
What to do when your ‘supply chain’ is really a ‘supply loop’
When I asked Bridget Kenyon – CISO (chief information security officer) for SSCL, lead editor for ISO 27001:2022 and author of ISO 27001 Controls – what she’d like to cover in an interview, she suggested supply chain security.
I asked her whether she was thinking about the CrowdStrike incident (which happened just a few weeks prior).
Bridget responded: “Not specifically. To be honest, supply chain security has been a perennial problem.”
I sat down with her to find out more.
Challenges of supply chain security
What makes supply chain security challenging?
It’s a perennial problem for which there’s very little solution, because everything is connected to everything else.
We call it a supply ‘chain’, but that’s almost a misnomer. It’s more like a three-dimensional network. Everything you pull on moves something else. Not only that – it all connects back to itself. It’s a supply loop rather than a supply chain.
A basic example is a cleaning company. It often uses Microsoft Excel to do its reference work, and Microsoft might use that cleaning company to clean its offices. So, they are each other’s supplier.
But supply loops can get far more complicated.
How can you secure a ‘supply loop’?
If everything you do moves something else, then the only way you can do anything is together.
Think of it as taking a community-based approach. That’s probably why public entities tend to do better at this – they often have community-based values baked into their culture.
In short, it’s a case of ‘give and take’ – you don’t want to be wrist-slapping people, but you also don’t want to just take their word at face value.
That’s not so much because you think they might be lying. Organisations can sincerely believe they’re telling the truth – they just haven’t implemented something as well as they think.
Can you give us an example?
Suppose you ask a supplier whether it does patch management. It might say: “Yes, we patch every Tuesday.”
OK, great. But does anyone check whether those patches were successfully applied?
Often, the answer is ‘no’. Organisations might not check whether their controls are doing the job they’re meant to do. In the case of patching, they might not have checked that the patched systems have been restarted to ensure the patch takes effect, for example.
[Interviewer note: Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, discusses this in more detail in this interview. Specifically, he explains how to monitor and review risks.]
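To illustrate the ‘installed is not the same as effective’ point above, here is an added example (not part of the interview, and not a tool Bridget describes): a check over a constructed patch-tool export that treats a host as compliant only if the patch is installed, within the claimed cadence, and actually in effect after any required restart. Hostnames and dates are made up.

```python
"""Check whether a supplier's 'we patch every Tuesday' claim actually took effect.

Added example, not from the interview. The inventory below is constructed to
look like a patch-tool or CMDB export: for each host, when the required patch
was installed, whether it needs a reboot, and when the host last booted.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Asset:
    host: str
    installed_at: Optional[datetime]  # None: the patch was never installed
    needs_reboot: bool                # patch only takes effect after a restart
    last_boot: datetime

def patch_status(asset: Asset, now: datetime, max_age: timedelta) -> str:
    """Classify an asset: 'effective' only if the control actually did its job."""
    if asset.installed_at is None:
        return "missing"                       # claimed patched, never installed
    if now - asset.installed_at > max_age:
        return "stale"                         # outside the promised cadence
    if asset.needs_reboot and asset.last_boot < asset.installed_at:
        return "pending reboot"                # installed, but not yet in effect
    return "effective"

def ineffective(assets, now, max_age=timedelta(days=14)) -> dict:
    """Hosts for which 'we patch every Tuesday' is not yet true in practice."""
    report = {}
    for a in assets:
        status = patch_status(a, now, max_age)
        if status != "effective":
            report[a.host] = status
    return report

# Constructed sample inventory (hostnames and dates are made up).
NOW = datetime(2024, 9, 4, 9, 0)
INVENTORY = [
    Asset("web-01", datetime(2024, 9, 3, 2, 0), True, datetime(2024, 9, 3, 2, 30)),  # rebooted after install
    Asset("web-02", datetime(2024, 9, 3, 2, 0), True, datetime(2024, 8, 1, 6, 0)),   # installed, no reboot since
    Asset("db-01", datetime(2024, 7, 16, 2, 0), False, datetime(2024, 7, 1, 0, 0)),  # last patched 7 weeks ago
    Asset("hr-app", None, True, datetime(2024, 8, 20, 8, 0)),                         # never patched
]

if __name__ == "__main__":
    for host, status in ineffective(INVENTORY, NOW).items():
        print(f"{host}: {status}")
```

Only web-01 passes; the other three are exactly the gaps a ‘yes, we patch every Tuesday’ questionnaire answer would hide.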
Strategies for conducting due diligence
What’s the easiest way to establish whether there’s a gap between what the organisation thinks it’s doing and what it’s actually doing?
External validation is an obvious one.
You can save yourself a lot of trouble by getting somebody else to validate the measures for you. You basically ask your supplier to prove it’s being sensible about security by showing its certificate.
Lots of options exist, from ‘bargain basement’ ones like Cyber Essentials and Cyber Essentials Plus, to standards like ISO 27001 and the PCI DSS [Payment Card Industry Data Security Standard].
What if your supplier doesn’t have such certification?
You could get an independent third party to assess the supplier’s security measures. That puts this third party’s reputation on the line, so you should be able to trust what they say. They can also advise on the level of maturity of your supplier’s security.
Alternatively – and a lot of organisations take this approach – you can ask your suppliers to complete a security questionnaire, and you make them liable for misrepresenting their position.
On top of that, when you’re reviewing the answers, read between the lines. You may want to take out organisations that select ‘yes’ for everything, because they’re likely either lying, or they don’t know the first thing about their own security.
What else can organisations do to check suppliers’ security?
Direct testing is another option.
Some places I’ve worked at conducted either annual penetration tests or monthly vulnerability scans on key suppliers.
On a different occasion, at a previous organisation, we were the supplier, and our customer had us audited once every one or two years. The trouble was that this customer allowed their auditor to pick their own criteria, which were completely arbitrary. And those criteria changed every time!
To put it mildly, this didn’t lead to a harmonious relationship between us and our customer – because that auditor found something every time, as they kept moving the goalposts.
Worse, those criteria bore no relationship to any risk. The auditor simply used a list of ‘best practices’, which they blindly applied. They’d say things like: “You don’t change your passwords every 30 days.” Well, no, because that’d be stupid! It’d serve no purpose as far as improving security goes.
In short, we didn’t enjoy that experience.
How can organisations do their due diligence on their suppliers without aggravating them?
Make sure your tests or checks are done in a truthful way, with some kind of consistency within – and rationale for – the questions or criteria. This puts you in a strong position.
At the end of the day, security is about risk. Any checks and controls need to reflect that.
Securing your supply chain with ISO 27001
Coming back to certification, this does seem like the neatest solution. Should organisations be aware of any drawbacks?
An ISO 27001 certificate, or whatever, doesn’t automatically cover an entire organisation. So, check that it accounts for the scope of services you’re looking to have delivered.
It’s not uncommon for organisations to have included [metaphorically speaking] only a broom cupboard in their scope.
The first time a large, well-known telecoms provider got ISO 27001 certification, for example, the certification covered just one small call centre – a tiny part of the organisation. But the provider told everyone: “We have ISO 27001 certification!”
In one of your older interviews, you recommended that organisations new to ISO 27001 start with a small scope. Is that what happened here?
Yes. The telecoms provider wasn’t being mendacious, but was looking to start small, then gradually expand the scope.
Expanding the scope of your existing certification isn’t something you always want to do, by the way. If you have multiple clients, each with completely different sets of requirements, your auditors would have a headache trying to work out how many days the audit would take.
Plus, if you have just one ISO 27001 certification covering your entire organisation, any single finding that – God forbid – is a significant finding that prevents you from getting certified means you’ve lost all of it. Whereas if you had, say, 20 certifications, you’d just have to fix that 1 area – the other 19 are fine.
It spreads the impact [risk] of that type of situation.
What specific ISO 27001 controls [from Annex A] help secure your supply chain?
There are a few, starting with control 5.19: information security in supplier relationships. “Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”
Control 5.20, addressing information security within supplier agreements, is also important. You need to know what the supplier is giving you – and not just in terms of products and services:
- What aspects of security are the supplier responsible for?
- What aspects are you responsible for?
Because, if you don’t know this, you can’t hold them liable when anything goes wrong. It’s part of doing your due diligence.
So, again, 5.20 is great for guiding your due diligence checks. It gives ideas on the questions to ask, or at least what you’re looking for, when you’re doing those checks. My book, ISO 27001 Controls, gives more guidance.
[We’ve included a book extract below.]
But everything connects to everything else, to a certain extent. So, you canât treat the controls as totally independent from one another.
Bridget’s book: ISO 27001 Controls
This book covers each ISO 27001 control (from Annex A) in detail, giving guidance on two key areas for each control:
- Implementation – what to consider to fulfil the Standard’s requirements.
- Auditing – what to check for, and how, when examining the controls.
Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001:2022 certification, this book will help readers understand the requirements of an ISO 27001 ISMS (information security management system).
All our consultants have a copy of this book! Our head of GRC consultancy, Damian Garcia, described ISO 27001 Controls as ‘excellent’ and a ‘great resource’.
The same level of security as that which applies to the organisation’s staff should be applied to supplier staff who are able to access the organisation’s physical or logical environments, including user IDs, passwords, data access controls, physical security, etc. What needs to be taken into account when developing the agreement that regulates supplier access is that the organisation does not have direct control of the supplier’s management, personnel controls, IT, and security policies and practices. The supplier may also have a different risk appetite and business practices. These differences should be identified and assessed as part of due diligence when determining whether to work with the other party.
The key document that needs to be in place before any sharing of information or access is a contract or an agreement. It should provide details on the facilities that each party will make available to the other, and the security controls to be put in place, as well as which entity is responsible for which security controls. Suppliers should not be given access to the organisation’s information and/or information processing facilities until the appropriate controls have been implemented.
The implementation guidance in ISO/IEC 27002, 5.20 provides a list of suggested items to put in place as required by the results of the risk assessment. The contract or agreement clauses may also specify conformance with ISO/IEC 27001, or even certification, again depending on the requirements. Ensure that the signatories on both sides are properly identified and authorised.
The security documentation should include copies of all relevant contracts or agreements, and possibly several additional documents describing specific elements of the relationship. It might be helpful to include security controls, policies and procedures in a security plan that can be given to the third party. Any deviation from these requirements should be justified and documented.
About Bridget Kenyon

Bridget is the CISO for SSCL. She’s also been on the ISO editing team for ISMS standards since 2006, and has served as lead editor for ISO/IEC 27001:2022 and ISO/IEC 27014:2020.
Bridget is also a member of the UK Advisory Council for (ISC)2, and a Fellow of the Chartered Institute of Information Security.
She’s also been a PCI DSS QSA (Qualified Security Assessor), been head of information security for UCL, and held operational and consultancy roles in both industry and academia.
We previously interviewed Bridget about how to address AI security risks with ISO 27001. For our sister company ITGP (IT Governance Publishing), we also interviewed her about the second edition of ISO 27001 Controls.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
We first published a version of this blog in June 2017.