With the release of ISO 27001:2013, users will be inundated with a multitude of new information, requirements, and terms related to the standard. One critical subject area that is unlikely to be addressed much in any of that communication is supply chain management.
Supply chain management is a very critical aspect of a good Information Security Management System (ISMS). Far too few companies give it sufficient attention; worse, many leave it on the back burner or do not recognize it at all.
There is growing concern that increasing volatility in the business environment makes the task of managing global supply chains tougher every day. Changes over the last few years in the social, political, technological, environmental, and economic domains around the world suggest that the business landscape and the paradigm of supply-chain management have been transformed permanently.
Uncertainty is the roadblock to flawless execution. We need global continuity.
ISO/IEC 27001 has requirements under Annex A.15, Supplier Relationships, that cover “Information security in supplier relationships” and “Supplier service delivery management”. Additionally, there are requirements under clause 4.2, “Understanding the needs and expectations of interested parties”. Clause 3.02 of Directive 1 (the guidance against which all new standards are written) defines an interested party (admitted term: stakeholder) as a person or organization (3.01) that can affect, be affected by, or perceive itself to be affected by a decision or activity.
Not implementing a supplier program to evaluate and develop the supply chain could be a costly oversight.
Consider the following, released by the World Economic Forum:
Four key takeaways from the survey shed light on the task at hand:
It is undesirable for organizations to enforce their own approach to business continuity management (BCM) down their supply chains. While a supplier can run different quality systems to meet the requirements of its customer base, it cannot run different, and possibly conflicting, BCM systems, which will be used during a disruption at a time when tensions are high. This was one of the principal drivers for establishing BCM standards in the UK.
A recent story published in the Wall Street Journal titled “Cybersecurity Due Diligence Key in M&A Deals” (Ensign, 2014) brings to our attention one of the hidden risks that may not be considered during mergers and acquisitions: “Firms need to vet the cybersecurity defenses of those they do business with, a former top prosecutor said. ‘When you buy a company, you’re buying their data, and you could be buying their data-security problems.’” (Ensign, 2014)
Businesses need to support and conduct supply chain vulnerability audits, formulate more detailed risk mitigation strategies, and transfer that analysis to actionable business continuity plans.
References:
Ensign, R. L. (2014). Cybersecurity Due Diligence Key in M&A Deals. Wall Street Journal.
World Economic Forum (2012). Global Risks 2012. In collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management, University of Pennsylvania, and Zurich Financial Services.
Marsh (2008). Stemming the Rising Tide of Supply Chain Risks. Survey, April 15, 2008.
Shared Assessments Steering Committee member, John DiMaria, BSI Group America, Inc., is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards. Connect with John on LinkedIn.
Notice: The statements within this article are the independent views and opinions of the author and not necessarily those of the management of BSI Group America, Inc.