Assessing upstream supply chain information risks


Yesterday, someone sought guidance from the ISO27k Forum on categorising vendors by risk. Here's my coffee-fueled early-morning response, lightly edited for this blog.


Risk assessment criteria

In the context of an ISO 27001 Information Security Management System, information risk in the upstream supply chain/network, viewed from the customer organisation's business perspective, is the primary concern in relation to vendors. 

Breaking that down, the kinds of factors that may affect the information risk levels include:
  1. Nature of products (by which I mean both goods and services) procured - particularly the information, intellectual property or technology content e.g. the information risks are markedly different when procuring professional services such as consulting, engineering/design, cloud, HR, legal or accounting services as opposed to buying, say, paper clips, fuel or other commodity items;

  2. Volume and value of products procured annually from each supplier, which influences business decisions about whether it is even economic to analyse, let alone treat the associated information risks;

  3. Significance or criticality of the products to the customer's business generally, and to its information security requirements specifically e.g. professional services in general are likely to affect the customer's information security, compliance etc., especially so in the case of professional services relating directly to information security such as security consulting and auditing; information risk is a bigger factor in the procurement of products relating to sensitive military, government, financial, information, technological or security matters than in the manufacture of widgets;

  4. Significance of the specific suppliers to the customer's business e.g. are there numerous alternative possible suppliers in the market, or is the customer locked-in to a particular supplier? Would it be straightforward to change supplier if issues arose, or would it be difficult, costly, slow and risky?;

  5. Significance of the customer to the supplier's business e.g. even if the customer was suffering due to a supplier's information security incident (perhaps further upstream), would the supplier even notice let alone care?;

  6. Potential for information security issues within products to cause business issues for the customer or further downstream along the supply chain;

  7. Potential for serious information security incidents affecting suppliers' capability to deliver products of the required quality, on time, at the contracted price etc.;

  8. Formality of the business relationships e.g. are products specified in great detail in legally binding contracts or covered loosely/vaguely by convention or understandings?;

  9. Closeness of the business relationships, trust levels, dependability and openness e.g. do suppliers usually give early notice of possible supply issues or do bad things happen 'out of the blue'? Are the supplier's and customer's interests well-aligned and mutually supportive (win-win), or is the relationship adversarial and difficult (win-lose)?;

  10. History of incidents/issues experienced in the supply: how many incidents have occurred, and how significant were the consequences? How confident is the customer that they even know about relevant upstream issues, concerns, events or incidents? How realistic and certain is that assessment?;

  11. Forward projection of likely/possible supply incidents: are suppliers reasonably stable, consistent, doing well and clearly investing in information security (perhaps being ISO/IEC 27001-certified) or are they struggling, barely keeping afloat, slapdash and likely to cut corners including information security?;

  12. Comparative risk relative to other suppliers, and other kinds of risk e.g. it is probably even more important for the customer to be assured of its basic information security management arrangements and sound internal controls, than to obsess about obscure/vague risks distributed among a diverse supply base;

  13. Controls such as contracts, strategies, policies, relationship management, resilience (e.g. stock levels, alternative sources), planning and contingency arrangements, plus various forms of assurance (e.g. audits, reviews, conformity or quality control checks, oversight/monitoring, metrics and reporting ...) - which rely on and affect the nature, quality and trustworthiness of information passing between or available to each party about the other (e.g. visibility: the customer is more likely to discover issues/concerns with a regular, open, trusted first-tier supplier than with the second or third tiers such as the supplier's suppliers, subcontractors, business associates and temporary staff);

  14. Broader factors including global, political, market and technological concerns e.g. how likely is it that spooks may have penetrated, hacked, infiltrated or coerced the upstream supply chain as a way to compromise the customer or those further downstream? Have the risks materially changed as a result of competition, political/economic tensions or war?;

  15. Opportunities e.g. it may make good business sense to give certain suppliers more latitude and less intense scrutiny for strategic or other reasons e.g. in order to focus more attention on other more concerning/troublesome suppliers at this time;

  16. "Other relevant factors" - a catch-all generic criterion or fudge-factor that allows those reviewing and categorising suppliers, and/or management, to take account of matters that aren't necessarily covered in the preceding points (e.g. if the Procurement person assessing a given supplier lacks experience in this area, or has a particularly rose-tinted or cynical view of things, or maybe is suspected of collusion/fraud with a supplier casting doubt on their assessment!).


Vendor risk assessment challenges

There are clearly numerous challenges in all of the above - which is itself a concern. The assessment factors I've identified above are generally subjective, very difficult to substantiate or prove and tricky even to measure consistently - especially if assessments are performed under pressure by several individuals of varying competence. There are lots of factors potentially worth considering, and a large/complex organisation is likely to have a large/complex supply chain/network to assess. 

There are dynamics too: immature or innovative organisations perhaps entering new markets, creating novel products or proactively reconsidering their supply base for some reason (e.g. under pressure from regulators) are likely to find this harder than those that are stable, mature and settled.

At the end of the day, this comes down to business decisions relating to the acceptability of the residual risks, the value of the risk assessments and assurance, and the anticipated costs of further assessments and controls. In other words, supply chain challenges are overcome by management decisions relating to strategies, tactics, policies and procedures, assurance measures required and so forth.

Conclusion

In the information security realm, a simplistic yet pragmatic approach is to focus on assessing the top N riskiest supplies, where:
  • 'Riskiest' is determined by procurement, risk and security professionals, typically following on from prior assessments or purely subjective experience-based opinions and assumptions as a starting point;

  • In my experience, 'N' is determined by senior management according to the resources they are willing to invest in this area, which reflects their perception of the risks and opportunities relative to other investments and, of course, the resources available to invest;

  • The depth, frequency and nature of the risk assessments are something for the assessors to decide under direction/guidance from management ... perhaps concocting a cunning scheme along these lines:
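As an added illustration of the top-N approach (example code written for this edit, not the author's own scheme), here is a small Python scoring model: a constructed subset of the criteria above is weighted, suppliers below an assumed annual-spend threshold are skipped as not economic to analyse (criterion 2), and poor visibility into a supplier (criteria 10 and 13) pushes its score towards the worst case rather than hiding it. The weights, threshold, factor names and sample suppliers are all assumptions.

```python
from dataclasses import dataclass

# Assumed weights for a subset of the numbered criteria in the post.
# A higher weight moves the risk score more. All values are constructed.
WEIGHTS = {
    "product_nature": 3,    # criterion 1: information/IP/technology content
    "criticality": 3,       # criterion 3: significance to the customer's business
    "lock_in": 2,           # criterion 4: how hard it is to switch supplier
    "incident_history": 2,  # criterion 10: incidents actually experienced
    "outlook": 2,           # criterion 11: projected stability / corner-cutting
    "formality": 1,         # criterion 8: loose, vague arrangements rate high
    "geopolitical": 1,      # criterion 14: broader political/market exposure
}
MIN_ANNUAL_SPEND = 10_000   # criterion 2: assumed floor below which assessment is uneconomic


@dataclass
class Supplier:
    name: str
    annual_spend: float
    ratings: dict            # factor -> 1 (low risk) .. 5 (high risk)
    visibility: float = 1.0  # criteria 10/13: 0..1 confidence that the ratings reflect reality


def risk_score(s: Supplier) -> float:
    """Weighted score on a 0..100 scale. Unrated factors and poorly evidenced
    ratings are pulled towards 5, so opacity raises the score instead of hiding risk."""
    worst = 5 * sum(WEIGHTS.values())
    total = 0.0
    for factor, weight in WEIGHTS.items():
        rating = s.ratings.get(factor, 5)                       # unrated: assume worst case
        rating = rating * s.visibility + 5 * (1 - s.visibility)  # low visibility blends toward 5
        total += weight * rating
    return round(100 * total / worst, 1)


def top_n_riskiest(suppliers, n):
    """Rank suppliers worth assessing (by spend) and return the N highest scores."""
    assessable = [s for s in suppliers if s.annual_spend >= MIN_ANNUAL_SPEND]
    ranked = sorted(assessable, key=lambda s: (-risk_score(s), s.name))
    return [(s.name, risk_score(s)) for s in ranked[:n]]


# Constructed sample supply base; names and figures are illustrative only.
SAMPLE_SUPPLIERS = [
    Supplier("SecAuditCo", 80_000, {"product_nature": 5, "criticality": 5, "lock_in": 3,
             "incident_history": 2, "outlook": 2, "formality": 2, "geopolitical": 2}, visibility=0.9),
    Supplier("OffshoreDev", 250_000, {"product_nature": 4, "criticality": 4, "lock_in": 4,
             "outlook": 3, "formality": 4, "geopolitical": 4}, visibility=0.5),  # no incident data
    Supplier("FuelCorp", 500_000, {f: 1 for f in WEIGHTS}),
    Supplier("PaperClips Ltd", 3_000, {f: 1 for f in WEIGHTS}),  # below the spend floor
]

if __name__ == "__main__":
    for name, score in top_n_riskiest(SAMPLE_SUPPLIERS, 3):
        print(f"{name:15} {score:5.1f}")
```

OffshoreDev outranks SecAuditCo despite lower individual ratings because its missing incident history and 0.5 visibility are scored conservatively.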

Hinson tip

Prepare policies, procedures and metrics to stabilise the vendor risk assessment process and facilitate continuous improvement/maturity. Learn by studying, thinking and doing!

PS I suspect that information risks relating to the procurement, delivery and management of professional services represent a significant, widespread blind-spot. For more on the risks and mitigating controls, see this free guideline or get in touch.