Objectives of the Supplier Security Assurance Plan (SSA)
The Supplier Security Assurance plan (SSA) specifies how a provider complies with the cybersecurity requirements the client has defined for its organisation and its information system (IS). Every co-contractor or subcontractor involved in the cybersecurity of the service must produce an SSA.
The process must start upstream of the outsourcing itself, during procurement and as early as the request for proposals (RFP). The SSA lets the client state the IT security rules it requires of its suppliers, and therefore the guarantees it expects from them. As cloud services become dominant, this type of document is becoming standard; it derives from the client's Information System Security Policy (ISSP), in particular its supplier (third-party) component.
Example table of contents for an SSA
- Document introduction — purpose, glossary and definitions, reference and related documents
- Description of the service
- Security requirements
  - Human-resources security
    - Recruitment
    - Arrivals and departures
    - ISS awareness and training
  - Asset management
    - Asset mapping
    - Asset classification
    - Information protection
  - Logical access management
    - Access rights to resources
    - Logical IS access control
    - Permission management
    - Inactive session management
    - Access traceability
    - Identifier / authenticator management
    - Password management
    - Electronic certificate management
  - Physical security
    - Physical access control to premises
    - Physical access traceability
    - Protection of physical security zones
  - IS operation security
    - Hardening of IT resources
    - Backup and recovery
    - IT resource documentation
    - Security-patch management
    - Anti-malware controls
    - IS administration
  - Communications security
    - Communications security policy
    - Securing data transmission
    - Remote IS access
    - Internal network access from unmanaged equipment
  - Development security
    - Development rules
    - Environment segregation
    - Test data
    - Change management
  - IS maintenance
    - Maintaining IS security level
    - Maintenance security
    - End-of-life disposal
  - Third-party relationships
  - Incident and alert management
    - Technical vulnerability watch and management
    - Incident detection and management system
    - Incident and alert logging
    - Crisis management
  - Business continuity management
    - Definition, implementation and maintenance of the business continuity plan
    - Backup-data protection
    - Systems and software updates
  - Workstation security
    - Use of personal devices
    - User privileges on workstations
    - Information storage
    - Critical-data protection
    - Internet browser configuration
  - Documentation management
    - Document repository
    - Documentation management
  - Control and evaluation
    - Recurring ISSP-compliance controls
    - One-off ISSP-compliance audits
    - ISS reporting
- Human-resources security
- Security organisation
  - SSA-related responsibilities
  - SSA update procedures
- Security measures
  - Coverage of security requirements
  - Follow-up documentation

Implementing an SSA
On the client side, the sequence is: request a Supplier Security Assurance plan (SSA) from the provider, then define a questionnaire for declarative control (the provider's self-assessment against the SSA), then build a gap-analysis methodology that compares the SSA with actual practice, taking into account internal and external constraints (contracts, good practices). The SSA is both a legal and a technical document. It has become necessary for every IT service provider that wants to reassure its clients, in particular for processors under the GDPR, to whom personal data is transferred.
Our certified partners help companies build their SSA and, more broadly, a security framework. They guide clients to define their requirements, obtain guarantees from ecosystem players and then evaluate the gap between declarative statements and reality.
➡️ Digitalising SSAs with the Make IT Safe platform.
