What is supplier management, and why is it important for ISO 27001?

The ISO 27001 standard expects companies to carry out a variety of activities to ensure information security. Supplier management requires organizations to carefully select their suppliers and continually monitor their reliability. Therefore, in our ISMS, our supplier management must provide evidence of the following activities:

  • Qualify suppliers
  • Analyze risks associated with suppliers
  • Check suppliers regularly

What is meant by supplier management?

When a company systematically controls its relationships with suppliers, this is called supplier management. Companies are shifting parts of their value chain to suppliers. The supply chain becomes susceptible to disruption if a supplier has problems with quality (e.g. deliveries of defective parts) or with its general ability to deliver (e.g. a fire brings production to a standstill). Purchasing departments therefore often include teams for procurement marketing and purchasing cooperation. These teams find new suppliers so that their own company does not become dangerously dependent on a single supplier.

Supplier management essentially includes the following areas:

  • the evaluation and selection of suppliers (supplier evaluation)
  • the development of the performance level of suppliers
  • the decision at which level the supplier should be included in the value chain

Supplier audits are important for ISO 9001 and ISO 27001 documentation

When do we have to carry out a supplier audit?

A supplier audit is used to select and assess new or existing suppliers. The supplier’s current performance is compared with the target situation agreed in the contract. Taking a detailed look at your supplier’s value creation processes often reveals gaps and potential for improvement.

Such supplier audits should be carried out, where necessary, for the following reasons:

  • Supplier evaluation
  • Supplier selection
  • Optimization and compliance with standards

If you outsource parts of your value chain, you must also ensure the performance of your suppliers. Systematic supplier evaluation is the optimal approach. Companies with an ISO 9001 certificate must carry out supplier assessments regularly. The extent to which an assessment can rely on internal information (e.g. statistics on delivery defects) depends on the risk of the supplier relationship. Automobile manufacturers will almost always carry out a supplier audit of their sub-suppliers. This involves looking at the QM documents and the operational quality management processes. In some cases, these audits also extend to the supplier’s IT infrastructure and ISMS. Large customers increasingly expect ISO 27001 certification from suppliers and service providers (e.g. internet agencies, design studios).