Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
10.1.1 Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented.
10.1.2 Addressing security within supplier agreements
All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
Establish and document supplier agreements to avoid misunderstanding between the organization and the supplier regarding both parties’ obligations. Develop the agreements with suppliers and include:
a) description of the information to be provided or accessed, sensitivity of information (classification) and methods of providing or accessing the information;
b) legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how compliance will be ensured;
c) obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;
d) list of supplier personnel authorized to access or receive the organization’s information, or procedures or conditions for authorization;
e) incident management requirements and procedures (especially notification and collaboration during incident remediation);
f) training and awareness requirements for specific procedures and information security requirements, e.g. for incident response, authorization procedures;
g) relevant regulations for sub-contracting, including the controls that need to be implemented;
h) supplier’s obligations to comply with the organization’s security requirements and relevant agreement partners, including a contact person for information security issues;
i) screening requirements, if any, for supplier’s personnel;
j) right to audit the supplier processes and controls related to the agreement;
k) conflict and defect resolution processes.
Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology (ICT) services and the product supply chain. Organizations can influence the security practices of the ICT supply chain, including cloud computing services, by making clear in agreements with their suppliers the matters that should be addressed by other suppliers further along the ICT supply chain.
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
10.2.1 Monitoring and review of supplier services
Organizations should regularly monitor, review and audit supplier service delivery.
10.2.2 Managing changes to supplier services
Changes to the provision of services by suppliers, including changes in policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved, and the risks should be re-assessed.
The organization may change its policies, procedures and security controls in ways that have an impact on supplier service agreements. Such changes may include:
a) use of new technologies and development of any new applications and systems, including new development tools and environments;
b) modifications or updates of the organization’s policies and procedures;
c) new or changed security controls;
d) changes and enhancements to networks;
e) changes to the physical location of service facilities;
f) change of suppliers;
g) sub-contracting to another supplier.