A company runs its entire bookkeeping at a cloud provider, and that provider files for insolvency. From then on the platform is only partially available. A data export is theoretically possible, but the export function does not work reliably. The company has neither a local backup of the accounting data nor an exit strategy. The switch to a new solution takes three months — three months with restricted financial accounting.
Hardly any organisation today operates without external service providers. Cloud providers, IT service providers, payroll providers, hosting providers, software developers — dependence on third parties grows steadily. The BSI lists the failure or disruption of service providers as elementary threat G 0.11, and with 21 mapped ISO controls it is the most broadly addressed threat in this group.
What’s behind it?
When parts of your own service delivery depend on external providers, their availability becomes your own business risk. The organisation gives up part of the control — but retains full responsibility for the outcome.
Causes of failure
- Insolvency — The provider ceases operations. Especially critical for cloud services and SaaS platforms where your own data resides on the provider’s infrastructure.
- Unilateral contract termination — The provider terminates the contract with notice or demands conditions that are economically untenable. Switching to an alternative provider takes time.
- Operational problems — Personnel absence, technical disruptions, cyber attacks or natural events at the provider impair its performance capability.
- Quality deficiencies — Services delivered no longer meet the requirements. Gradual quality decline is often noticed only when a concrete incident occurs.
- Subcontractor problems — Many providers rely on subcontractors. Their disruptions or failures cascade to the client indirectly — often without transparency about the subcontractor chain.
Bringing outsourced processes back in-house can be extremely laborious. Missing documentation, proprietary data formats, lack of cooperation from the outgoing provider and insufficient internal know-how hamper the transition. In the worst case, outsourced processes are effectively non-retrievable because internal knowledge has been lost over the years.
Impact
The failure of a service provider threatens all three protection goals simultaneously. Availability suffers through service loss. Confidentiality is at risk when an insolvent provider loses control over customer data or data reaches third parties. Integrity can be affected when quality deficiencies lead to faulty data processing.
Practical examples
Cloud provider with data loss. A company uses a cloud storage service for project management. The provider suffers a severe hardware failure and loses part of the stored data. Recovery takes weeks, and some data is permanently lost. The company had relied on the provider’s backup promises and had not created its own backup.
Outsourcing provider terminates the contract. An IT outsourcing provider terminates the contract with six months’ notice because the business is no longer economical for it. The outsourced systems have grown over years and are poorly documented. Bringing them back in-house requires know-how that is no longer available internally. The search for a successor provider and the transition take much longer than six months.
Quality deficiencies at the data-centre operator. A company houses its servers in an external data centre. The operator cuts back on air-conditioning maintenance. During a record summer heatwave, the undersized cooling fails. The company’s servers overheat and go down. The operator had made no SLA commitment for air conditioning, and the company had never checked the data centre’s infrastructure since commissioning.
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 21 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)
Prevention:
- A.5.19 — Information security in supplier relationships: Contractually agree security requirements with providers.
- A.5.21 — Managing information security in the ICT supply chain: Transparency about subcontractors and their security level.
- A.5.22 — Monitoring, review and change management of supplier services: Regular review of service quality and security.
- A.5.20 — Addressing information security within supplier agreements: Security clauses, SLAs and exit strategies in contracts.
Detection:
- A.5.23 — Information security for use of cloud services: Specific requirements and monitoring for cloud providers.
- A.8.21 — Security of network services: Monitoring of externally delivered network and communication services.
Response:
- A.5.24 — Information security incident management planning and preparation: Incident response plans that include provider failures.
- A.5.29 — Information security during disruption: Business-continuity measures for the case of a provider failure.
- A.8.14 — Redundancy of information processing facilities: Fallback capacity and alternative providers.
BSI IT-Grundschutz
G 0.11 is linked in the BSI IT-Grundschutz catalogue to the following modules:
- OPS.2.3 (Use of outsourcing) — Requirements for managing outsourced IT services.
- OPS.3.2 (Offering outsourcing) — Requirements for providers delivering outsourcing services.
- OPS.2.2 (Cloud usage) — Specific requirements for the use of cloud services.
- DER.4 (Emergency management) — Business-continuity planning that includes critical providers.
Sources
- BSI: The State of IT Security in Germany — Annual report with current threat statistics
- BSI IT-Grundschutz: Elementary Threats, G 0.11 — Original description of the elementary threat
- ISO/IEC 27002:2022 Sections 5.19–5.22 — Implementation guidance on information security in supplier relationships