05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation checks that each supplier has the required level of security in controls in place before it enters into a contract with them. The Risk Ledger platform can be used for this - get in touch!
Supply chain security is the process through which companies assess the security of their suppliers and gain assurance that they are secure enough to enter into business with.
The process is split into two parts. The first part is a criticality assessment of each supplier (control J3) which is done internally within the client company. This prioritises the suppliers and defines the level of controls that the supplier has to have implemented before data can be shared with them. The criticality assessment can be thought of as defining the ‘impact’ component of the risk of the supplier undergoing a security breach.
The second part is the security review of each supplier (control J5 and J6). This consists of engaging the supplier to complete a security assessment and then the subsequent marking of the assessment to gain comfort that the supplier has implemented an appropriate level of security controls. The security assessment can be thought of as the ‘probability’ component of the risk of the supplier undergoing a security breach.
Conducting Security Due Diligence
Assessing the security maturity of a supplier involves asking the supplier to provide proof of the security controls that they have implemented internally to mitigate against the risk of a security incident. This should be done just before the supplier is procured, known as security due diligence (control J5), and then repeated every year to ensure the supplier maintains compliance (security assurance, control J6).
This process is usually completed using a security questionnaire. The criticality of the supplier defines the level of controls that the supplier needs to implement – these requirements are documented in our supplier security policies (control J4). Once the supplier’s security maturity has been assessed and compared with our policies, we then either follow-up with remediation actions (if non-compliance has been found) or we can verify that the supplier has given us comfort that they have an acceptable risk appetite.
How to implement the control
For a free copy of the Risk Ledger security questionnaire and assurance tools, or for free advice on how to comply with this control, contact us at support@riskledger.com.
We recommend that you use Risk Ledger to comply with all of your supply chain security requirements. Contact us to onboard onto our platform and save yourself a tonne of time by never having to fill in another security questionnaire again!
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
