This week, I spoke with a new client who told me all about how they are looking forward to addressing a number of internal issues surrounding their IT systems. They explained that over the last 12 months, they repeatedly had issues of delays in service and outages, which had affected their business.

Discussing this further, I explored their relationship with the supplier and asked what due diligence they had performed prior to working with them. Their response was quite typical and also quite worrying.

“Well, we’ve used them since we first started the business a couple of years ago, so we’ve kinda grown up together.”

I fully support the idea that we shouldn’t change for change’s sake, but we also need to get closer to our suppliers, especially when these suppliers provide such critical services.

Knowing you, knowing me.

One of the key components of ISO27001 has always been that supplier relationships are considered and managed effectively. The new Annex A, aligned with the controls of ISO27002:2022, has also been expanded to incorporate new requirements. ISO27001:2022 therefore requires:

  • Information security in supplier relationships.
  • Addressing information security within supplier agreements.
  • Managing information security in the ICT supply chain.
  • Monitoring, review and change management of supplier services.

Recognising that Cloud has now become a major supplier for many organisations, the standard now includes a new requirement for “Information Security for the use of Cloud Services” (A5.23).

If the payment card standard, PCI DSS, is more of a concern for you, then you should know that the tenth requirement of the standard requires that you “Log and monitor all access to system components and cardholder data”. This means more than monitoring your own access to network resources and cardholder data; it extends to the access your suppliers have.

I often ask to see the service agreements for organisations who hold a (Read more...)