
April Insights

How to Build an Assessment Framework for IT Suppliers

By Rabei Hassan

Almost every business relies on suppliers to provide or manage an IT service, including storage and business data processing. It is crucial to those businesses that the confidentiality, integrity and availability of every service and data set managed by a vendor are maintained.

In some cases, businesses are legally obligated to ensure that data stored or processed by a supplier is secure. Furthermore, ISO 27001 mandates protection of an organization’s assets that are accessible to suppliers. It is therefore important to have a third-party assessment framework that helps your organization identify, assess and manage the information security risks arising from vendors and suppliers.

To build an assessment framework, follow these steps:

Step 1: Define Criticality and Sensitivity Levels and Criteria
Start by establishing criteria to determine the level of sensitivity of data processed or stored by a supplier and the level of criticality of third-party managed services. Identify all data that is handled and determine classification levels based on the protection each kind of data needs. Take an organization that handles the following data: news information; contracts and agreements; policies and procedures; customer personally identifiable information; employee personal and financial information; and company strategic plans. After discussing the protection needed for this data, it might create three classification levels as demonstrated in this table:

Each organization must decide how many levels of sensitivity it needs and the criteria for each level, based on the company’s own legal and financial implications and the protection required at each level.[1]

For service criticality levels and criteria, first identify the services that are currently, or are expected to be, managed or provided by suppliers. Then, based on business and security needs, determine classification levels. For example, if an organization uses a group of suppliers to provide e-commerce, payroll, email and conference call services, it may create the following:

Decide how many levels of service criticality are needed and the criteria for each level, based on how critical the service is to the business.[2]

Step 2: Build an Information Security Controls Library
Information security controls should be a combination of technical, physical and administrative controls. Physical controls include access cards and CCTV. Administrative controls include a risk management framework, policies and procedures. Organizations can refer to ISO 27002, COBIT 5, the NIST Cybersecurity Framework and other well-known security frameworks or standards to build a comprehensive list of information security controls.

This step is not only about building the list of controls, but also about linking them back to the criticality and sensitivity levels established in the previous step. For example, say you defined three levels of data sensitivity (public, private and confidential). You must decide which controls apply to any supplier that manages each type of information. For public information, backup might be the only control you need. For confidential information, you need the supplier to have access control management, encryption and logging. The same mapping to appropriate controls must be made for each service criticality level.

Each organization decides the controls the vendor must have in place to ensure that confidentiality, integrity and availability are maintained by these service providers.[3]

Step 3: Determine Control Maturity Levels and Criteria

Next, define criteria for assessing the effectiveness of the security controls. For instance, does a supplier that is required to have an encryption policy also have measurement and monitoring capabilities that confirm encryption is working as expected? This kind of assessment evaluates the maturity level of the security control, not merely its presence. Again, refer to COBIT 5, the NIST Cybersecurity Framework or other established standards for guidance.

Each organization should decide the levels needed to assess a control for relevance and maturity. In some companies, generic criteria will work for all controls; in others, specific criteria are required for each control or for a group of controls.[3]

Step 4: Putting It All Together – Supplier Registry
This final step may be the most important because it brings together all the previous information. The register will contain basic supplier information as well as information about the controls and the person responsible for initiating the assessment as scheduled, and for making sure the outcome is duly documented. This registry could be a simple spreadsheet or a customized application. Generally, the register needs to include at least the following information:

  • Field 1 - Supplier Name
  • Field 2 - Supplier Location: This matters especially if your country imposes legal restrictions on storing or exporting information overseas.
  • Field 3 - Service or Data Description: A brief description of the data or the service that will be hosted, accessed or managed by the supplier.
  • Field 4 - Service Criticality or Data Sensitivity Level: Classify the data or the service based on the brief description in the previous field, using the criteria defined in Step 1.
  • Field 5 - Security Controls: Based on the criticality or the sensitivity level defined in Field 4, list all the applicable controls using the library you built in Step 2.
  • Field 6 - Expected Control Maturity Level: Based on the description in Field 3. This could be decided by the service or data owner, or through an organization-wide information security committee.
  • Field 7 - Current Control Maturity Level: The outcome of the last assessment.
  • Field 8 - Last Assessment Date
  • Field 9 - Next Assessment Date
  • Field 10 - Contract Manager: The person responsible for initiating the assessment and making sure it happens as scheduled, even though executing the assessment itself could fall to someone else. This person is also responsible for making sure assessment findings are captured in the registry.
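The four steps above fit together as one small data model: classification levels (Step 1) select controls from a library (Step 2), each classification carries an expected maturity (Step 3), and the register row (Step 4) compares that expectation with the last assessment and tracks when the next one is due. The Python below is an added example written for this page, not the author's own tooling; the level names, the controls library, the 0-5 maturity scale, the review period and the two supplier rows are all constructed assumptions, chosen to match the article's public/private/confidential illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Step 1: classification levels, ordered least to most demanding.
# Names and number of levels are illustrative assumptions.
DATA_LEVELS = ["public", "private", "confidential"]
SERVICE_LEVELS = ["low", "medium", "high"]

# Step 2: controls library keyed by the lowest level at which each control
# becomes mandatory; a higher level inherits every lower level's controls.
DATA_CONTROLS = {
    "public": {"backup"},
    "private": {"access_control", "secure_disposal"},
    "confidential": {"encryption_at_rest", "logging_and_monitoring"},
}
SERVICE_CONTROLS = {
    "low": {"backup"},
    "medium": {"incident_response", "change_management"},
    "high": {"disaster_recovery", "capacity_monitoring"},
}

# Step 3: assumed 0-5 maturity scale (0 = absent, 5 = optimised) and the
# minimum maturity expected of a supplier at each classification.
DATA_EXPECTED = {"public": 2, "private": 3, "confidential": 4}
SERVICE_EXPECTED = {"low": 2, "medium": 3, "high": 4}


def cumulative(levels: List[str], library: Dict[str, Set[str]], level: str) -> Set[str]:
    """Controls required at `level`, including those of every lower level."""
    if level not in levels:
        raise ValueError(f"unknown classification level: {level!r}")
    required: Set[str] = set()
    for lower in levels[: levels.index(level) + 1]:
        required |= library[lower]
    return required


def required_controls(data_level: Optional[str], service_level: Optional[str]) -> Set[str]:
    """Field 5: union of the data-driven and service-driven control sets."""
    required: Set[str] = set()
    if data_level:
        required |= cumulative(DATA_LEVELS, DATA_CONTROLS, data_level)
    if service_level:
        required |= cumulative(SERVICE_LEVELS, SERVICE_CONTROLS, service_level)
    return required


def expected_maturity(data_level: Optional[str], service_level: Optional[str]) -> int:
    """Field 6: the stricter of the two expectations applies."""
    return max(DATA_EXPECTED.get(data_level, 0), SERVICE_EXPECTED.get(service_level, 0))


@dataclass
class SupplierRecord:
    """One row of the register; comments give the article's field numbers."""
    name: str                                   # Field 1
    location: str                               # Field 2
    description: str                            # Field 3
    data_level: Optional[str] = None            # Field 4 (data sensitivity)
    service_level: Optional[str] = None         # Field 4 (service criticality)
    contract_manager: str = ""                  # Field 10
    last_assessed: Optional[date] = None        # Field 8
    review_period: timedelta = timedelta(days=365)
    current_maturity: Dict[str, int] = field(default_factory=dict)  # Field 7, per control

    @property
    def controls(self) -> Set[str]:             # Field 5
        return required_controls(self.data_level, self.service_level)

    @property
    def expected(self) -> int:                  # Field 6
        return expected_maturity(self.data_level, self.service_level)

    @property
    def next_due(self) -> Optional[date]:       # Field 9
        return None if self.last_assessed is None else self.last_assessed + self.review_period

    def gaps(self) -> Dict[str, int]:
        """Required controls whose last-assessed maturity is below expectation.
        A control that was never assessed counts as 0, so it always shows up."""
        return {c: self.current_maturity.get(c, 0) for c in sorted(self.controls)
                if self.current_maturity.get(c, 0) < self.expected}

    def is_overdue(self, today: date) -> bool:
        """A supplier never assessed is overdue by definition."""
        return self.next_due is None or today > self.next_due


def due_for_assessment(register: List[SupplierRecord], today: date) -> List[str]:
    """Names the contract managers need to act on, in register order."""
    return [r.name for r in register if r.is_overdue(today)]


# Constructed sample register: fictional suppliers, dates and scores.
REGISTER = [
    SupplierRecord(name="PayrollCo", location="Sydney, AU",
                   description="Hosted payroll: employee personal and bank details",
                   data_level="confidential", service_level="medium",
                   contract_manager="HR operations", last_assessed=date(2017, 1, 15),
                   current_maturity={"backup": 4, "access_control": 3, "secure_disposal": 4,
                                     "encryption_at_rest": 4, "logging_and_monitoring": 2,
                                     "incident_response": 4, "change_management": 4}),
    SupplierRecord(name="NewsFeed Ltd", location="Singapore",
                   description="Public news ticker embedded in the corporate website",
                   data_level="public", service_level="low",
                   contract_manager="Communications"),   # never assessed yet
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: expects maturity {r.expected} on {sorted(r.controls)}")
        print(f"  gaps: {r.gaps()}  next due: {r.next_due}")
    print("due now:", due_for_assessment(REGISTER, date(2018, 1, 20)))
```

Two design points carry over to a real register, whether it lives in a spreadsheet or an application. First, a control that has never been assessed is treated as maturity 0 rather than as "unknown", so it surfaces as a gap instead of silently passing; the same applies to a supplier with no assessment date, which is overdue from day one. Second, the required controls are derived from the classification every time rather than copied into the row, so a change to the library in Step 2 propagates to every supplier at the next review.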

There are numerous ways to create a framework for evaluating the security posture of third-party vendors. The steps outlined here will go a long way toward helping your organization reduce risk when IT services and data management are outsourced. It will take time to establish the register and then conduct the assessments, but it will be time well spent if it prevents an attack that arrives through an insecure supplier.


Rabei Hassan, CCSP, CISSP-ISSAP, is a senior information security specialist in Sydney, Australia.

[1] For simplicity, we addressed only the confidentiality aspect in this article and in this example. It is recommended to also consider the other security factors, integrity and availability.

[2] For simplicity, we addressed only the availability aspect in this article and in this example. It is recommended to also consider other security factors such as authenticity (making sure the service is provided by the authorized, legitimate service provider).

[3] It is advisable that control selection be based not only on the sensitivity of the data or the criticality of the service but also on the identified risks. For simplicity, we did not discuss risks, risk rating or risk management activities in this article, but organizations should consider integrating the supplier assessment framework with their risk management framework.

5 Minutes with Fatma Ahmad Bazargan

An excerpt of this Q&A appears in the March/April issue of Infosecurity Professional magazine.

Fatma Ahmad Bazargan was the first woman to earn a CISSP in the United Arab Emirates. She is the head of information security at Injazat Data Systems and has been an (ISC)2 member for 11 years.

I understand you are the first woman to receive a CISSP in the United Arab Emirates. 
Yes, I’m the first Emirati woman to receive a CISSP, which I earned in 2006 and, to this day, that is the first comment I get when I meet other security professionals. 

What made you pursue the CISSP certification?
CISSP, back then and today, is always seen as a renowned certification when it comes to information security and, because of that reason, I was keen to put in the effort to study and sit for the exam. Since then, I have maintained a good standing. 

How difficult was it to study for the exam?
I attended the CISSP course here in UAE and then joined a two-day CISSP boot camp that was held in Las Vegas at the Interop conference in 2006. Once I returned home, I sat for the exam; being well prepared made it easier to pass. 

What first led you to pursue information security as a career?
In 2002, I was a new graduate with a Bachelor of Science degree in computer engineering from the American University of Sharjah. I was offered, as an entry-level job, a position as a network administrator at Thuraya Satellite Company. While working there on various network components, I became fascinated with how firewalls and intrusion detection systems work. That was my turning point from IT to information security. 

What did you learn from your very first job that helps you with your current one today?
My first job was the best starting point for me as it showed me how crucial information security is in safeguarding what is important to the organization and its “crown jewels.” Ever since 2002, I have watched the IT world grow and have learned much about its inner workings and about IT security operations and how it revolves around governance, risk, compliance and audits. It has been a great journey so far and I wouldn’t want to change a bit of it. 

What keeps you up at night as a CISO?
I would say everything. As a chief information security officer we are focused every day on ensuring that the organization is safeguarded and secure, inside out. But the worry of the zero-day attack, the security of the contractors, the employees’ actions, the client’s network among the rest does occupy my mind constantly. After all, the irony is there is no 100 percent security and the attacker just needs one zero-day, or a single unpatched system, to get a foothold in your network. 

You were pursuing a Ph.D. – what was your thesis focused on?
My Ph.D. thesis was focused around how to come up with an efficient and effective security monitoring solution in a cloud environment for mechanisms of early detection of cybersecurity incidents. 

What made you stop your thesis work?
I felt that in order to better complete my thesis, it would be worthwhile to work for a cloud service provider that has that kind of environment, and learn the real-world challenges to better equip my thesis paper with a real-world case study — a real-world pain point to solve. 

What was it like to receive a MESA award in 2016?
A privilege indeed. I have placed it on a shelf in my office and whenever my eyes fall on it I remember this entire career journey of what I have been through so far and I look forward to how it will continue to be more challenging, yet fun! 

If a member was to visit your country, what is one attraction or place they should be sure to visit, and why?
Naming just one attraction is tough when it comes to visiting the United Arab Emirates. We have several that can make lasting memories but I can name two for sure. One is the Burj Khalifa in Dubai, the tallest skyscraper in the world. The feeling one gets standing on top of that skyscraper and having a look at the city is incredible. The second one is the Emirates Palace Hotel in Abu Dhabi, with its mind-blowing architecture and design. It’s a beautiful place to stay for a night or two.