ISO 27001 Controls: Supplier Relationships

There are key factors to consider when working with a supplier.

Securely exchanging data with third parties

Most organisations handling sensitive data will find themselves sharing that data with other organisations for various reasons.

At Inverifi and our sister companies, we host our apps on AWS, which means we place our customers’ data in the hands of Amazon.

When you share data with another organisation, there are always risks involved. How a supplier chooses to handle your data is ultimately out of your control.

Unfortunately, there is nothing you can do to completely eliminate this risk. However, there are measures you can take to minimise it.

Such measures are required by ISO 27001 Annex A.15.

Information Security Policies

If you are working with a smaller supplier, you might choose to send them whichever of your information security policies are relevant to the data they will be handling.

The supplier can then read those policies and ensure that they follow them while doing business with you.

Inverifi simplifies this process by allowing you to invite users from external organisations to view your documents securely.

Privacy Policies

Alternatively, if the supplier you have in mind operates at a large scale and cannot adjust its service to meet your exact requirements, you can read their privacy policy instead.

Most companies in most countries are required to have a privacy policy.

A privacy policy documents how a supplier will handle your data. It will also include contact details, allowing you to ask specific questions that the privacy policy itself may not cover.

Reading a privacy policy lets you determine whether the supplier’s data handling procedures are acceptable and in line with your own information security policies.

Security Certifications

Another potentially important factor in deciding whether to trust a particular supplier with your data is whether they hold any certifications that assure you they handle data securely.

One of the reasons we use AWS is that, like us, they are ISO 27001-compliant. We know AWS has been audited, and we know how thorough audits for this particular standard can be.

If you are considering a supplier with an ISO 27001 certification, you can rest assured that they have processes that they follow consistently to ensure your data is handled securely.

Final Thoughts

As I mentioned at the start of this blog entry, there are always risks associated with placing your data in the hands of another organisation. These risks must be considered.

Once again, there is nothing you can do to completely eliminate the risks.

For this reason, we strongly recommend considering the measures explained above whenever you decide whether to trust another organisation with your data.