Third-Party Risk Management and ISO 27001, 27002, 27701

BLOG 4 MINS | November 19, 2019

The International Organization for Standardization (ISO) is well known in the world of third-party risk management, particularly through ISO 27001, ISO 27002, and ISO 27701. These standards set out internationally accepted controls that cover, among other things, third-party risk management: suppliers, processors, and other external service providers that access or handle your information assets. Adhering to these controls can help your organization operate with confidence across geographies and industries.

How does your third-party risk management program stack up against ISO 27001, 27002, and 27701? Download our third-party risk management compliance checklist to find out.

What’s the Difference Between ISO 27001, ISO 27002, and ISO 27701?

In this article, we’ll focus on ISO 27001, 27002, and 27701. First, let’s understand the difference between these standards.

ISO 27001
ISO 27001 is the most well-known of these standards. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), and it is the standard in the family against which organizations are certified. Its purpose is to preserve the confidentiality, integrity, and availability of information.

ISO 27002
ISO 27002 is the companion code of practice to ISO 27001. It provides guidance on information security controls and management practices, and explains how to select, implement, and manage those controls. Specifically, ISO 27002 helps organizations:

  • Select controls for implementing an ISMS based on ISO/IEC 27001
  • Implement commonly accepted information security controls
  • Develop their own information security management guidelines

Both ISO 27001 and 27002 serve as the foundation for developing a privacy information management system (PIMS) as outlined in ISO 27701.

ISO 27701
ISO 27701 extends ISO 27001 and 27002 with the requirements and guidance needed to establish, implement, maintain, and continually improve a privacy information management system (PIMS). A strong PIMS is critical for organizations that are responsible and accountable for the processing of personally identifiable information (PII), whether they act as the controller of that data or process it on behalf of others. Adhering to ISO 27701’s guidance enables organizations to protect the privacy of personal information and to demonstrate that protection to customers, partners, and regulators.

What ISO 27001, ISO 27002, and ISO 27701 Mean for Third-Party Risk Management

ISO’s standards cover far more than third-party risk management. However, because vendors and other outsourced service providers access and handle your information assets, including personal data, third-party risk management is essential both to meet the ISO standards and to have a fully integrated risk management system that covers information security and privacy together. Below is a list highlighting some of the key third-party risk management controls:

Information Security Controls

  • Identify, define, and document the information security controls necessary to mitigate the risks associated with supplier access to your information assets
  • Ensure agreements with suppliers establish the relevant information security requirements for each supplier that may access, process, store, communicate, or provide IT infrastructure components for your data
  • Stipulate in supplier contracts the minimum technical and organizational measures the supplier must implement so that you can meet your own information security and data protection obligations

Supplier Service Delivery Management Controls

  • Develop policies and procedures to regularly monitor, review, and audit supplier service delivery
  • Create procedures to manage changes made in supplier services

Network Security Controls

  • Ensure contracts with outsourced network service providers include security mechanisms, service levels, and management requirements

Development Security Controls

  • Ensure contracts require suppliers to establish and apply secure system engineering principles that align with your own
  • Require outsourced information systems to adhere to data protection by design and by default principles
  • Supervise and monitor any outsourced system development activity to ensure compliance with applicable laws and with your contractual requirements
  • Obtain evidence that outsourced services meet the appropriate levels of security and privacy quality before relying on them

Third Party and Processor Controls

  • Implement appropriate security and privacy controls when transmitting personal data to third parties and processors
  • Maintain records of personal data transfers to third parties and processors, and ensure that they cooperate in fulfilling data protection obligations
  • Develop procedures and mechanisms for informing third parties and processors with whom you have shared personal data of any modification, withdrawal, or objections relating to the personal data


How OneTrust Vendorpedia Helps Third-Party Risk Management for ISO 27001, ISO 27002, and ISO 27701

With organizations’ growing use of cloud service providers, suppliers, data processors, and other outsourced parties, third-party risk management is an increasing concern. With OneTrust Vendorpedia, organizations can manage their adherence to the controls laid out in the ISO 27000 family of standards. Beyond that, our Global Risk Exchange contains product-level detail on thousands of vendors, so you can identify whether a vendor has obtained ISO certifications.

Want to learn more about OneTrust Vendorpedia? Request a demo today.

OneTrust. All Rights Reserved.