Third-party risks are often greater than internal risks in many SMEs. When you use cloud services, outsourced IT support, accounting firms, software partners, or subcontractors, some of your data, systems, and processes are essentially managed by others. If a supplier’s access rights remain active for too long, backups fail, or security requirements are missing from contracts, the consequences eventually affect your business.
This article explains how to manage third-party risks effectively using the ISO 27001 framework. You’ll get a clear step-by-step model, examples of evaluation criteria, suitable metrics, and concrete actions that let you build supplier management without heavy bureaucracy.
What do third-party risks mean in practice?
A third party is any external entity that impacts your data, systems, or service continuity. This could be a cloud service provider, IT partner, software vendor, consultant, logistics partner, or staffing agency.
Risks don’t just come from supplier errors. They often arise because the company itself doesn’t know what the supplier handles, under which conditions, and at what level of protection. Ask yourself: do you currently know for certain who processes customer data, where it’s stored, and who removes access when collaboration ends?
Common third-party risks include:
- Supplier access to confidential data without clear necessity
- Missing security and continuity requirements in contracts
- Subcontractor chains completely out of sight
- Supplier service outage interrupting your own business
- Supplier staff access not removed within 24 hours after collaboration ends
- Breach notifications delayed beyond the agreed timeframe, e.g., more than 12–24 hours
ISO 27001 helps because it brings structure to supplier management. Instead of assessing suppliers based on gut feeling, you build a management system where risks are identified, requirements defined, responsibilities assigned, and monitoring happens regularly.
Note
ISO 27001 doesn’t mean every supplier must undergo heavy audits. The idea is to align requirements with risk: a critical cloud service is assessed more thoroughly than an office supplies vendor.
Why does ISO 27001 work for managing supplier risks?
ISO 27001 is a standard for information security management systems. In practice, it helps you build a repeatable model for how information security is managed, measured, and improved. From the third-party perspective, the biggest benefit is that supplier management isn’t left to individual contracts or someone's memory.
Linking supplier risks into the management system gives you at least three benefits:
- Faster decision-making since evaluation criteria are ready
- Risks are visible to management just like other business risks
- In audits and client queries, you can demonstrate how suppliers are managed in practice
Many SMEs realize that the same supplier is involved in several critical processes. For example, a single SaaS service may contain customer data, user management, and reporting. If the service is down for 4 hours, the impact is not only technical but commercial as well.
Below is a simple way to classify suppliers by risk level.
| Risk Level | Example Supplier | Data Handled | Required Evaluation | Review Frequency |
|---|---|---|---|---|
| Low | Office supplies vendor | No confidential data | Basic info and contract review | 24 months |
| Medium | Accounting or HR partner | Personal data, financials | Survey, contract requirements, named responsible person | 12 months |
| High | Cloud service, IT outsourcing, data center | Customer data, access rights, production systems | Risk analysis, security documents, continuity requirements | 6–12 months |
| Critical | Core system supplier | Business-critical and confidential data | Extensive assessment, management approval, deviation monitoring | 3–6 months |
What should you require from suppliers?
A common mistake is trusting that a well-known supplier is automatically secure. A well-known brand does not replace your own evaluation. You need to define what minimum requirements the supplier must meet before and during collaboration.
A good starting point is to build supplier requirements into four categories:
- Security: access rights, logging, encryption, vulnerability management
- Continuity: backups, recovery times, incident communication, service levels
- Contracts: data processing terms, responsibilities, audit rights, subcontractors
- Monitoring: reviews, deviation reporting, metrics, corrective actions
Practically, you can request from the supplier:
- Description of where data is located
- Information about any subcontractors
- Process for breach notifications, e.g., notification within 12 hours of detection
- Description of access removal process, e.g., within 24 hours after employment or contract ends
- Backup and restore testing information, e.g., tested at least annually
- Possible certifications like ISO 27001, or other evidence of security management
Warning
A common mistake is copying the same requirement list for every supplier. This leads to wasted effort and critical suppliers not standing out. A risk-based model works better.
How to assign responsibilities within the organization?
Supplier risk management often fails because everyone assumes someone else is handling it. Procurement focuses on price, IT on technology, business on usability, and management assumes it's all under control. ISO 27001 requires responsibilities to be clearly assigned.
Even a small organization can use a lightweight model as long as every supplier has an owner. The owner doesn’t do everything but ensures evaluation, approval, and monitoring happen.
| Activity | Responsible Party | Practical Task | Target Timeframe |
|---|---|---|---|
| Supplier classification | Service owner | Determine risk level and criticality | 2 business days after request |
| Security evaluation | IT / security manager | Verify controls and documentation | 5 business days |
| Contract terms review | Management / procurement / legal partner | Confirm security & continuity clauses | Before signing |
| Approval | Designated decision-maker | Approve high-risk suppliers | Before deployment |
| Monitoring | Supplier owner | Review deviations and changes | Every 6–12 months |
If you use Tietoturvapankki, responsibilities and reviews are easier to keep visible in one place. This is especially useful when the same supplier involves both technical and contractual requirements.
Practical step-by-step model with ISO 27001
Theory alone isn’t enough, so here’s a concrete model. If you start now, a first working version can typically be built in 2–6 weeks depending on the number of suppliers and the current situation.
List all suppliers impacting data or services
Gather at least 10–20 key suppliers or all suppliers with access to data, systems, or business-critical processes. Add service name, owner, data handled, potential production environment access, and contract validity.
Classify suppliers by risk level
Evaluate each supplier using at least four criteria: data confidentiality, service criticality, amount of personal data, and subcontractor dependence. Use a simple 1–3 scale per criterion and select suppliers scoring, for example, 8–12 for closer review.
Define minimum requirements and check contracts
Create a risk-based requirement list. For high-risk suppliers, require breach notification within 12–24 hours, access removal in 24 hours, annual restore testing, and visibility of subcontractors before contract approval.
Implement approval process before commissioning
Don’t deploy a new supplier before risk classification, security evaluation, and contract terms are approved. Practically, this can be a single approval form signed off by service owner, IT, and decision-maker before production use.
Regularly monitor suppliers and react to changes
Agree on review frequency based on risk level and monitor at least deviations, significant changes, audit findings, and contract expirations. For critical suppliers, hold reviews every 3–6 months and for others at least every 12 months.
Tip
If you have many suppliers, start with 3–5 suppliers whose failure would stop sales, customer service, or production. This way, you quickly gain visible improvement without the project becoming too large.
Example of a simple scoring model
A lightweight scoring model is often sufficient for SMEs as long as it’s used consistently. The goal isn’t a perfect mathematical model but to separate truly critical suppliers from others.
| Criterion | 1 point | 2 points | 3 points |
|---|---|---|---|
| Data confidentiality | Public or minimal | Internal | Confidential / personal data |
| Service criticality | Easily replaceable | Affects work | Interrupts business |
| Access rights | No system access | Limited access | Admin or maintenance access |
| Subcontractor chain | No subcontractors | Limited use | Multiple subcontractors |
Interpretation might be:
- 4–5 points: light evaluation
- 6–8 points: normal evaluation and contract check
- 9–12 points: extensive evaluation, management approval, and frequent monitoring
The most important thing is that scoring leads to action. If a supplier scores high but no additional requirements follow, the evaluation remains a paper exercise.
Common mistakes to avoid
Many organizations already do supplier management, but in a fragmented way. The problem is rarely a total absence of supplier management but rather the lack of a unified approach.
Avoid these mistakes:
- Supplier list not updated, so some critical partners are missing
- Evaluation done only at procurement start, not during contract
- Security requirements missing from contracts or service descriptions
- No owner assigned for high-risk suppliers
- Deviations not monitored, or corrective actions without deadlines (e.g., 30 days)
A practical checklist for monthly monitoring is short:
- New suppliers onboarded without evaluation?
- Contracts expiring in the next 90 days?
- Deviations or incidents reported by suppliers?
- Access rights removed on time?
- Agreed reviews conducted for critical suppliers?
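As an added example (not part of the original article or any product it mentions), the script below encodes the scoring model from the table above and the monthly checklist as automated checks over a small supplier register. The supplier names, scores and dates are constructed for illustration; the review interval per evaluation band is an assumption derived from the article's guidance (critical suppliers every 3–6 months, others at least every 12 months), and the 90-day, 24-hour and 30-day limits are the ones the article states.

```python
"""Supplier register checks: scoring bands plus the monthly checklist."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# The four criteria from the scoring table; each is scored 1, 2 or 3.
CRITERIA = ("data_confidentiality", "service_criticality",
            "access_rights", "subcontractor_chain")

# Review interval per band (assumption based on the article's guidance:
# critical suppliers every 3-6 months, others at least every 12 months).
REVIEW_INTERVAL_DAYS = {"light": 365, "normal": 365, "extensive": 182}

# Limits named in the article's checklist and mistake list.
CONTRACT_EXPIRY_WINDOW_DAYS = 90
ACCESS_REMOVAL_SLA = timedelta(hours=24)
CORRECTIVE_ACTION_DEADLINE_DAYS = 30


@dataclass
class Supplier:
    name: str
    scores: dict                      # criterion -> 1..3
    evaluated: bool                   # security evaluation done before use?
    contract_end: date
    last_review: Optional[date] = None
    offboardings: list = field(default_factory=list)        # (requested, removed)
    corrective_actions: list = field(default_factory=list)  # (opened, closed|None)
    open_deviations: int = 0          # deviations reported but not yet reviewed

    def total_score(self) -> int:
        """Sum the four criteria, rejecting unscored or out-of-range values."""
        missing = [c for c in CRITERIA if c not in self.scores]
        if missing:
            raise ValueError(f"{self.name}: unscored criteria {missing}")
        for c in CRITERIA:
            if self.scores[c] not in (1, 2, 3):
                raise ValueError(f"{self.name}: {c} must be 1, 2 or 3")
        return sum(self.scores[c] for c in CRITERIA)


def evaluation_tier(total: int) -> str:
    """Map a 4..12 total to the article's bands: 4-5 light, 6-8 normal, 9-12 extensive."""
    if total <= 5:
        return "light"
    if total <= 8:
        return "normal"
    return "extensive"


def monthly_checks(register, today: date) -> list:
    """Run the monthly checklist; returns (supplier name, finding) pairs."""
    findings = []
    for s in register:
        tier = evaluation_tier(s.total_score())
        if not s.evaluated:
            findings.append((s.name, "onboarded without security evaluation"))
        days_left = (s.contract_end - today).days
        if days_left < 0:
            findings.append((s.name, "contract already expired"))
        elif days_left <= CONTRACT_EXPIRY_WINDOW_DAYS:
            findings.append((s.name, f"contract expires in {days_left} days"))
        interval = REVIEW_INTERVAL_DAYS[tier]
        if s.last_review is None or (today - s.last_review).days > interval:
            findings.append((s.name, f"{tier} review overdue (interval {interval} days)"))
        for requested, removed in s.offboardings:
            if removed is None or removed - requested > ACCESS_REMOVAL_SLA:
                findings.append((s.name, "access removal exceeded 24 h SLA"))
        for opened, closed in s.corrective_actions:
            if closed is None and (today - opened).days > CORRECTIVE_ACTION_DEADLINE_DAYS:
                findings.append((s.name, "corrective action open beyond 30 days"))
        if s.open_deviations:
            findings.append((s.name, f"{s.open_deviations} unreviewed deviation(s)"))
    return findings


# Constructed sample register and reference date (not real suppliers).
TODAY = date(2025, 3, 1)
SAMPLE_REGISTER = [
    Supplier("Office supplies vendor",
             dict(zip(CRITERIA, (1, 1, 1, 1))), evaluated=True,
             contract_end=date(2026, 6, 30), last_review=date(2024, 9, 1)),
    Supplier("Accounting partner",
             dict(zip(CRITERIA, (3, 2, 2, 1))), evaluated=True,
             contract_end=date(2025, 4, 15), last_review=date(2024, 1, 10),
             corrective_actions=[(date(2025, 1, 5), None)]),
    Supplier("Cloud ERP provider",
             dict(zip(CRITERIA, (3, 3, 3, 2))), evaluated=False,
             contract_end=date(2026, 1, 1), last_review=date(2024, 7, 1),
             offboardings=[(datetime(2025, 2, 10, 9, 0), datetime(2025, 2, 12, 17, 0))],
             open_deviations=1),
]

if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(f"{s.name}: score {s.total_score()} -> {evaluation_tier(s.total_score())}")
    for name, finding in monthly_checks(SAMPLE_REGISTER, TODAY):
        print(f"[{name}] {finding}")
```

The validation in `total_score` matters in practice: a supplier with a missing or out-of-range criterion would otherwise silently land in a lower band, which is exactly how a critical supplier fails to stand out.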
How does this relate to a broader management system?
Managing third-party risks is not an isolated process. It ties directly to risk management, access control, continuity planning, incident handling, and management reviews. That’s why ISO 27001 works well: it integrates these into one manageable whole.
If your organization already has experience with a system like ISO 9001, the mindset is familiar. Define processes, responsibilities, metrics, and improvement cycles. The same logic applies to information security. Softapankki Oy and QMClouds Oy have developed solutions to support management systems, where Laatupankki — the Group’s quality management brand — brings a familiar structure for management system development.
Tietoturvapankki especially helps ensure that supplier management documents, risks, responsibilities, and reviews don’t remain in separate Excel files. When everything is in one place, audit preparation is easier and daily work stays lighter.
Summary
- Manage third-party risks based on risk level, not the same way for all suppliers.
- Start by listing suppliers and classifying them on a scale of 1–3 with four key criteria.
- Set clear requirements for high-risk suppliers, such as breach notifications within 12–24 hours and access removal within 24 hours.
- Assign an owner for every critical supplier and monitor regularly, e.g., every 3–12 months based on risk.
- ISO 27001 brings structure to supplier management, keeping risks, contracts, responsibilities, and monitoring under control.
Need help with information security management?
Our experts are here to assist you.
