ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

ISO/IEC 27001 2013: What Vendor Risk Managers Need to Know

Recent headlines scream the news that information security spe-
cialists and vendor risk managers don’t want to hear:
“50 million users impacted by LivingSocial data
breach.”
systems. In other words, ISO 27001 certification is the best line of
defense in maximizing data security. Adoption of and compliance
to the standard shows that organizations—whether they are parent
companies, vendors, suppliers, or government entities—are serious
about protecting the sensitive information entrusted to them.

“Part-time employee of defense contractor accesses

and leaks trove of top-secret government security in-
formation.”

“Hackers utilize vendor credentials to steal personal

information of 70 million customers of retail giant.”

As more personal, financial, and operational data is stored dig-

itally, the potential for massive information security breakdowns
has multiplied. In the late 2013 case of a major retailer, what
was originally believed to be a payment card breach during the
holiday season that affected 40 million customers was eventually
discovered to be a much larger breach involving the company’s
internal systems and 70 million more customers. Subsequently, and
perhaps not surprisingly, the organization announced a significant
drop in 2013 Q4 earnings.

With even more sensitive information being stored digitally, and

Established in 2005, ISO 27001 had not undergone a major
with more spectacularly damaging data breaches plaguing com-
revision until 2013. Organizations are understandably interested
panies, the requirements and security controls set forth in ISO/
in what the revision means for them and their vendors. This e-book
IEC 27001—better known as the ISO 27001 or the IS27001—
will answer why the update was necessary, what major changes
take on added importance. When followed, ISO 27001provides
occurred with the revision, and how ISO 27001:2013 impacts
comprehensive guidelines for establishing, implementing, monitor-
organizations, suppliers, and risk managers.
ing, reviewing, maintaining, and improving information security

Why the Update?

First published in October 2005, the original ISO 27001 was the internationalized version of British Standard 7799-2, which was the
original specification of an information security management system (ISMS) that had gained significant worldwide recognition.

As forward-thinking as the 2005 version of the ISO 27001 was, it had one unavoidable drawback: time. Digital environments have
changed so much over the past eight years that some degree of obsolescence was inevitable. The iPhone didn’t debut until 2007, the
Android in 2008, the iPad in 2010. These devices are so prevalent today that many people forget that they are relatively recent innova-
tions. Cloud computing was still in its relative infancy as well. Furthermore, in 2005, Wi-Fi was almost a novelty; today, you can connect
wirelessly in almost every coffee shop, commuter train, school campus, and airport. The proliferation of portable technology, coupled with
the ability to wire in just about any place, has given rise to the bring-your-own-device (BYOD) phenomenon, in which employees more
frequently are using personal devices to perform company business.

Another development in the past eight years is how companies collect data and who has access to that information. Websites increasingly

Evantix is a third-party risk management company based in Newport Beach, CA. 1

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

require some sort of registration to view content or make a purchase; employee and customer information is now widely and securely
available online. Furthermore, organizations are turning to third parties to collect, store, and manage this data.

Not surprisingly, these technological advances and information-gathering practices have resulted in new, more elaborate threats designed
to steal this data. Cyberattacks have grown more sophisticated in order to keep up with continually changing digital environments. Take the
previously mentioned example of the retail giant’s data breach. Eight years ago, the mere fact a company could store 110 million customer
records, much less those records could be stolen, seemed unthinkable. Yet, incidents of this magnitude are not only possible, but also are
resulting in disastrous consequences. The information security threats that these advances produced have moved the risk management and
security control context beyond that originally captured by the original ISO 27001, hence its need for revision.

ISO 27001:2013 provides an updated management system blueprint with a substantially revised and updated set of security controls (in
its Annex A) that enable organizations to comprehensively compare how they select controls for, operate, and maintain an ISMS in the
current digital and organizational universe.

The Update’s Major Components

Besides the technological advances over the past eight years, the
ISO 27001:2013 editorial team also took into account user ex-
periences in coming up with the new standard. The update was
designed to make the management process more streamlined, as
well as to ease the transition for organizations already certified
for the original 27001. Among the various changes, here are six
notable components of the update:
Planning, Risk Assessment, and Control
Selection
Although risk assessment was a central part of ISO 27001:2005,
the revised standard places greater emphasis on planning, which
takes greater account of the context of the organization and the
needs and expectations of interested parties, as well as the per-
formance of information security risk assessments in that planning
context. Planning also receives greater emphasis in dealing with
the operation and control of the ISMS. Another significant change
is that, rather than risk assessment carrying negative connotations
of being necessary to combat risks per se, the revised IS27001
encourages risk assessment as a tool to consider opportunities and
manage the inherent risk in pursuing them.

From the risk assessment comes control selection, and ISO

27001:2013 greatly clarifies that the use of Annex A controls is
optional rather than mandatory, although the reference to Annex A
is still required as a “sanity check.”

New Security Controls

Revision has also substantially affected the content of Annex A of
ISO 27001:2013, which updates existing and introduces new
security controls to address emerging threats. The new version ac-

Integrated Management Systems tually streamlines these controls, with only 113 as compared with
133 in the previous ISO (though the number of control groups has
ISO 27001:2013 is written so it also can be adapted to the
increased from 11 to 14, and some controls are now located in
high-level structure used in other ISO management standards, in-
different control groups). These updates include changes to:
cluding ISO 9000, ISO 14000 and ISO/IEC 20000-1. This
modification will permit easier integration of ISMS into existing Project management
(and multiple) management systems. As a result, though the princi-
ples embodied in the new ISO 27001 are similar to those in the Secure development policy
old, the structure is substantially different, and someone familiar with
Secure system engineering principles
the previous version will not feel immediately “at home” with the new.

Evantix is a third-party risk management company based in Newport Beach, CA. 2

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

Development environment security instead requiring that all of its requirements be in place. The remov-
al of PDCA also allows organizations greater flexibility in how they
System security testing
design and operate their ISMS and select controls—so long as they
Assessment of and decision on information security are meeting all the requirements of the standard.
events
Risk Ownership
Availability of information processing facilities The term “asset owner” was an integral part of ISO 27001:2005.
This term referenced the assets, threats, and vulnerabilities that
Outsourcing
needed to be identified to adhere to the standard. In the new iter-
The trend of outsourcing information gathering, storage, and secu-
ation of ISO 27001, asset ownership is replaced with “risk owner-
rity was already picking up steam when the first iteration of ISO
ship”; this term implies a greater level of responsibility in address-
27001 was introduced in 2005. This contracting of IT to third
ing and mitigating risks. The terminology change also provides
parties is now even more prevalent than it was a decade ago,
companies more flexibility to create their own risk management
and today’s organizations are understandably concerned with how
processes, but calls for added leadership to ensure those goals are
their data is being managed and protected outside of their own
achieved and maintained.
systems. ISO 27001:2013 recognizes this and added a section
devoted to outsourcing, thus providing additional guidance to com- Interested Parties
panies that entrust their IT to third-party vendors. Another language change with the new 27001 is that “stakehold-
ers” are now referred to as “interested parties.” Though on the sur-
Simplified Process Model
face, this may seem semantic, the revision does carry vendor risk
The original 27001 emphasized Plan-Do-Check-Act (PDCA), a
implications. With this change, organizations must now determine
four-step method to managing processes—in this application, in-
and ensure that relevant third-party entities are addressing informa-
formation security management processes. ISO 27001:2013 no
tion security risks associated with information and communications
longer makes reference to the PDCA model, largely because it
technology services. Though this might be standard operating pro-
implies too much rigidity in the ordering of steps. The update does
cedure for some 27001-compliant companies; for others, it will
not demand that steps be conducted in the order they are defined,
require a greater focus on vendor risk management.

How This Impacts Vendors

ISO 27001 is an essential and comprehensive blueprint to establishing and maintaining an information security management system. How-
ever, the standard isn’t mandated by any governmental authority, and compliance (and subsequent certification) is entirely optional—a fact
that vendors and suppliers might or might not realize. Vendors not taking care of IT entrusted to them can be a weak link in a company’s
security profile. While a vendor data breach can lead to serious consequences for the parent company, it can be absolutely devastating
for the vendor itself. Vendors can lose customers quickly if they are
thought to be unreliable. Therefore, they will find it in their best in-
Vendors not taking care of IT entrusted
terests to take information risk seriously—their future success, or fail-
to them can be a weak link in a
ure, can depend upon it. Among the steps they can take include:
company’s security profile.
Become familiar with the changes: While a vendor data breach can lead to
Smaller vendors may not be aware that an update to the ISO serious consequences for the parent
27001 even occurred. Larger ones may think the new iteration company, it can be absolutely
doesn’t apply to them, that it’s the parent company’s concern and
devastating for the vendor itself.
not theirs. If a company conforms to 27001, almost certainly, any
vendor it does business with will feel the effects of the update, es-
pecially when the company is formally certified. Vendors can’t simply bury their heads in the sand and hope the new version goes away
or that their customers will do all the work for them. They must be diligent in familiarizing themselves with the changes to the standard and
how those changes will impact them.

Evantix is a third-party risk management company based in Newport Beach, CA. 3

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

Take the new assessments seriously:

As part of the risk management process, companies will send ISO 27001 risk assessments to key vendors. With these companies adjusting
to the new iteration, the screening will inevitably change as well. If a vendor hasn’t put forth a total effort on risk assessment questionnaires
in the past, it definitely shouldn’t blow off the next few that may now reflect ISO 27001:2013. IT managers can learn much from the new
screenings that will help as they maintain customer data in the years to come.

Identify potential risks:

Planning for and conducting risk assessments is a central part of ISO 27001’s requirements. Vendors should take advantage of the flexibil-
ity ISO 27001:2013 offers to identify and mitigate the risks posed to their own enterprises and to the data entrusted to them.

How This Impacts Risk Managers

Many organizations that were compliant with the previous ISO 27001 standard will strive for certification with the 2013 update (and
with its added flexibility and greater integration with other management processes, they perhaps may even welcome it—at least once the
transition is complete). They will get some time, too: Currently certified companies have until September 2015 or until their existing certi-
fication runs out to upgrade. New certifications performed after September 2014 must be against ISO 27001:2013. Inevitably, vendor
risk managers will have their hands full adjusting to the new standard and ensuring their vendors are on board. Some of the challenges
risk managers will face include:

Discovering what processes work best:

As previously mentioned, ISO 270001:2013 allows for more flex-
ibility in determining what processes and procedures work best for
a particular company. Risk managers may find their vendors using
a variety of methods in achieving compliance with the standard.
Though this may be a great help to the vendors, risk managers
could find themselves scrambling to keep track of all the differ-
ent processes. Companies may need to insist their vendors follow
some uniform IT guidelines simply to make risk management more
standard and less chaotic.

Risk measurement and reporting:

The new 27001 places a major emphasis on metrics, performance
monitoring, and setting objectives in order to measure and report
risk. Tracking the effectiveness of information security will help
identify possible issues before they become potential disasters, but
installing and maintaining these metrics can be a challenge for ven-
dors, as well as for the risk managers who must ensure that those
vendors are following these stricter guidelines.

Emerging and future threats:

Just as companies and vendors must identify and react to current
and future risk, risk managers must stay current with the threats that
can strike the data entrusted to vendors. The revised set of security
controls in Annex A acts as a valuable reference source for per-
forming risk assessments. Many risk staffs already are ahead of the
curve on this emphasis, greatly reducing the chance they will be
caught off guard by an emerging threat.

Evantix is a third-party risk management company based in Newport Beach, CA. 4

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

Keeping a closer watch on vendors:

The added flexibility provided by the new 27001 might prove to
be a great asset for IT vendors. However, it also can be a potential
liability—without some of the specific, strict controls, they might
take the path of least resistance to achieve compliance. Vendor risk
managers must ensure that their key IT suppliers are satisfactorily
complying with the guidelines the company has mandated. This
may require additional assessments and more thorough vendor risk
management.

What Risk Managers Can Do

The update may seem intimidating, but many experts don’t think the changeover will be too difficult or time-consuming for organizations
already following information security best practices. Here are seven steps vendor risk managers can take to make the upgrade easier:

Don’t wait:
Your company may have until as late as September 2015 to achieve compliance with the new version. That’s a long timeframe, and putting
off the update might be tempting. But for this endeavor, procrastination isn’t wise. First, you don’t want to be scrambling at the last minute
to achieve certification if that is your ultimate goal (which it should be). Second, while you wait, the threats that the new 27001 are meant
to address are still out there, poised to become a problem. The upgrade doesn’t need to occur all at once, but a gradual process will
make it all the less stressful. And if a company is taking its time, risk management staffs can always be proactive with vendors so that they
are on board once the parent organization is compliant.

List all interested parties:

Interested parties refers to persons and entities that can influence or be influenced by information security, in the context of the organization
in question. Many organizations already follow this step, but another pass through the list—particularly because more people and vendors
may now be considered an interested party (and a potential threat vector) under the new controls—can be beneficial.

Identify what’s working:

The increased flexibility to use whatever processes that work best to achieve ISO 27001 compliance can be a great benefit for vendor
risk management efforts. The key is identifying those processes, emphasizing the successful ones, modifying those that are less successful,
and replacing any that are inefficient. For example, some vendors are quite proficient with PDCA, so encouraging them to continue with
it may produce the best results.

Adjust screening schedules:

Regular risk assessments for IT vendors are crucial to ensure they are in compliance and your valuable data is secure. With the update, a
short- to moderate-term increase in the frequency of screenings may help the transition to the new standard for both company and vendor.

Work with your vendors:

Vendor risk management doesn’t end when the assessment is completed. Companies and their IT vendors should be partners in achieving
and maintaining compliance and security, working together to achieve their respective goals. And with this update, both sides will need
cooperation in order to successfully reach the new standards.

Evantix is a third-party risk management company based in Newport Beach, CA. 5

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

Use an automated solution:

Vendor risk management software can turn what may seem like a daunting task into an efficient, thorough process that allows risk staffs to
focus on management and analysis rather than hours of busy work. ISO 27001:2013 assessments are no exception. As the new standard
gains wider acceptance, risk screenings must be updated to reflect the changes as well as any future threats that emerge. The greater
flexibility of this iteration also means assessments should be tailored to fit the needs of both company and vendor. An automated solution
can achieve these goals in a fraction of the time taken by traditional spreadsheet-based assessments, can reduce the possibility of human
error, and can provide a streamlined audit trail to more efficiently track the entire process.

Delegate responsibilities:
The new ISO 27001, much like the old one, has many moving parts. Several different individuals across multiple departments may be
charged with helping to achieve compliance. The inclusion of all these components underscores the importance of delegating who is re-
sponsible for what, especially as companies and their vendors transition to the updated 27001. Automated screenings already do a good
job of delegation by ensuring that the correct people are answering the parts of assessments most applicable to their responsibilities. Risk
staffs and IT departments can go a step further by assigning a specialist or a team of specialists to handle the transition to the update, as
well as encouraging vendors to take similar steps.

The Evantix Solution

As technology and business processes evolve, the importance of information security also increases. ISO 27001:2013 is the latest step in
keeping data safe and in helping protect your company’s bottom line. Ensuring that IT vendors are appropriately managing their informa-
tion security responsibilities is also crucial. With the right plan and the right solution, assessing and managing vendor IT risk becomes less
of a chore and more of a proactive initiative that helps your organization grow. Evantix can provide the plan and the solution.

Evantix Risk Manager streamlines the vendor risk assessment process, eliminates the spreadsheets that bog down your compliance efforts,
and frees you and your staff to do what you do best—analyze and manage risk with the third parties that require the most guidance.

Features of our solution include:

A SaaS platform: With our cloud-based solution, Easy user interface: Besides the risk score, data
there is no software to install on your servers, no compiled from Evantix risk assessments are present-
compatibility issues with individual computers and ed in a user-friendly dashboard view, saving you the
devices, and no extra files going back and forth be- hassle of digging through spreadsheets to find the
tween your company and your vendors. This online information you require.
approach hastens the setup and assessment process,
Customizable assessments: Our platform easily
thus delivering the data you need in a fraction of the
adapts to your needs and to the needs of your ven-
time the traditional spreadsheet method does.
dors.
Risk scoring: Similar to the FICO scoring system that
More assessments for more vendors: Because the
banks use to quickly judge a person’s credit-wor-
Evantix solution automates the assessment process,
thiness, Evantix employs a risk score, based on a
you save time by not laboriously sifting through
1,000-point scale, that can give risk managers an
spreadsheets. With this extra time, you can effec-
instant view of a vendor’s risk profile. The higher the
tively assess, analyze, and manage more vendors,
score, the higher the potential risk. These scores save
thus increasing the possibility of identifying third par-
time as you analyze and easily rank the risk of hun-
ties—including ones that might not have even been
dreds of vendors, and they are customizable to fit
assessed before—that may present significant risk to
your company’s needs.
your company.

Evantix is a third-party risk management company based in Newport Beach, CA. 6

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660
ISO/IEC 27001:2013: What Vendor Risk Managers Need to Know

Advanced auditing: Our solution delegates and
tracks who at a vendor is responding to the assess-
ment. Suppliers appreciate this approach because it
doesn’t expose details of one department to anoth-
er department that doesn’t need to know that infor-
mation. You will appreciate this approach because
assessments are completed quicker and with more
accuracy.
On-demand risk reports: When a vendor risk as-
sessment is completed with the Evantix platform, it
is saved and aggregated in our database. If your
company needs a risk report quickly without the
benefit of a thorough assessment, we can provide
that within hours of your request.

Powerful delegation: Powerful delegation tools

enable vendor risk managers to quickly delegation
portions of the assessment to those individuals best
qualified to complete them, resulting in faster assess-
ment complete times, more accurate responses and
vendors who are more happy to oblige.

Evantix is a pioneer in the automated vendor risk management field. Clients such as eBay, McGraw Hill, PayPal, Aclara, and Adobe have
turned to our solutions to improve their risk relationship with their vendors. We not only provide the platform for your vendor risk manage-
ment needs, but also the support, tools, and training to make your risk efforts a success. For more information and to request a free demo,
visit www.evantix.com or call 949-614-7076.

Download a
Sample ISO 27001
Assessment and see
Evantix for Yourself

Click Here

Evantix is a third-party risk management company based in Newport Beach, CA. 7

© 2014, Evantix GRC, LLC. 20341 Birch St. Suite 220, Newport Beach, CA 92660