What to do when your ‘supply chain’ is really a ‘supply loop’
When I asked Bridget Kenyon – CISO (chief information security officer) for SSCL, lead editor for ISO 27001:2022 and author of ISO 27001 Controls – what she’d like to cover in an interview, she suggested supply chain security.
I asked her whether she was thinking about the CrowdStrike incident (which happened just a few weeks prior).
Bridget responded: “Not specifically. To be honest, supply chain security has been a perennial problem.”
I sat down with her to find out more.
In this interview
Challenges of supply chain security
What makes supply chain security challenging?
It’s a perennial problem for which there’s very little solution, because everything is connected to everything else.
We call it a supply ‘chain’, but that’s almost a misnomer. It’s more like a three-dimensional network. Everything you pull on moves something else. Not only that – it all connects back to itself. It’s a supply loop rather than a supply chain.
A basic example is a cleaning company. It often uses Microsoft Excel to do its reference work, and Microsoft might use that cleaning company to clean its offices. So, they are each other’s supplier.
But supply loops can get far more complicated.
How can you secure a ‘supply loop’?
If everything you do moves something else, then the only way you can do anything is together.
Think of it as taking a community-based approach. That’s probably why public entities tend to do better at this – they often have community-based values baked into their culture.
In short, it’s a case of ‘give and take’ – you don’t want to be wrist-slapping people, but you also don’t want to just take their word at face value.
That’s not so much because you think they might be lying. Organisations can sincerely believe they’re telling the truth – they just haven’t implemented something as well as they think.
Can you give us an example?
Suppose you ask a supplier whether it does patch management. It might say: “Yes, we patch every Tuesday.”
OK, great. But does anyone check whether those patches were successfully applied?
Often, the answer is ‘no’. Organisations might not check whether their controls are doing the job they’re meant to do. In the case of patching, they might not have checked that the patched systems have been restarted to ensure the patch takes effect, for example.
[Interviewer note: Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, discusses this in more detail in this interview. Specifically, he explains how to monitor and review risks.]
Strategies for conducting due diligence
What’s the easiest way to establish whether there’s a gap between what the organisation thinks it’s doing and what it’s actually doing?
External validation is an obvious one.
You can save yourself a lot of trouble by getting somebody else to validate the measures for you. You basically ask your supplier to prove it’s being sensible about security by showing its certificate.
Lots of options exist, from ‘bargain basement’ ones like Cyber Essentials and Cyber Essentials Plus, to standards like ISO 27001 and the PCI DSS [Payment Card Industry Data Security Standard].
What if your supplier doesn’t have such certification?
You could get an independent third party to assess the supplier’s security measures. That puts this third party’s reputation on the line, so you should be able to trust what they say. They can also advise on the level of maturity of your supplier’s security.
Alternatively – and a lot of organisations take this approach – you can ask your suppliers to complete a security questionnaire, and you make them liable for misrepresenting their position.
On top of that, when you’re reviewing the answers, read between the lines. You may want to take out organisations that select ‘yes’ for everything, because they’re likely either lying, or they don’t know the first thing about their own security.
What else can organisations do to check suppliers’ security?
Direct testing is another option.
Some places I’ve worked at conducted either annual penetration tests or monthly vulnerability scans on key suppliers.
On a different occasion, at a previous organisation, we were the supplier, and our customer had us audited once every one or two years. The trouble was that this customer allowed their auditor to pick their own criteria, which were completely arbitrary. And those criteria changed every time!
To put it mildly, this didn’t lead to a harmonious relationship between us and our customer – because that auditor found something every time, as they kept moving the goalposts.
Worse, those criteria bore no relationship to any risk. The auditor simply used a list of ‘best practices’, which they blindly applied. They’d say things like: “You don’t change your passwords every 30 days.” Well, no, because that’d be stupid! It’d serve no purpose as far as improving security goes.
In short, we didn’t enjoy that experience.
How can organisations do their due diligence on their suppliers without aggravating them?
Make sure your tests or checks are done in a truthful way, with some kind of consistency within – and rationale for – the questions or criteria. This puts you in a strong position.
At the end of the day, security is about risk. Any checks and controls need to reflect that.
Finding this interview useful? To get notified of future
Q&As and other free resources like this, subscribe to
our free weekly newsletter: the Security Spotlight.
Securing your supply chain with ISO 27001
Coming back to certification, this does seem like the neatest solution. Should organisations be aware of any drawbacks?
An ISO 27001 certificate, or whatever, doesn’t automatically cover an entire organisation. So, check that it accounts for the scope of services you’re looking to have delivered.
It’s not uncommon for organisations to have included [metaphorically speaking] only a broom cupboard in their scope.
The first time a large, well-known telecoms provider got ISO 27001 certification, for example, the certification covered just one small call centre – a tiny part of the organisation. But the provider told everyone: “We have ISO 27001 certification!”
In one of your older interviews, you recommended that organisations new to ISO 27001 start with a small scope. Is that what happened here?
Yes. The telecoms provider wasn’t being mendacious, but was looking to start small, then gradually expand the scope.
Expanding the scope of your existing certification isn’t something you always want to do, by the way. If you have multiple clients, each with completely different sets of requirements, your auditors would have a headache trying to work out how many days the audit would take.
Plus, if you have just one ISO 27001 certification covering your entire organisation, any single finding that – God forbid – is a significant finding that prevents you from getting certified means you’ve lost all of it. Whereas if you had, say, 20 certifications, you’d just have to fix that 1 area – the other 19 are fine.
It spreads the impact [risk] of that type of situation.
What specific ISO 27001 controls [from Annex A] help secure your supply chain?
There are a few, starting with control 5.19: information security in supplier relationships. “Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”
Control 5.20, addressing information security within supplier agreements, is also important. You need to know what the supplier is giving you – and not just in terms of products and services:
- What aspects of security are the supplier responsible for?
- What aspects are you responsible for?
Because, if you don’t know this, you can’t hold them liable when anything goes wrong. It’s part of doing your due diligence.
So, again, 5.20 is great for guiding your due diligence checks. It gives ideas on the questions to ask, or at least what you’re looking for, when you’re doing those checks. My book, ISO 27001 Controls, gives more guidance.
[We’ve included a book extract below.]
But everything connects to everything else, to a certain extent. So, you can’t treat the controls as totally independent from one another.
Bridget’s book: ISO 27001 Controls
This book covers each ISO 27001 control (from Annex A) in detail, giving guidance on two key areas for each control:
- Implementation – what to consider to fulfil the Standard’s requirements.
- Auditing – what to check for, and how, when examining the controls.
Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001:2022 certification, this book will help readers understand the requirements of an ISO 27001 ISMS (information security management system).
All our consultants have a copy of this book! Our head of GRC consultancy, Damian Garcia, described ISO 27001 Controls as “excellent” and a “great resource”.
The same level of security as that which applies to the organisation’s staff should be applied to supplier staff who are able to access the organisation’s physical or logical environments, including user IDs, passwords, data access controls, physical security, etc. What needs to be taken into account when developing the agreement that regulates supplier access is that the organisation does not have direct control of the supplier’s management, personnel controls, IT, and security policies and practices. The supplier may also have a different risk appetite and business practices. These differences should be identified and assessed as part of due diligence when determining whether to work with the other party.
The key document that needs to be in place before any sharing of information or access is a contract or an agreement. It should provide details on the facilities that each party will make available to the other, and the security controls to be put in place, as well as which entity is responsible for which security controls. Suppliers should not be given access to the organisation’s information and/or information processing facilities until the appropriate controls have been implemented.
The implementation guidance in ISO/IEC 27002, 5.20 provides a list of suggested items to put in place as required by the results of the risk assessment. The contract or agreement clauses may also specify conformance with ISO/IEC 27001, or even certification, again depending on the requirements. Ensure that the signatories on both sides are properly identified and authorised.
The security documentation should include copies of all relevant contracts or agreements, and possibly several additional documents describing specific elements of the relationship. It might be helpful to include security controls, policies and procedures in a security plan that can be given to the third party. Any deviation from these requirements should be justified and documented.
About Bridget Kenyon
Bridget is the CISO for SSCL. She’s also been on the ISO editing team for ISMS standards since 2006, and has served as lead editor for ISO/IEC 27001:2022 and ISO/IEC 27014:2020.
Bridget is also a member of the UK Advisory Council for (ISC)2, and a Fellow of the Chartered Institute of Information Security.
She’s also been a PCI DSS QSA (Qualified Security Assessor), been head of information security for UCL, and held operational and consultancy roles in both industry and academia.
We previously interviewed Bridget about how to address AI security risks with ISO 27001. For our sister company ITGP (IT Governance Publishing), we also interviewed her about the second edition of ISO 27001 Controls.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.
Alternatively, explore our full index of interviews here.
We first published a version of this blog in June 2017.