ISO 27001:2022 compliance provides greater assurance that an organization is adequately managing its cybersecurity practices, such as protecting personal data and other types of sensitive data.
Third-party risk management (TPRM) programs can benefit immensely from implementing the relevant ISO 27001 controls to mitigate the risk of significant security incidents and data breaches.
However, developing a robust TPRM program is already a time and resource-intensive feat on its own, without even considering the framework’s requirements.
This post outlines which ISO controls are relevant to TPRM and how the UpGuard platform can help meet each control’s objectives.
If you’re already familiar with ISO 27001, click here to skip ahead to the third-party risk requirements.
What is ISO 27001?
ISO 27001 is an international standard that guides the development of an information security management system (ISMS) to manage data security and information security effectively.
Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the framework is also known as ISO/IEC 27001.
It was first released in 2005, with the most recent version published in October 2022, revising the longstanding ISO/IEC 27001:2013.
The standard consists of two parts:
- 11 Clauses (0-10): Clauses 0-3 introduce ISO 27001, and clauses 4-10 outline the minimal compliance requirements during the certification process.
- Annex A: Defines the 93 supporting controls required for compliance, grouped into four categories:
  - Organizational Controls (37 controls)
  - People Controls (8 controls)
  - Physical Controls (14 controls)
  - Technological Controls (34 controls)
The updated Organizational and Technological controls in ISO 27001:2022 address third-party risk through enhanced requirements for supplier relationships and supply chain security.
The new Annex A includes 11 new controls, addressing modern security challenges such as threat intelligence, data leakage prevention, and secure configuration management. The previous domain structure (A.5 to A.18) has been replaced with a more streamlined approach that simplifies control selection and aligns with modern risk management practices.
Learn how UpGuard supports alignment with ISO 27001 >
ISO 27001:2022 Third-Party Risk Management Requirements
The security controls applicable to third-party risk management are predominantly found under the Organizational Controls section of Annex A in the ISO 27001:2022 framework. These controls provide guidance for managing the security risks associated with third-party vendors, service providers, and suppliers.
The specific links to TPRM in this section are as follows:
- Develop an information security policy that defines the security controls and procedures required for managing third-party risks, especially for vendors that access, process, store, or transmit organizational data.
- Ensure contractual requirements for third-party vendors address security concerns, including those related to access, data handling, and IT infrastructure management.
- Incorporate supplier agreements that address the information security risks associated with the information and communications technology (ICT) supply chain and service providers.
- Monitor, review, and audit supplier service delivery on a regular basis to ensure ongoing compliance with security requirements.
These controls aim to bolster supply chain risk management to reduce the impact of security incidents involving third-party entities in the supply chain.
You can use this free ISO 27001 risk assessment template to track each vendor's alignment with ISO 27001:2022.
5.9 – Inventory of Information and Other Associated Assets
"An inventory of information and other associated assets, including owners, shall be developed and maintained."
Control 5.9 of ISO 27001:2022 emphasizes the need for organizations to maintain an accurate and up-to-date inventory of their information and associated assets. This inventory list should ideally comprise physical, intangible, and digital assets.
- Physical asset examples: Hardware and servers
- Intangible asset examples: Data and software
- Digital asset examples: Any digital tools or services third-party vendors interact with.
There are six key aspects to control 5.9:
- Asset identification: Identifying and documenting all internal and external assets in the organization's digital footprint. This list should include assets shared with or managed by vendors.
- Ownership assignment: An owner should be assigned to each identified asset. The asset owner is responsible for overseeing the security controls applied to their designated asset and any emerging risks threatening its security.
- Lifecycle management: The asset inventory document must account for third-party access details for each vendor relationship lifecycle.
- Risk prioritization: Control 5.9 requires organizations to categorize assets based on their criticality and potential impact on the organization if compromised.
How UpGuard Can Help
UpGuard's Attack Surface Management features allow organizations to map their external digital footprint and maintain an up-to-date inventory of all their internet-facing IT assets that interact with critical information systems.
Watch this video for an overview of how the UpGuard platform can be used for Attack Surface Management.
5.19 – Information Security in Supplier Relationships
"Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services."
Control 5.19 of ISO 27001:2022 ensures organizations have procedures for identifying and managing risks arising from supplier relationships. This control requirement is an important aspect of a data breach prevention strategy in a modern business context with increasing dependence on third-party services.
Key aspects of 5.19 – Information Security in Supplier Relationships include:
- Supplier risk assessments: Regular point-in-time vendor risk assessments offering a detailed breakdown of each supplier's security posture and susceptibility to suffering a security incident.
- Access control and data handling: Strict access control policies limiting sensitive data access to the minimum levels required for external parties to provide their essential services. Third-party access control levels should be regularly reviewed to confirm ongoing alignment with this control.
- Incident response and contingency plans: A documented and regularly tested plan for how suppliers will respond to a security breach or essential service disruption.
- Fourth-party risk management: The detection and management of security risks extending from the fourth-party attack surface, since these risks have a direct impact on an organization's susceptibility to data breaches.
How UpGuard Can Help
UpGuard automatically discovers potential vendor risks across 70+ attack vectors, allowing organizations to prevent potential data breaches through real-time reporting and automated remediation workflows.
5.20 – Addressing Information Security within Supplier Agreements
"Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship."
Control 5.20 of ISO 27001:2022 focuses on ensuring organizations formally establish and document the information security requirements their suppliers must adhere to. These practices could relate to information security controls focused on mitigating data breaches, and those relating to regulatory compliance.
Key aspects of 5.20 – Addressing Information Security within Supplier Agreements include:
- Tailoring Security Requirements to the Supplier Relationship: The intensity of supplier-related information security controls should depend upon:
  - The type of data handled by the supplier
  - The systems or applications the supplier has access to
  - The geographic location of the supplier (due to different privacy laws)
  - The potential impact of a security breach involving the supplier
- Defining Specific Security Controls in Contracts: Contracts and agreements should explicitly define the security controls each supplier must implement. Requirements could address:
  - Data encryption: Details of the state of encryption (at rest or in transit) for each data process.
  - Access control: The details of each individual's level of access.
  - Incident response: Expectations of the supplier's response to security incidents impacting their contractual obligations relating to security controls.
  - Compliance with standards: A list of standards and regulations the supplier must align their security strategy with, such as ISO 27001, PCI DSS, GDPR, or NIST CSF.
- Termination Clauses: Detailing the process for ensuring complete removal of internal access when a supplier relationship is de-provisioned.
How UpGuard Can Help
UpGuard's Trust Exchange product allows organizations to easily store security documentation, such as completed security questionnaires and audit reports, relating to each supplier relationship.
Sign up to Trust Exchange for free >
5.21 – Managing Information Security in the ICT Supply Chain
"Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain."
Control 5.21 of ISO 27001:2022 focuses on managing the information security risks posed by suppliers and vendors within the Information and Communication Technology (ICT) supply chain.
Key aspects of 5.21 – Managing Information Security in the ICT Supply Chain include:
- Risk Identification in the ICT Supply Chain: Organizations must develop processes for identifying, managing, and monitoring security risks associated with ICT suppliers.
- Supplier Security Requirements for ICT Products and Services: Establish clear security requirements for suppliers of ICT products or services. Guidelines should include provisions for secure coding practices, vulnerability assessments, and, ideally, penetration testing.
- Vetting and Approval Process for ICT Suppliers: Implement a due diligence policy to ensure that all newly onboarded ICT suppliers meet the organization's third-party risk appetite.
How UpGuard Can Help
UpGuard's real-time monitoring of third-party entity security postures through security ratings could help organizations detect ICT security risks in their supply chain before they're exploited by cybercriminals.
Learn about UpGuard's security ratings >
5.22 – Monitoring, Review, and Change Management of Supplier Services
"The organization shall regularly monitor, review, evaluate, and manage changes in supplier information security practices and service delivery."
Control 5.22 of ISO 27001:2022 focuses on the ongoing oversight of suppliers’ security practices and the services they provide. The purpose of this control is to ensure that suppliers maintain high standards of information security throughout their relationship with the organization.
Key aspects of 5.22 – Monitoring, Review, and Change Management of Supplier Services include:
- Continuous Monitoring of Supplier Performance: Ensuring they meet your specified security posture requirements.
- Periodic Reviews and Audits: Regularly complete risk assessments with suppliers to verify compliance with agreed-upon security standards.
- Change Management Procedures: Evaluate any changes in the supplier’s services, security practices, or management structure.
- Incident Management and Response: Collaborate with suppliers on incident response to ensure timely reporting, root cause analysis, and resolution of security incidents.
- Performance Metrics and KPIs: Establish key performance indicators (KPIs) to track each supplier's compliance with its security obligations and SLAs.
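The inventory requirements of control 5.9 (every asset has an owner, a criticality rating, and a record of which suppliers can reach it) and the periodic-review and KPI requirements of control 5.22 are easier to audit when the register is machine-checkable. The following Python script is an added example, not UpGuard's code and not part of the ISO standard: it walks a constructed asset register and supplier list, reports gaps (missing owners, unrated assets, access by unknown or off-boarded suppliers, overdue supplier reviews) and computes a simple KPI. The review cadence per criticality level, the field names and all sample records are assumptions chosen for illustration.

```python
"""Added example: register checks for ISO 27001:2022 controls 5.9 and 5.22.

Not UpGuard's code. The review intervals, dataclass fields and sample
records below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Illustrative review cadence by asset criticality (an organisational choice,
# not a value prescribed by the standard).
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass
class Asset:
    asset_id: str
    kind: str                    # "physical", "intangible" or "digital"
    owner: Optional[str]         # control 5.9: every asset needs an owner
    criticality: Optional[str]   # control 5.9: drives risk prioritization
    suppliers: list = field(default_factory=list)  # suppliers with access


@dataclass
class Supplier:
    name: str
    last_review: Optional[date]  # control 5.22: date of last assessment
    contract_active: bool = True


def inventory_findings(assets, suppliers, today):
    """Return (severity, message) tuples for every gap found in the register."""
    findings = []
    supplier_by_name = {s.name: s for s in suppliers}
    for a in assets:
        if not a.owner:
            findings.append(("high", f"{a.asset_id}: no owner assigned"))
        if a.criticality not in REVIEW_INTERVAL_DAYS:
            findings.append(("medium", f"{a.asset_id}: criticality not set"))
        # Unrated assets are treated as high criticality until classified.
        interval = REVIEW_INTERVAL_DAYS.get(a.criticality, REVIEW_INTERVAL_DAYS["high"])
        for name in a.suppliers:
            s = supplier_by_name.get(name)
            if s is None:
                findings.append(("high", f"{a.asset_id}: access by unknown supplier {name!r}"))
            elif not s.contract_active:
                findings.append(("high", f"{a.asset_id}: access by off-boarded supplier {name!r}"))
            elif s.last_review is None or (today - s.last_review).days > interval:
                findings.append(("medium", f"{a.asset_id}: review of {name!r} overdue (>{interval}d)"))
    return findings


def supplier_review_kpi(assets, suppliers, today):
    """Fraction of active suppliers whose last review is within the required
    interval. A supplier's required interval is the shortest interval among
    the assets it can access (it inherits the most critical asset's cadence)."""
    required = {}
    for a in assets:
        interval = REVIEW_INTERVAL_DAYS.get(a.criticality, REVIEW_INTERVAL_DAYS["high"])
        for name in a.suppliers:
            required[name] = min(interval, required.get(name, interval))
    active = [s for s in suppliers if s.contract_active]
    if not active:
        return 1.0
    compliant = 0
    for s in active:
        interval = required.get(s.name, REVIEW_INTERVAL_DAYS["high"])
        if s.last_review is not None and (today - s.last_review).days <= interval:
            compliant += 1
    return compliant / len(active)


# Constructed sample register (not real assets or vendors).
SAMPLE_ASSETS = [
    Asset("crm-db", "digital", "data-platform", "high", ["Acme Analytics"]),
    Asset("hr-portal", "digital", None, "medium", ["PeopleCloud"]),
    Asset("office-firewall", "physical", "netops", None, []),
    Asset("payroll-export", "intangible", "finance", "high", ["PeopleCloud", "OldVendor"]),
]
SAMPLE_SUPPLIERS = [
    Supplier("Acme Analytics", date(2024, 5, 1)),
    Supplier("PeopleCloud", date(2023, 11, 15)),
    Supplier("OldVendor", date(2023, 1, 1), contract_active=False),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for severity, message in inventory_findings(SAMPLE_ASSETS, SAMPLE_SUPPLIERS, TODAY):
        print(f"[{severity}] {message}")
    print(f"supplier review KPI: {supplier_review_kpi(SAMPLE_ASSETS, SAMPLE_SUPPLIERS, TODAY):.0%}")
```

On the sample data the script flags the unowned HR portal, the unrated firewall, the off-boarded vendor that still has access to the payroll export, and the supplier whose last review predates the 90-day cadence inherited from the high-criticality asset it touches; the KPI reports that half of the active suppliers are within their review window. Feeding the same checks from a real register (CMDB export, vendor management system) gives evidence for both the 5.9 inventory and the 5.22 monitoring requirements.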
How UpGuard Can Help
UpGuard offers real-time attack surface visibility, helping organizations continuously monitor evolving threats in their expanding external attack surface.