can then be used to tier vendors based on the levels of risk they pose to specific assets. This allows a more efficient distribution of remediation efforts where the most critical asset vulnerabilities are addressed first to significantly mitigate the potential for compromise.

Vendor Tiering by UpGuard

By also continuously monitoring for third-party security vulnerabilities, UpGuard ensures all vendors accessing sensitive assets aren't vulnerable to cyberattacks, which significantly reduces the potential of third-party breaches.


Security Control: 15.1.1 - Information security policy for supplier relationships

"Information security requirements for mitigating the risks associated with supplier’s access to the organization's assets should be agreed with the supplier and documented."

How UpGuard can help

UpGuard maps each vendor's risk profile against popular cybersecurity frameworks, including ISO 27001, and the General Data Protection Regulation (GDPR).

This process identifies specific compliance gaps that need to be addressed to achieve full compliance.

With UpGuard's single-pane-of-glass dashboard and security rating algorithm based on 70+ attack vectors, you can instantly identify declining security postures and the specific cybersecurity risks that are to blame.


Security Control: 15.1.2 - Addressing security in supplier agreements

"All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information."

How UpGuard can help

With UpGuard's custom questionnaire builder, you can create bespoke assessments that address the specific information security obligations each third-party vendor has agreed to.


Security Control: 15.1.2 (d)

"...obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting, and auditing."

How UpGuard can help

With UpGuard's inbuilt reporting, stakeholders can track the development of each vendor's information security risks against their contractual security standards.

Highly regulated vendors - such as those in the financial or healthcare industry - need to comply with specific cybersecurity frameworks, such as SOC 2 and NIST.

With UpGuard's risk framework mapping and in-built remediation workflow, you can easily identify and address any security control deficiencies preventing such compliance.

Finally, security ratings and custom notifications allow you to automate risk auditing by setting alerts for discovered risks of a particular severity.


Security Control: 15.1.2 (m)

"...right to audit the supplier processes and controls related to the agreement."

How UpGuard can help

With UpGuard's superior UX design, you can intuitively locate the features regularly required to audit supplier processes and controls, such as risk assessments and compliance mapping.

This ease of access supports a repeatable and scalable audit workflow.


Security Control: 15.1.2 (n)

"...defect resolution and conflict resolution processes..."

How UpGuard can help

With UpGuard's inbuilt remediation workflow, you can track the progress of each remediation request and identify roadblocks requiring your attention.

Risk remediation planner by UpGuard


Security Control: 15.1.2 (p)

"...supplier’s obligations to comply with the organization’s security requirements."

How UpGuard can help

The UpGuard Third-Party Risk Management system helps you track the data security regulatory requirements of each third-party service through industry-standard vendor risk assessments and/or custom questionnaires.

Security Control: 15.1.3 - Information and communication technology supply chain

"Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain."

How UpGuard can help

UpGuard continuously monitors the entire attack surface for vulnerabilities that could facilitate data breaches. These exposures could be related to any process or product across the supply chain, including information and communication technology.


Security Control: 15.1.3 (d)

"...implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements."

How UpGuard can help

UpGuard's real-time security ratings help you monitor and confirm the remediation efforts of all third-party vendors to ensure adherence to due diligence practices and compliance requirements.


Security Control: 15.2.1 - Monitoring and review of supplier services

"Organizations should regularly monitor, review, and audit supplier service delivery.

Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly."

How UpGuard can help

Through real-time security ratings and attack surface monitoring, UpGuard continuously scans for security vulnerabilities reflecting the efficacy of risk management processes.

This helps you discover any lapses in information security practices violating cybersecurity agreements.


Security Control: 15.2.1 (c)

"...conduct audits of suppliers, in conjunction with a review of independent auditor’s reports, if available, and follow-up on issues identified."

How UpGuard can help

UpGuard allows third-party vendors to showcase their cybersecurity due diligence with its Shared Profile feature.

Any security documents can be uploaded to a Shared Profile, including completed risk assessments, questionnaires, and even audit reports from external independent auditors.


Security Control: 15.2.1 (g)

"...review information security aspects of the supplier's relationships with its own suppliers."

How UpGuard can help

UpGuard's fourth-party risk monitoring feature maps the relationships between your third-party vendors and their suppliers, helping you track emerging vulnerabilities down to the fourth-party attack surface.

UpGuard can also help you detect and shut down any data leaks increasing the risk of a data breach - both internally and throughout the third- and fourth-party attack surface.
