IVI Framework Viewer

Supplier Security Requirements

A8

Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Supplier Security Requirements at each level of maturity.

2 Basic
  • Practice
    Begin to define information security requirements and criteria for procurement activities, and identify and use industry-standard generic templates and clauses.
    Outcome
    There is some understanding among suppliers of key security requirements.
    Metrics
    • # of security requirements and questions included in key procurement documents such as RFIs.
    • % of procurement activities for which supplier security requirements have been defined.
  • Practice
    Begin to conduct some supplier compliance audits (e.g. following an incident).
    Outcome
    Some issues of supplier non-compliance are beginning to be uncovered.
    Metrics
    • # of audits of suppliers.
    • % of suppliers complying with security requirements.
    • # of identified supplier breaches of requirements.
    • # of security incidents involving suppliers.
3 Intermediate
  • Practice
    Define standard information security requirements and criteria for most procurement activities.
    Outcome
    There is an increased understanding among suppliers of the levels of security expected, which reduces the risk of security breaches.
    Metrics
    • # of security requirements and questions included in key procurement documents such as RFIs.
    • % of procurement activities for which supplier security requirements have been defined.
  • Practice
    Proactively conduct audits of supplier compliance in a structured manner.
    Outcome
    Key issues of supplier non-compliance are evident, and steps can be taken to rectify them.
    Metrics
    • # of audits of suppliers.
    • % of suppliers complying with security requirements.
    • # of identified supplier breaches of requirements.
    • # of security incidents involving suppliers.
4 Advanced
  • Practice
    Define comprehensive information security requirements and criteria for all IT-related procurement activities, and include obligations to provide security patches and updates in all contracts.
    Outcomes
    • Supplier security is up-to-date and relevant to current business activities and priorities.
    • Supplier-related security breaches are rare.
    Metrics
    • # of security requirements and questions included in key procurement documents such as RFIs.
    • % of procurement activities for which supplier security requirements have been defined.
  • Practice
    Include indirect suppliers in audits of supplier compliance.
    Outcome
    There is organization-wide confidence that all suppliers (direct and indirect) are adhering to security requirements, and that any issues of non-compliance are effectively rectified.
    Metrics
    • # of audits of suppliers (including indirect suppliers).
    • % of suppliers complying with security requirements.
    • # of identified supplier breaches of requirements.
    • # of security incidents involving suppliers.
5 Optimized
  • Practice
    Continually review and update information security requirements and criteria; base these on the latest insights from the security industry, vendors, and research.
    Outcomes
    • Supplier security is exemplary and informed by the latest security insights.
    • The risk of imposing excessive security measures, and the risk of failure at the weakest link in the supply chain, are both minimized.
    Metric
    # of updates to security requirements and criteria per time period.
  • Practice
    Continually review and improve as appropriate the supplier compliance audit process.
    Outcome
    The supplier compliance audit process is kept effective and relevant.
    Metric
    Frequency of review cycle.