Sofema Aviation Services (SAS) considers the key elements of Information & Cyber Oversight of Third Parties.
Introduction
The requirement for Third-Party Risk Management (TPRM) is not just about data security; it is a regulatory mandate under EASA Part-IS. The introduction of Sofema Form IS 5C highlights that organizations must audit the "operational implementation" of controls for all outsourced activities, not merely the existence of a policy.
Key additions from Form IS 5C include:
• Regulatory Access: Contracts must explicitly grant the Competent Authority (CA) access rights to the contractor, equivalent to the access granted to your own organization.
• Shared Risk Context: Risk management must extend beyond simple questionnaires to include the mapping of "interfaces," "data flows," and roles (producer vs. consumer).
• Resilience Verification: Assessment must verify technical specifics like backup immutability and encryption, not just policy existence.
Guidance Document: Supplier Assessment & Assurance
Compliance Reference: EASA Part-IS.I.OR.235 / ISMM §8.1, §8.9 / Form IS 5C
Purpose - To establish a mechanism for assessing suppliers using Form IS 5C to ensure compliance with EASA Part-IS requirements regarding outsourced and contracted activities.
Supplier Classification (Triage) & Risk Profiling - Suppliers must be formally classified into Critical, Standard, or Low Impact categories. This classification dictates the "Annual Oversight" plan.
Assessment Criteria (Updated with IS 5C Controls) - The assessment must now confirm the following specific controls during the Mandatory Prior Assessment:
• Contractual & Regulatory Compliance
>> CA Access Rights: Does the contract ensure the Competent Authority (CA) has access rights to the contractor upon request?
>> 24-Hour Notification: Does the contract contain the explicit obligation to notify the organization of incidents within 24 hours?
>> Right to Audit: Contracts must include clauses covering security and breach notification obligations (ISMM §8.1.6.2).
• Interface & Shared Risk Management
>> Interface Mapping: All identified interfaces should be mapped with data flows, functions, and roles (producer/consumer) to establish the shared risk context.
>> Joint RCA: The supplier must agree to cooperate on Joint Root Cause Analysis (RCA) and the resulting Corrective Actions for risks affecting the interface.
• Technical Resilience
>> Immutability: Are the supplier's backups of critical systems/data enabled with immutability (cannot be altered/deleted)?
>> Encryption: Are backups secured with encryption both in transit and at rest?
>> Business Continuity Plan (BCP) Testing: Is there evidence of annual restore/DRT testing?
Operational Audit: Using Form IS 5C
For high-risk suppliers, the Form IS 5C checklist should be used annually.
• Verification Method: Review specific "KPIs" (e.g., Mean Time To Recovery - MTTR) against contractual targets.
• Lesson Learned Integration: Verify that lessons learned from supplier incidents are officially used to update the organization's Risk Register (ISMM §3.10.2).
Additional Tasks for Risk Profiling (Derived from IS 5C)
To fully align with the requirements of Form IS 5C, the following specific tasks must be performed during the risk profiling phase of a supplier:
• Map Data Flow Interfaces (Producer vs. Consumer):
Task: You must explicitly identify and document the "interfaces" between your organization and the supplier. (Form IS 5C requires verifying if the "shared risk context" is established by defining who is the "producer" of data and who is the "consumer".)
• Verify Backup Immutability:
Task: During technical assessment, specifically ask for evidence that backups are "immutable" (e.g., WORM storage - Write Once Read Many) to prevent ransomware from encrypting backups. (This is a specific check item under "Ransomware Prevention" in Form IS 5C.)
• Confirm Competent Authority (CA) Access:
Task: Review the legal contract to ensure it allows you (and the authority) to audit the supplier. (Form IS 5C asks if access granted to the CA is "equivalent to that granted to the organization".)
• Establish Joint Root Cause Analysis (RCA) Protocols:
Task: Establish a "Cooperation Protocol" (ISMM §4.2.4.5) that dictates how both parties will work together to investigate a breach.
Why: Risk profiling must determine if the supplier is willing and capable of performing a "joint RCA" rather than just providing a generic incident report.
• Audit History & KPI Review:
Task: Review the supplier's historical performance on KPIs such as MTTR (Mean Time To Recovery). Risk profiling should be based on actual performance data ("Review of KPIs"), as mandated by the Supplier Monitoring section of IS 5C.
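As an added illustration (not Sofema's material and not part of Form IS 5C or the ISMM), the Python below operationalises two of the checks named in the Operational Audit and Audit History sections: the review of MTTR against a contractual target, and verification that each incident was notified within the 24-hour clause. The supplier name, the three incident records and the 8-hour MTTR target are constructed placeholders; the 24-hour window is the one the text states. Records with an impossible timeline are rejected so that bad supplier data cannot silently produce a favourable KPI.

```python
"""Supplier KPI verification against contractual targets (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    """One supplier incident record (field names are this example's own)."""
    ref: str
    detected_at: datetime   # supplier's own detection time
    notified_at: datetime   # time the supplier notified our organisation
    restored_at: datetime   # time the affected service was back in operation

    def __post_init__(self):
        # Reject records whose timeline is impossible; a notification or
        # restoration earlier than detection cannot be used as evidence.
        if self.notified_at < self.detected_at or self.restored_at < self.detected_at:
            raise ValueError(f"{self.ref}: notification/restoration precede detection")


@dataclass(frozen=True)
class ContractTargets:
    """Obligations taken from the supplier contract (values are assumed)."""
    notify_within: timedelta = timedelta(hours=24)  # 24-hour notification clause
    mttr_target: timedelta = timedelta(hours=8)     # assumed contractual MTTR


def mean_time_to_recovery(incidents):
    """MTTR = mean(restored_at - detected_at); None when there are no incidents."""
    if not incidents:
        return None
    total = sum((i.restored_at - i.detected_at for i in incidents), timedelta())
    return total / len(incidents)


def late_notifications(incidents, targets):
    """Refs of incidents notified later than the contractual window."""
    return [i.ref for i in incidents
            if i.notified_at - i.detected_at > targets.notify_within]


def kpi_review(supplier, incidents, targets=ContractTargets()):
    """Produce findings suitable for the annual oversight record / risk register."""
    mttr = mean_time_to_recovery(incidents)
    late = late_notifications(incidents, targets)
    findings = []
    if mttr is None:
        within = None
        findings.append(f"{supplier}: no incident records supplied; MTTR cannot be verified")
    else:
        within = mttr <= targets.mttr_target
        if not within:
            findings.append(
                f"{supplier}: MTTR {mttr.total_seconds() / 3600:.1f}h exceeds contractual "
                f"target {targets.mttr_target.total_seconds() / 3600:.1f}h")
    for ref in late:
        findings.append(f"{supplier}: incident {ref} notified outside the 24-hour clause")
    return {
        "mttr_hours": None if mttr is None else mttr.total_seconds() / 3600,
        "mttr_within_target": within,
        "late_notifications": late,
        "findings": findings,
    }


# Constructed sample data for a hypothetical supplier (not real incidents).
SUPPLIER = "EXAMPLE-SUPPLIER"
SAMPLE_INCIDENTS = [
    Incident("INC-01", datetime(2024, 3, 2, 8, 0), datetime(2024, 3, 2, 10, 30),
             datetime(2024, 3, 2, 14, 0)),    # 6h to recover, notified in 2.5h
    Incident("INC-02", datetime(2024, 5, 10, 22, 0), datetime(2024, 5, 12, 1, 0),
             datetime(2024, 5, 11, 10, 0)),   # 12h to recover, notified after 27h
    Incident("INC-03", datetime(2024, 8, 21, 9, 15), datetime(2024, 8, 21, 9, 45),
             datetime(2024, 8, 21, 16, 15)),  # 7h to recover, notified in 30 min
]

if __name__ == "__main__":
    for line in kpi_review(SUPPLIER, SAMPLE_INCIDENTS)["findings"]:
        print(line)
```

Each finding string is written so it can be pasted into the oversight record or used to update the Risk Register; the function returns the raw numbers as well so the reviewer can compare them with the supplier's own self-reported KPIs.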
Next Steps
Please note that Form IS 5C and the ISMM are available as part of the Information Security Cyber Implementation Project; for details of availability, please email team@sassofia.com.