The organization’s role in the supply chain is identified and communicated.

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

The organization's own role in the supply chain is defined and communicated to the necessary partners.

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

• Evaluating interdependencies
• Assessing risks related to contracts provided by third parties
• Addressing the scalability of risk management based on the organization's size and needs

The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also be ensured that suppliers understand their security guidelines and any other security responsibilities under the agreements.