ISO 27001 is the most popular internationally recognized standard for managing information security. Its creation was a joint effort between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) - this is why the framework is also referred to as ISO/IEC 27001.

ISO 27001 can also be implemented into a Third-Party Risk Management program. However, many organizations struggle with identifying which security controls apply to vendor security and how to successfully map them to a Vendor Risk Management platform.

In this post, we highlight the specific ISO controls that apply to Third-Party Risk Management and how to map them to features within the UpGuard platform.

Which ISO Standards Apply to Third-Party Risk Management?

Establishing the most resilient TPRM program with ISO standards requires the augmentation of three specific frameworks - ISO 27001, ISO 27002, and ISO 27018.

Each standard's specific relation to third-party security is summarized below.

ISO 27001 is the most popular internationally recognized standard for improving the information security of all IT systems and data processes, including those required in third-party vendor relationships. ISO 27001 uses a risk management approach to systematically secure sensitive data across the three primary departments of an organization - IT systems, people, and processes.

For an overview of the ISO 27001 implementation process, refer to this checklist.

ISO 27002 supports the implementation of all the security controls listed in Annex A of ISO 27001. These controls address all of the commonly exploited attack surface regions in the supply chain.

Annex A.5 – Information security policies (2 controls).
Annex A.6 – Organization of information security (7 controls).
Annex A.7 – Human resource security (6 controls).
Annex A.8 – Asset management (10 controls).
Annex A.9 – Access control (14 controls).
Annex A.11 – Physical and environmental security (15 controls).