Secure supply chain management: guidelines for successful TPRM

Author
Chris Resnik
Published
14. July 2025
Digitalization has revolutionized the way companies work. Today, few companies — whether SMEs or global players — rely exclusively on their own resources. IT providers, external service providers, and cloud operators have become integral to modern business models. However, this dependency also increases risk.

How well do companies know their suppliers and partners? Do they have full control over their security measures? The reality is that many companies only have a fragmentary overview of their third parties - and this is precisely what cyber criminals exploit. Regulators and international standards have long recognized this problem and are calling for systematic third-party risk management (TPRM). But how can companies overcome this challenge?

In this article, we highlight the most important regulatory requirements and show how TPRM can be implemented effectively in practice - with specific recommendations from the experts at InfoGuard.

Quiz question: What is one of the common points in the new standards and legal requirements?

Is it...

  • ...that evidence must be stored on a blockchain
  • ...an initiative that calls for improved supplier management
  • ...that the use of AI is mandatory for the evaluation of risks

The correct answer is: A push for better supplier management.

Legal requirements and standards for supplier management and supplier risk management (TPRM)

Normative requirements such as ISO/IEC 27001 and ISO/IEC 27701, legal requirements such as NIS (Article 2d) and DORA (Articles 28 to 44), as well as internationally recognized standards such as ISO/IEC 27002 (5.19) and PCI DSS Version 4.x (6.3.2) are increasingly integrating supplier management and supplier risk management (TPRM). NIST also provides valuable guidance on supplier management and supply chain risk management in SP 800-161.

The exact requirements of the standards may differ slightly in their wording, but are essentially aimed at a more comprehensive overview and monitoring of relevant or critical suppliers and service providers:

  • Regular monitoring of procured services
  • Regular risk assessment of the supplier
  • Proof of secure operation from suppliers and sub-suppliers
  • Measures in the event of a change in a supplier's risk assessment
  • Consolidated reporting to the management
  • Regular review of the supplier risk assessment process
  • Continuous improvement process (CIP)

The 5 phases of the TPRM catalog of measures

The requirements defined in the legal regulations and standards trigger analyses and optimizations that lead to considerable additional work.

The underlying activities can be differentiated into five phases:

  1. Development of a catalog of criteria
  2. Expansion of the existing supplier risk assessment process
  3. Updating and documenting the supplier management inventory*
  4. Automation of the modified supplier risk assessment process*
  5. Reporting on supplier risk management

* Phases 3 and 4 do not necessarily have to take place at separate times, but can run simultaneously and in parallel.

Navigating the challenges with the TPRM guide

The company faces a number of challenges due to the changed supplier risk management requirements. The existing supplier inventory must be revised and, in all likelihood, expanded as well.

This means additional work for employees, which has to be dealt with during day-to-day business. In addition, although the expansion of the supplier inventory should ideally be approved by the person or persons responsible for the framework, the decision should not lie solely with this person or group of people. Coordination therefore requires dialog with other parties involved.

Completing the supplier inventory will involve key persons or their delegations from several departments, which in turn means additional organizational effort that costs time and ultimately money.

The following measures can be implemented to optimize the effort:

Classification of suppliers and service providers

An effective classification of suppliers and service providers can significantly reduce the effort involved. Suppliers should be classified according to their criticality and their influence on the business. This makes it possible to focus resources on the most important/critical suppliers.

  1. Critical suppliers: These suppliers are essential to business operations. Their loss would have a significant impact on the company.
  2. Important suppliers: These suppliers are important, but their failure would not have an immediate, serious impact.
  3. Non-critical suppliers: These suppliers have a lesser impact on the business.

Prioritization of measures

After classification, measures should be prioritized. Critical suppliers should be assessed and monitored first. This ensures that the most important risks are addressed first.

Use of technology

The use of technology, such as AI-powered tools, can further increase the efficiency of supplier management. These tools can help identify risks, analyze data and generate reports.

Training and awareness

Training employees and raising awareness of the importance of supplier management can also reduce costs. Employees who understand the importance and requirements of supplier management can work more efficiently and make better decisions.

Get clarity on your supply chain risks. As an ISO 27001-certified service provider, our consulting team will be happy to assist you with the structured analysis and optimization of your supplier management.


Requirements for efficient TPRM

In short: centralization and automation

Centralization

Centralization means bringing together as many sources of information as possible in one central location - ideally an ERP, possibly a comprehensive wiki page that obtains or displays data from several sources, or if there is no other option - a consolidated Excel spreadsheet.

Automation

Automation replaces as many manual steps as possible with workflows and the use of templates. This is where centralization pays off: the more of the company's data sources the central location covers, the more effective automation becomes. If the monitoring of fourth- or even fifth-party service providers becomes mandatory in the future, the number will quickly become unmanageable.

Let's take an example: a company procures services from 15 suppliers. These 15 service providers themselves each procure services from 15 service providers ("fourth-party service providers" from the company's perspective), each of which is in turn served by 15 service providers ("fifth-party service providers").

That is a total of 3,615 service providers (15 + 225 + 3,375). Of course, not all of them need to be monitored and evaluated with the same intensity, but such a number of service providers cannot be managed manually. Workflows that use question catalogs and e-mail templates as elements of automation come into play here.

Practical procedures

As all companies are different to a certain extent, it is difficult or impossible to provide specific steps for practical supplier management. We will therefore concentrate on a few basic steps.

"Money" approach

This method examines which supplier invoices are paid by the accounting department. The invoices can be used to draw conclusions about the supplier and the service purchased. This should provide information as to whether the service is relevant to IT and, if so, how critical this service is. However, if the accounting department is not already able to filter invoices by category, this process can take some time. Not least because the search should be repeated at different times to cover different payment periods.

"Service" approach

This method is a daily activity analysis in which every action is scrutinized for service relevance and criticality: "When I deploy this image, I use my laptop, the network, this software, this tenant in the cloud, etc.". All these services must be collected and grouped according to criticality. The final step is then to assign the "service to supplier". Such an analysis should be carried out by several people from different groups on different days, as not all activities that lead to critical services and suppliers are carried out on every day.

Both approaches provide lists of suppliers and services that now need to be cross-checked. The company itself must decide which suppliers are critical for the company. This is usually based on a business impact analysis (BIA), in which fictitious (or actual) incidents are used to estimate how and to what extent the company is affected by an incident. If the loss of a service or supplier jeopardizes the survival of the company after one day, after three days or after one week, then this service or supplier can be marked as critical with a clear conscience.

Supplier risk assessment in TPRM

Information procurement

In order to carry out the supplier risk assessment, we need information about the supplier or their service. The source of information must be critically scrutinized with regard to its reliability and the truthfulness of the information. Possible ways to obtain it:

  • Collect publicly available information.
  • Inform ourselves on the supplier's website.
  • Ask the supplier to complete a questionnaire.
  • Rely on information from third parties.

Evaluation of the information

ISO 27001 certification of a supplier is an advantage and can save us a lot of work if the service used is within the scope of the certified ISMS, which needs to be checked carefully.

"Questionnaire" procedure

The "questionnaire" procedure is frequently used; its level of detail increases in line with the criticality of the supplier or service. The more important the service is for us, the more precisely we want to know about things such as patching, change management, configuration management, secure software development life cycle, supplier management, etc.

Existing suppliers

Existing suppliers should already have information on the above points from previous surveys. It "only" needs a delta of information for completion.

New suppliers

In the case of new suppliers, we have no choice but to collect all the necessary information.

Contract adjustments

If an initial review of existing suppliers shows gaps relative to the increased supplier risk management requirements that need to be covered contractually, the templates for supplier contracts should be updated as soon as possible in order to bring future suppliers up to the higher level. Existing suppliers may not be prepared to accept changes to the contract during the current contract period that mean more work for them. For this reason, the new contract template must be introduced for such suppliers at the time of contract renewal.

Automation of the evaluation

Obtaining a supplier's ISO 27001 certificate and carefully checking the scope stated in it are generally beyond the reach of a workflow tool (and the evaluation of such an analysis should not be left to an AI tool without human review). A standardized questionnaire, on the other hand, can be implemented relatively easily in Microsoft Forms, for example. In combination with Outlook/Exchange, supplier questionnaires or the links created can then be sent regularly to active suppliers in the supplier directory, either automatically by date or alternatively to an exported list of active suppliers. The better integrated the data source and the workflow tool are, the lower the hurdle to automation, which ultimately reduces the workload for everyone involved.

Whatever the format of the questionnaire, the effort involved in evaluating the responses should not be underestimated. For this reason, free-format text fields should be avoided as far as possible and radio buttons or drop-down fields should be used instead wherever possible - this makes it much easier to evaluate the responses. Ultimately, the aim is not to collect questionnaires, but to evaluate them in order to assess the risk situation in the supplier area.
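An added example (not InfoGuard's code or tooling) of how structured questionnaire responses can be evaluated automatically: every answer option carries a constructed score, the minimum average depends on the supplier's criticality tier, free-text or missing answers are routed to manual review, and for existing suppliers only the delta to the previous survey is reported. The question names, options, scores and thresholds are assumptions; the last function reproduces the fourth/fifth-party count from the example above.

```python
from typing import Dict, Optional

# Constructed answer scoring for structured (radio button / drop-down) questions.
# Assumption: every allowed option maps to 0 (weakest) .. 2 (strongest); any other
# value (free text, blank) cannot be scored automatically and goes to a person.
ANSWER_SCORES: Dict[str, Dict[str, int]] = {
    "patching": {"within 30 days": 2, "within 90 days": 1, "no defined SLA": 0},
    "change_management": {"formal, documented": 2, "informal": 1, "none": 0},
    "secure_sdlc": {"reviews and testing": 2, "ad hoc": 1, "none": 0},
    "supplier_management": {"own TPRM process": 2, "contractual only": 1, "none": 0},
}

# Constructed minimum average score per criticality tier (stricter for critical suppliers).
TIER_THRESHOLD = {"critical": 1.75, "important": 1.25, "non-critical": 0.75}


def score_questionnaire(answers: Dict[str, str]):
    """Average the scores of all evaluable answers; list questions needing manual review."""
    total, counted, manual = 0, 0, []
    for question, options in ANSWER_SCORES.items():
        answer = answers.get(question)
        if answer not in options:
            manual.append(question)  # missing or free-text answer: not machine-evaluable
            continue
        total += options[answer]
        counted += 1
    return (total / counted if counted else 0.0), manual


def evaluate(supplier: str, tier: str, answers: Dict[str, str],
             previous: Optional[Dict[str, str]] = None) -> dict:
    """Evaluate one supplier's questionnaire; compare with a previous survey when given."""
    avg, manual = score_questionnaire(answers)
    result = {
        "supplier": supplier, "tier": tier, "score": round(avg, 2),
        "meets_threshold": not manual and avg >= TIER_THRESHOLD[tier],
        "manual_review": manual,
    }
    if previous is not None:  # existing supplier: only the delta is of interest
        result["changed"] = [q for q in ANSWER_SCORES if answers.get(q) != previous.get(q)]
        result["risk_increased"] = avg < score_questionnaire(previous)[0]
    return result


def nth_party_count(direct: int, per_supplier: int, levels: int) -> int:
    """Suppliers across `levels` tiers, e.g. 15 direct with 15 each: 15 + 225 + 3375."""
    return sum(direct * per_supplier ** i for i in range(levels))
```

A drop in score or any question routed to manual review is the trigger for the "measures in the event of a change in a supplier's risk assessment" that the standards call for.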

How TPRM succeeds with minimal effort

Anyone who has not yet been assessed as a supplier, or has not yet inventoried and assessed their own suppliers, will have to do so in the near future. Future-proof your supplier management and stay one step ahead of the regulatory requirements. As an ISO 27001-certified service provider, our consulting team will support you in the process and the assessment to reduce the burden on your organization. Secure a personal consultation now.
