Cyber supply chain

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

• Evaluating interdependencies
• Assessing risks related to contracts provided by third parties
• Addressing the scalability of risk management based on the organization's size and needs

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

• monitoring the promised service level
• reviewing supplier reports and arranging follow-up meetings
• regular organization of independent audits
• follow-up of problems identified in audits
• more detailed investigation of security incidents and review of related documentation
• review of the supplier's future plans (related to maintaining the service level)

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.