
Learn more about the connected frameworks

15.1.1
ISO 27001

Information security policy for supplier relationships

15.1.3
ISO 27001

Information and communication technology supply chain

5.21
ISO 27001

Managing information security in the ICT supply chain

ID.BE-1
NIST CSF

Role in supply chain

Other tasks from the same security theme

Identifying critical IT partners


The organization must identify critical IT partners. A critical partner (internal or external) refers to a partner without whom the operation is interrupted.

7.1 (MIL1): Identify and Prioritize Third Parties
C2M2

Organizing supplier management meetings to discuss digital security


The organization regularly discusses information security with critical suppliers and other partners in supplier management meetings.


Ensuring the functionality of telecommunications


In telecommunication services and contracts, the availability of services that are important for operations in the event of disruptions has been taken into account.

The network environments and telecommunication services of important services are verified, for example, by duplication. Communication can be physically duplicated along two different routes by two different operators.

In important environments, it is ensured that the failure of a single communication component does not interrupt the operation of the service.

For example, a separate communication connection can be installed on selected workstations, through which the public information network can be accessed.

The fault tolerance of connections outside of Finland should also be taken into account during the contract phase.


Prioritization of partners based on the confidentiality of the information processed


The organization must prioritize partners based on the confidentiality of the information processed.

ID.SC-2: Suppliers and third party partners of information systems
NIST CSF

Supply chain cyber security risk management


The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

  • Evaluating interdependencies
  • Assessing risks related to contracts provided by third parties
  • Addressing the scalability of risk management based on the organization's size and needs

ID.SC-1: Cyber supply chain
NIST CSF

Defining supplier types that can access confidential data


We define in advance the types of suppliers with whom cooperation requires access to confidential information or to the areas where it is processed, and on this basis require, for example, data processing agreements. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
5.19: Information security in supplier relationships
ISO 27001

Criteria for high priority partners


The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular ones, e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make the organization's own partner management more efficient and provide good evidence of a particular level of security or privacy at the partner.

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF
5.19: Information security in supplier relationships
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Minimum requirements for partner companies to gain access to different levels of information


Minimum security requirements have been set for partner companies handling our confidential information, and these have been included in supplier agreements. The requirements vary depending on how critical the information handled by the partner is.

It makes sense for the requirements to consist of the rules and practices that are followed in your own organization. The requirement levels can be divided into low, medium and high risk suppliers.

15.1.1: Information security policy for supplier relationships
ISO 27001
15.1.3: Information and communication technology supply chain
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
5.21: Managing information security in the ICT supply chain
ISO 27001

Defined security arrangements for providing critical network equipment


The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).

The security features of online services can be e.g. the following:

  • required security-related technologies such as authentication, encryption technology, and network connection management tools
  • the technical parameters required for a secure connection to network services
  • online service usage criteria that restrict access to the online service or applications as needed

13.1.2: Security of network services
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.BE-5: Resilience requirements
NIST CSF
DE.CM-1: The network monitoring
NIST CSF
5.22: Monitoring, review and change management of supplier services
ISO 27001

Exit strategies for critical ICT services


The organization has put in place exit strategies for any ICT services supporting critical or important functions, to prepare for possible failures, deteriorations of quality or other business disruptions related to the service.

Exit strategies ensure that the organization can exit related contractual arrangements without:

  • disruption to their business activities
  • non-compliance with regulatory requirements
  • detriment to continuity and quality of services provided

Exit plans are comprehensive, documented and sufficiently tested and reviewed periodically.

As part of the exit strategies, the organisation has also identified alternative solutions and developed transition plans that enable it to switch services and transfer the relevant data securely.


Ensuring the functionality of IT environments


In IT environments and the related contracts, the availability of services that are important for operations in the event of disruptions has been taken into account.

The IT environments of important services are made redundant, for example by duplication, so that failures of individual components do not cause outages longer than the service level required by operations allows.

IT environments can be secured with backup power or backup power connections so that the power supply can be restored quickly enough and maintained for a sufficient time relative to the requirements of operations.


Required security objectives for cloud service subcontractors related to offered cloud services


When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this, the organisation must specify the required security objectives for the subcontractors included in the supply chain. These objectives should require the subcontractors to perform risk management in order to accomplish them.

15.1.3: Information and communication technology supply chain
ISO 27017

Confirming information security roles and responsibilities related to utilized cloud services


When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management

15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001

Multiple providers for critical network equipment


When the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services through several routes and from several service providers.

13.1.2: Security of network services
ISO 27001
ID.BE-4: Dependencies and critical functions
NIST CSF
ID.BE-5: Resilience requirements
NIST CSF
8.14: Redundancy of information processing facilities
ISO 27001
8.21: Security of network services
ISO 27001