Frequently asked questions

The Risk Ledger assessment gives your clients assurance that your organisation maintains an appropriate level of risk controls in order to protect both yourself, and them, from cyber incidents.

You have been asked to complete an assessment by your client because third-party risk management is:

• the best way to maintain a resilient supply chain;
• a requirement of regulations in your client's industry;
• a requirement of a security or business resilience certification your client holds;
• a policy mandated internally by your client as a condition of doing business with a third party; or
• a combination of the above.

You can read more about the importance of managing supply chain security risks in this article from the National Cyber Security Centre (NCSC).

No, Risk Ledger is free and always will be free for suppliers to join and use the platform to showcase their security regime to clients.

Ensuring the security of our platform and its users is central to what we do at Risk Ledger. We maintain strict security and confidentiality controls to ensure that your information remains secure. You can review Risk Ledger's security assessment yourself using the platform! Just request access by emailing support@riskledger.com.

Privacy:

The only data visible to organisations you are not connected with is your company’s name and the country it is registered in to allow connection requests to be sent and accepted.

Security:

• Encryption - All data sent to and from Risk Ledger is encrypted in transit. Our website, application and API are served over TLS/SSL, achieving A+ on Qualys SSL labs. We also encrypt all data at rest with the industry-standard AES-256.
• Cloud Infrastructure - Risk Ledger services and data are hosted within hardened cloud infrastructure, managed using Infrastructure-as-Code processes. We operate over two availability zones, with robust monitoring in place. Amazon Web Services (AWS) is our primary cloud provider.
• Authentication - Risk Ledger enforces strong authentication for both our users and employees, to protect our customers and their data. Multi-Factor Authentication (MFA) is mandatory to access the product and all our internal systems.
• Independent Security Testing - Risk Ledger undergoes regular vulnerability scanning and penetration tests by independent third-parties, testing our security controls against industry standards. In addition, all our employees complete regular information security training.

For further information on our security and privacy policy please visit the below pages:

Privacy Policy

Terms of Service

Security Profile

Your Risk Ledger assessment is only visible to the organisations you chose to share it with - nobody else. You are in complete control of your profile and data on Risk Ledger.

Organisations on Risk Ledger can request access to your assessment by sending you a connection request on the platform. They will only gain visibility of your assessment if and when an authorised user on your account has accepted the request.

The only data visible to other organisations you are not connected with is your company’s name and the country it is registered in to allow connection requests to be sent and accepted.

We have very strict confidentiality and data protection in place at Risk Ledger. Visit the links below for more information on this:

Privacy Policy

Terms of Service

Yes, once you have completed your supplier assessment, you can take advantage of the free tools we have designed to ensure your Risk Ledger assessment is the last one you ever have to complete.

You can share access to your Risk Ledger assessment at the click of a button with any other client who requires you to complete a security risk assessment so you can avoid manual spreadsheets and long email conversations about the assessment.

There are two ways in which you can share your Risk Ledger assessment, even if your client isn't a Risk Ledger user themselves:

• Connection Request - You can send and receive connection requests through the platform. Simply accept connection requests from your clients to grant them access to your assessment.
  ‍

• Share assessment outside Risk Ledger - You can share your assessment with other organisations outside of Risk Ledger who may ask you to complete a supplier assessment by navigating to the "Share" button at the top of your Assessment page when you are logged in to Risk Ledger. The button will generate a new link to your assessment.
  

You can also provide a client contact's email address and the platform will send them the new link directly. Only your assessment answers and notes are shared with the link, but not any evidence.

To access your evidence, the client can sign up to Risk Ledger for free and connect with you through the platform.

A link expires in 1 month, but can be invalidated earlier if needed by clicking the bin icon.

If your client stops using Risk Ledger or they delete the connection between your organisation and their organisation on the platform, you will no longer have an active connection with them on Risk Ledger. You can see and manage client connections while signed in to your Risk Ledger account in the "Clients" list.

Once a connection is no longer active, we keep an audit log for your client of your Risk Ledger assessment as it was at the point of deletion. This is to allow an audit trail of your client's third-party risk management activities to be maintained.

Only authorised users in your organisation manage your Risk Ledger account and data so your profile on the platform will exist unless you delete your account. As long as your organisation has an account, you can share access to your Risk Ledger assessment for the clients you choose - nobody else.

If a supplier deletes their account, all personal data is removed from Risk Ledger, and clients who were connected with that supplier have visibility of their supplier assessment as it was at the point of deletion for the purpose of an audit trail.

When you are no longer a supplier to a client you or your client can delete your connection on Risk Ledger - just click the "Remove Client" button on the client overview page. Removing a client connection will have no impact on your connection with any other client who you are connected with on Risk Ledger.

Once a connection is deleted, your supplier profile will no longer be visible to that client. We do keep an audit log available for the client of the Risk Ledger assessment as it was at the point of deletion to ensure there is an audit trail.

Clients will invite their main point of contact at your organisation, which tends to be a commercial contact. Once signed up, you are able to add an unlimited number of users to collaborate on completing the assessment. The first person to sign up on behalf of your organisation and users with 'admin' status can invite all relevant colleagues to complete sections of the assessment relevant to their role and expertise. This usually includes colleagues from the information/cyber security, IT and information governance teams.

You can see the full list of controls and domains covered in the Risk Ledger assessment here to guide you on who may need to be added as a user from your organisation to collaborate on the assessment.

‍

We have designed the Risk Ledger platform to make it easier and faster to respond to client security due diligence and assurance assessments.

By allowing suppliers to create and manage an account on the platform, Risk Ledger gives you a user friendly way to complete, evidence and maintain a comprehensive security assessment once and then easily share it with any other client who requests information about your security programme - eliminating the need to repeat this task for every client. Read more about how Risk Ledger works for suppliers here.

Once your assessment is completed, the Risk Ledger platform facilitates easy private communication between you and your client(s) about your assessment, eliminating long and confusing email trails while keeping you up to date with the status of your assessment with each client you are connected with on the platform.

As a security focused business, it is really important to us that your organisation and personal details are kept secure when you use the Risk Ledger platform. Multi-factor authentication (MFA) is one of the best ways to do this for any user account. You can read a bit more about why this is important in this article by the National Cyber Security Centre.

Switch to an Authenticator app:

If you prefer not to use a mobile number once signed up, you are able to go to your account "Settings" > "My Account" > "Configure 2FA" and connect your chosen authenticator app to the account. See this article for a list of Authenticator apps.

The Risk Ledger supplier assessment looks at risk controls implemented on an organisational level so a new profile should only be created if the security regime and management of security controls differs substantially between related legal entities or product/service lines. If there are slight differences in the implementation of security risk controls across a portfolio of products/services or between legal entities, this can be recognised in the contextual notes section of your response for the relevant risk controls.

Example - Group organisation with multiple subsidiaries

If an organisation is structured as a Group with multiple subsidiaries, each subsidiary should be able to share the same assessment on Risk Ledger if the Group manages security centrally with a Group CISO and information security resources, reflecting the fact that the security regime and its management should be the same or significantly similar across the Group.

If the subsidiaries have autonomous or semi-autonomous security leadership and independent security regimes, each autonomous subsidiary or cluster of subsidiaries sharing the same security leadership should complete their own assessment on Risk Ledger to reflect their independent security posture.

Example - An organisation has a portfolio of different products and services

If all products and service lines are developed and delivered under the same or a very similar security regime, you should be able to maintain one Risk Ledger supplier assessment to share with clients using any of your products or services. Where there are slight differences in the risk controls and policies implemented in the delivery of different products and services, you can highlight this in the contextual notes of the relevant risk controls or in direct discussions with your clients on the platform.

If your products and services are developed in distinct security environments, you should complete a new supplier assessment on Risk Ledger for each distinct security environment.

If you are unsure on how to proceed, please don't hesitate to get in touch with us directly and we'd be happy to help.

Yes, you can quickly add users to your account. To add users you will just need the email address of the colleague you would like to add.

To add a user navigate to your account Settings > Users > Add Users

Avoid adding users via shared or group email accounts.

You can provide access to the platform for multiple users by adding each one using a direct email address.

The assessment autosaves so multiple users can collaborate on the assessment at the same time without losing any progress.

The assessment is not in a pass/fail format and your answers will be compared with your clients' security policies . This allows you and your clients to have greater visibility of any gaps and to work collaboratively to remediate them.

Additionally, if you do answer 'No' to a question, you are able to add context to this answer in the notes section.

If one of your clients do require remediation of a security control, they can request this through the platform and you will be notified.

Yes, Risk Ledger allows you to switch between a Supplier and a Client view, meaning that you can switch between sharing your own assessment and running assurance on your own Suppliers. Get in touch with the team to find out more!