With the release of ISO/IEC 27001:2013, users will be inundated with new information, requirements, and terms related to the standard. One critical subject area that is unlikely to get much attention in that communication is supply chain management.
Supply chain management is a critical aspect of a good Information Security Management System (ISMS). Far too few companies give it sufficient attention; worse, some leave it on the back burner and do not recognize it at all.
There is growing concern that increasing volatility in the business environment makes managing global supply chains harder every day. Changes over the last few years in the social, political, technological, environmental, and economic domains around the world suggest that the business landscape, and the paradigm of supply chain management with it, has changed permanently.
Uncertainty is the roadblock to flawless execution. We need global continuity.
ISO/IEC 27001:2013 carries requirements under Annex A.15, Supplier relationships, covering "Information security in supplier relationships" (A.15.1) and "Supplier service delivery management" (A.15.2). There are also requirements under clause 4.2, "Understanding the needs and expectations of interested parties". Clause 3.02 of Annex SL of the ISO/IEC Directives, Part 1 (the common high-level structure against which all new management system standards are written) defines an interested party (with "stakeholder" as an admitted term) as a person or organization (3.01) that can affect, be affected by, or perceive itself to be affected by a decision or activity.
Not implementing a supplier program to evaluate and develop the supply chain could be a costly oversight.
Consider the following released by the World Economic Forum:
- The study showed that more than 90% of industry experts surveyed believe that supply chain and transport risk management are greater priorities in their companies today than five years ago. According to the same study, natural disasters were the cause of 59% of uncontrollable supply chain disruptions; yet, strikingly, 46% of disruptions attributed to outside forces came from conflict and political unrest.
- Nearly three-quarters of risk managers say their companies' supply chain risk levels have continued to increase since 2005, according to Marsh's survey of 110 risk managers, conducted in cooperation with Risk & Insurance magazine. Not only has risk gone up: 71% report that the financial impact of supply chain disruptions has also increased, damaging bottom lines, customer retention, and brand equity. Perhaps most concerning, not a single respondent said that their company is highly effective at supply chain risk management today, and just 35% said they were moderately effective.
Four key takeaways from the survey shed light on the task at hand:
- Create a cross-functional supply chain risk team that looks end-to-end.
- Embed risk management activities and responsibilities into existing supply chain processes and functions; create consistency across the organization.
- Build up analytics and risk metrics.
- Extend the risk manager role.
It is undesirable for organizations to enforce their own approach to business continuity management (BCM) down their supply chains. While a supplier can run different quality systems to meet the requirements of its customer base, it cannot run different, and possibly conflicting, BCM systems, which will be used during a disruption at a time when tensions are high. This was one of the principal drivers for establishing BCM standards in the UK.
A recent story published in the Wall Street Journal titled "Cybersecurity Due Diligence Key in M&A Deals" (Ensign, 2014) brings to our attention one of the hidden risks that may not be considered during mergers and acquisitions: "Firms need to vet the cybersecurity defenses of those they do business with," a former top prosecutor said. "When you buy a company, you're buying their data, and you could be buying their data-security problems." (Ensign, 2014)
Sources cited above:
- Ensign, R. L. (2014). "Cybersecurity Due Diligence Key in M&A Deals." Wall Street Journal.
- World Economic Forum. Global Risks 2012. In collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management (University of Pennsylvania), and Zurich Financial Services.
- Marsh. "Stemming the Rising Tide of Supply Chain Risks." Survey, April 15, 2008.
Businesses need to support and conduct supply chain vulnerability audits, formulate more detailed risk mitigation strategies, and transfer that analysis to actionable business continuity plans.
Shared Assessments Steering Committee member John DiMaria, of BSI Group America, Inc., is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in management systems and international standards. Connect with John on LinkedIn.
Notice: The statements within this article are the independent views and opinions of the author and not necessarily those of the management of BSI Group America, Inc.