Which security clauses to use for supplier agreements?

Running a business on your own these days is practically impossible. Maintaining high levels of performance in every aspect of your business to stay competitive means draining precious resources that would be better invested in business growth and diversification. Thus, using suppliers becomes an attractive alternative.

But, while suppliers are becoming vital to every organization’s operations, this scenario introduces new risks that must be considered. For information security, valuable and sensitive information will now be handled by suppliers, and without proper treatment, this leads to increased risk of information confidentiality, integrity, or availability being compromised.

In the article "6-step process for handling supplier security according to ISO 27001" we presented an overview of an ISO 27001-based process for managing suppliers' security. This article details some security clauses you should seriously consider including in supplier contracts, to ensure proper protection of those aspects of your business operations that are under suppliers' control.

Why include security clauses in outsourcing contracts?

In short: security should be considered a deliverable, just like any other product or service an organization expects from its supplier.

When an organization runs a process to deliver products or services to its clients, and adopts best practices like ISO 9001 or ISO 27001, it defines controls to ensure the process is performed with minimized risk so that established requirements are met (e.g., measuring points at critical steps, redundancies, etc.).

When an organization decides that outsourcing is the better cost-benefit option, it should not only consider the product or service to be delivered, but also ensure, by means of security clauses, that the related processes are properly implemented and controlled. In practice, this is often not done, or not verified, properly.


Security clauses to handle outsourcing risks

To ensure that the benefits of outsourcing operations outweigh the risks of including providers in the scenario, contracts should be written properly, and ISO 27001 control A.15.1.2 (Addressing security within supplier agreements) requires an organization to consider security clauses in contracts. Some examples of security clauses are:

Right to audit: clause ensuring the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.

Notification about security breaches: clause requiring the provider to inform the organization in a timely manner regarding any security breaches that may impact the organization’s business. Generally, this clause is related to data breach notification laws that affect either the organization or the provider, or both.

Adherence to security practices: clause requiring the provider to adhere to the organization’s security practices, and to communicate any situations where this adherence is not achievable, helping to prevent security gaps or conflicts that could impair security performance.

Response time to vulnerabilities: clause requiring the provider to treat, in a timely manner, known vulnerabilities that may impact the organization’s business.

Demonstration of compliance: clause requiring the provider to provide independent evidence that its operations and controls comply with contractual requirements. This can be achieved, for example, by a third-party audit agreed upon by the provider and the organization.

Management of supplier’s supply chain risks: clause requiring the provider to ensure, within its own supply chain, the fulfillment of the same security clauses applied to the provider.

Communication of changes: clause requiring the provider to inform the organization in a timely manner regarding changes in its environment that may impact the organization’s business.

Maintenance of service levels: clause requiring the provider to inform the organization regarding its plans to ensure service levels in normal conditions and during disruptive events, on either the organization’s or the provider’s premises.

You should note that this is not a definitive list, that other clauses may arise from risk assessments, and that all contractual clauses should be reviewed by legal personnel to ensure proper wording and application.

Tailoring clauses to specific needs

Even though it may seem like a good idea to include all of these clauses in all of your contracts with suppliers, you should avoid this. Why? Because treating all suppliers the same way doesn’t make sense. Each one of them has a different relationship with you, and imposing all of these clauses on every supplier may render your contracts too costly, or severely restrict your options regarding which suppliers can comply with them.

To define which clauses to apply, you should focus on each supplier’s risks, by means of surveys, questionnaires, and gathering of controls documentation during supplier selection. To help you manage information on multiple suppliers, you can use criteria like:

  • categorizing suppliers based on what they do for you
  • prioritizing suppliers based on information you share with them, or information they may have access to

Do not let your suppliers’ risks affect your business

Handing over part of their operational activities to a capable partner through outsourcing is an option organizations cannot ignore anymore, but this does not mean that outsourcing should be managed without care regarding security.

By adopting ISO 27001 requirements and recommendations, an organization can benefit not only from better operational performance, but also from reduced costs of managing and monitoring third-party risks (including those in the provider’s own supply chain), greater agility in responding to risks in the environment as they arise, and the capacity to allocate resources to the development and growth of its core business.

To learn more about how ISO 27001 implementation can help you define security clauses for contracts with suppliers, try this free online training: ISO 27001 Lead Implementer Online Course.

Author: Rhand Leal (Advisera)

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.