As part of any Third-Party Risk Management lifecycle, due diligence of the supply chain needs to be implemented either when a potential new supplier is required or as part of the regular assessment of the supply chain.
Conducting due diligence on your suppliers is the investigative process by which a third-party information security risk is reviewed to determine if it’s suitable for a given task. Due diligence is an ongoing process including review, monitoring and management communication over the entire vendor lifecycle.
Due diligence assessments need to take place to have an understanding of the risks suppliers can introduce to a company, supplemented with continuous monitoring .
Our information security consultants help you easily and cost-effectively define the real risks using a streamlined and realistic approach, ensuring that the right resources are directed in the right place. This gives you real peace of mind about all the third parties you work with and actively establishes relationships with them in the production processes.
Initial Supplier Profiling
When engaging with a supplier for the first time, a company needs to ensure their information security, privacy and compliance standards will not be put at risk by the introduction of the supplier into the chain, therefore initial profiling of the supplier needs to take place.
The consequence of accepting a supplier that does not meet your security and privacy standards could include:
- falling out of compliance with regulations such as GDPR
- put at risk certifications such as ISO 27001
- impairing your chances of securing clean audit reports, such as ISO 27001, SOC 2 Type 2 reports
- weakening your company’s ability to respond successfully to future customer’s inquiries about your security and privacy practices
- breaching contractual agreements with existing customers.
What is the impact on us if they have a data breach? The result will provide a guide as to how in-depth the assessment of the supplier is.
Our supply chain information security consultants work with customers to understand their exposure to new suppliers by assessing the:-
- Operational Risk
- Information Risk
- Service Delivery Risk
- Nth Supplier Risk, the supplier outsourcing to other suppliers
- Legislation and Regulation Compliance Risk.
Point-in-Time Assessment
- Information and Cyber Security related certifications/audits
- Supplier Self Assessment
- On-site Assessments/Audits
There are a number of ways to assess the levels of information security, privacy and compliance standards a supplier has in place. Reliance on a contract is naïve. Point-in-time assessments give assurance to the level of compliance against our customers’ standards and to complete the lifecycle of supplier information security management, on-going monitoring of suppliers is required. These can be in the format on regular assessments/questionnaires, as detailed below, or utilizing continuous cyber security rating monitoring.
Option 1 – Information and Cyber Security related certifications/audits
Has the supplier got ISO 27001 and/or Cyber Essentials certificates? Are the certificates from a recognised body and does the scope cover the services that are being delivered to you?
Ask for the ISO 27001 or SOC2 Type II audit report.
We have developed a free tool to monitor various certifications, contact us to find out more.
Option 2 – Supplier Self-Assessment
Our infosec consultants work with our customers to review the supplier’s security posture against a wide range of security domains in order to assess compliance with our customers’ minimum security requirements. Assurance is gained by reviewing the responses from the supplier.
This review only focuses on the services that are provided to our company as stated in the contract
At a minimum, you will want to make sure your vendors implement the following safeguards:
- the vendor mitigates and contains data security risks through proper separation of duties, role-based access, and least privilege access for all personnel within their supply chain.
- the vendor integrates information security controls in its support processes applicable to its contractual relationship with your organisation.
- the vendor inspects, accounts for, and corrects data-quality errors and associated risks.
- the vendor makes security incident information available to your organisation.
- the vendor ensures that its workforce members who will support your organisation—or have access to your data or information systems—have the required skills to perform their assigned responsibilities
- the vendor complies with all service-level agreements (SLAs).
The results can be presented either based on the level of compliance or the level of Capability Maturity Model Integration (CMMI) against our customer’s information security standards for their suppliers.
Option 3 – On-site Assessments/Audits
By far the most thorough, but also the most expensive, is the on-site information security. This should be reserved for the suppliers that could cause the highest impact to our customers and a high-level of information assurance is required.
We follow the same initial Supplier Self-Assessment process and reinforce the supplier declarations with an on-site audit visit to gain additional information security, privacy and compliance assurance.
If you have an information security question or would like to hear from one of our consultants, please call us now