Outsourcing IT to a platform as a service (PaaS) is incredibly popular with organizations that want to focus on other essential business processes. Even software development organizations often outsource IT, and organizations responsible for the uptime of IT applications no longer own hardware and IP connections. I call what is happening to IT stapling. For example, infrastructure is outsourced with infrastructure as a code, the source code is hosted and tracked within a repository service and testing is automatically performed by a tool hosted somewhere else. On top of that, multiple applications are running that support several business processes, and the actual software applications used are coded by several suppliers. Organizations often have agreements with most of the software suppliers they work with, meaning they are convinced the suppliers have implemented appropriate controls to guarantee the organization can always work with the software. However, this means trusting not only the software supplier but the whole chain of suppliers. So, how can you do that?
Third-party management is something your organization needs to have in place regarding your suppliers and their suppliers. You may wonder why it is so important given that your risk analysis likely notes that you transferred risk to the supplier. Consider what happens when the supplier does not meet delivery expectations and disturbs business processes. The supplier may be responsible, but the disruption still effects your clients, your brand reputation and your productivity. In 2019, the main cause of business disruption was unplanned IT or telecommunications outages.
When it comes to third-party management, International Organization for Standardization (ISO) certifications or assurance reports such as SOC2 Type II reports are generally requested. However, for each and every supplier (and sub-service organizations of that supplier when significant) it should be determined what risk is related to the services that are outsourced. Is the risk related to the continuity of essential business process or is it related to confidential information? Confidentiality, integrity and availability (CIA) are the basis for this analysis. Topic areas such as laws and regulations (e.g., does the supplier process personal identifiable information [PII]?) can be included in this analysis. Every important area of your organization should be assigned a risk rating (i.e., high, moderate, low), which determines what kind of assurance documentation you need. Of course, you can demand the highest level of assurance from every supplier, but that may not be realistic. If you demand continuous monitoring and SOC2 Type II reports, your supplier costs will be immense. For low risk outsourced services, a self-assessment may be enough to cover the identified risk.
When implementing an appropriate third-party management system, it is important to be aware that some business processes rely partly on third parties and that there is risk involved with adopting them. When you are aware of the risk of third parties, you can then divide the risk into topic areas, quantify the risk and start defining the measures for managing the risk. This framework helps you make sure you can rely on your suppliers (and their suppliers).
Editor’s note: For further insights on this topic, read Jouke Albeda’s recent Journal article, “Third-Party Assurance: Why and How?,” ISACA Journal, volume 2, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!