BCMS5: Vendor Management - Don’t Forget to Confirm Business Priority of Your Vendors
Vendor management (also called third-party management or supplier management) has become a popular topic in the information security world. Security at leading companies has improved steadily over the decades, so attackers who target those companies are shifting their attention to the supply chain. At small and medium-sized companies, including those that supply services and products to large companies, security is often less mature, mainly for lack of resources, and that gap is a risk for their customers.
In Business Continuity Management (BCM), vendor management has been recognized as a key topic since the early days. Picture a manufacturing company hit by a natural disaster: it cannot restart production without its material supply, no matter how well its own site has recovered. The same holds for other kinds of business continuity incidents, security incidents included. As vendor management has become a trend in information security, its importance in BCM is being re-highlighted.
However, the approach used for security vendor management may not be appropriate for BCM as it stands. A common approach in security vendor management is assessment: by questionnaire or audit interview, leading companies check their vendors' security level against criteria derived from common security frameworks. Doing the same for BCM, with an assessment built on a common framework such as ISO 22301, is not enough to ensure a vendor's capability to keep delivering to you.
One of the central concepts of BCM is business prioritization. An organization's resources are limited, so it must first identify its critical areas and dedicate its preparation and response effort to those. Consequently, even if a vendor has a good BCM system, the continuity of the services or products you receive is not assured unless the vendor considers the business processes behind them critical. You need to confirm the vendor's business priorities in addition to the maturity of its BCM system. In practice, ask whether the service you buy is in scope of the vendor's business impact analysis and what recovery time objective it carries, and compare that with your own requirement for the same service.
In vendor security management you may be able to skip an assessment if the vendor holds a common security certification such as ISO 27001, because the certificate attests that the organization operates an ISMS (Information Security Management System) that meets the standard, within the certified scope; check that the scope actually covers the services you receive. A BCM certification such as ISO 22301, however, is not enough to skip an assessment. You must check the vendor's priorities in addition to the maturity of its BCM system, which is what a common BCM framework can assess.
Reference
ISO 22301:2019(en) Security and resilience — Business continuity management systems — Requirements. (As of 16 Apr 2020, some ISO (International Organization for Standardization) standards, including ISO 22301:2019, are freely accessible to support global efforts in dealing with the COVID-19 crisis.)
ISO 31000:2018 Risk management – Guidelines.