05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Supply Chain Management Security Due Diligence
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 19, 2019

Answer yes if your organisation conducts relevant security due diligence against each supplier that it works with. The Risk Ledger platform can be used for this - get in touch!

Supply chain security is the process through which companies assess the security of their suppliers and gain assurance that they are secure enough to enter into business with.

The process is split into two parts. The first part is a criticality assessment of each supplier (control L3) which is done internally within the client company. This prioritises the suppliers and defines the level of controls that the supplier has to have implemented before data can be shared with them. The criticality assessment can be thought of as defining the ‘impact’ component of the risk of the supplier undergoing a security breach.

The second part is the security review of each supplier (control L5 and L6). This consists of engaging the supplier to complete a security assessment and then the subsequent marking of the assessment to gain comfort that the supplier has implemented an appropriate level of security controls. The security assessment can be thought of as the ‘probability’ component of the risk of the supplier undergoing a security breach.

Conducting Security Due Diligence

Assessing the security maturity of a supplier involves asking the supplier to provide proof of the security controls that they have implemented internally to mitigate the risk of a security incident. This should be done just before the supplier is procured, known as security due diligence (control L5), and then repeated every year to ensure the supplier maintains compliance (security assurance, control L6).

This process is usually completed using a security questionnaire. The criticality of the supplier defines the level of controls that the supplier needs to implement – these requirements are documented in our supplier security policies (control L4). Once the supplier’s security maturity has been assessed and compared with our policies, we then either follow up with remediation actions (if non-compliance has been found) or we record that the supplier has given us comfort that the risk they present is within our risk appetite.
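The two-part process above (criticality assessment as the impact component, questionnaire review as the probability component, compared against tiered policy requirements) can be expressed as a small gap-analysis routine. The following is an added illustration, not Risk Ledger's platform code or questionnaire: the control names, the impact scoring (data sensitivity multiplied by business dependency), the tier thresholds and the two sample suppliers are all constructed for the example.

```python
"""Worked example of supplier security due diligence as described above:
criticality assessment (impact) -> tiered control requirements ->
questionnaire review (probability) -> remediation or acceptance.
All control names, thresholds and suppliers below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed supplier security policy: each criticality tier requires a
# cumulative set of controls before data may be shared with the supplier.
REQUIRED_CONTROLS = {
    "low": {"acceptable_use_policy", "mfa_on_admin_access"},
    "medium": {"acceptable_use_policy", "mfa_on_admin_access",
               "encryption_at_rest", "incident_response_plan"},
    "high": {"acceptable_use_policy", "mfa_on_admin_access",
             "encryption_at_rest", "incident_response_plan",
             "annual_penetration_test", "independent_certification"},
}

# Constructed review date, used so the annual assurance date is reproducible.
REVIEW_DATE = date(2019, 9, 19)


@dataclass
class Supplier:
    name: str
    data_sensitivity: int      # 1 (public data only) .. 5 (regulated personal data)
    business_dependency: int   # 1 (easily replaced) .. 5 (single point of failure)
    responses: dict = field(default_factory=dict)  # control -> True if evidence supplied


def criticality(supplier: Supplier) -> str:
    """Impact component: the client's internal criticality assessment."""
    impact = supplier.data_sensitivity * supplier.business_dependency  # 1..25
    if impact >= 15:
        return "high"
    if impact >= 6:
        return "medium"
    return "low"


def control_gaps(supplier: Supplier, tier: str) -> list:
    """Required controls the questionnaire responses did not evidence."""
    return sorted(c for c in REQUIRED_CONTROLS[tier]
                  if not supplier.responses.get(c, False))


def assess(supplier: Supplier, reviewed_on: date = REVIEW_DATE) -> dict:
    """Security review: compare maturity against policy, then decide."""
    tier = criticality(supplier)
    gaps = control_gaps(supplier, tier)
    # Probability component: share of the required controls that are missing.
    likelihood = len(gaps) / len(REQUIRED_CONTROLS[tier])
    decision = "approve" if not gaps else "remediate_before_sharing_data"
    return {
        "supplier": supplier.name,
        "criticality": tier,
        "gaps": gaps,
        "likelihood": round(likelihood, 2),
        "decision": decision,
        # Security assurance: repeat the review every year (control L6).
        "next_assurance_review": reviewed_on + timedelta(days=365),
    }


# Constructed sample suppliers with constructed questionnaire responses.
PAYROLL_SAAS = Supplier(
    "Example Payroll SaaS", data_sensitivity=5, business_dependency=4,
    responses={"acceptable_use_policy": True, "mfa_on_admin_access": True,
               "encryption_at_rest": True, "incident_response_plan": True},
)
STATIONERY = Supplier(
    "Example Stationery Ltd", data_sensitivity=1, business_dependency=1,
    responses={"acceptable_use_policy": True, "mfa_on_admin_access": True},
)

if __name__ == "__main__":
    for s in (PAYROLL_SAAS, STATIONERY):
        print(assess(s))
```

The payroll supplier lands in the high tier, so two of its six required controls are reported as gaps and the outcome is a remediation action rather than approval; the stationery supplier only needs the low-tier controls, evidences both, and is approved with an assurance review scheduled a year later.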

How to implement the control:
For a free copy of the Risk Ledger security questionnaire and assurance tools, or for free advice on how to comply with this control, contact us at info@riskledger.com. We recommend that you use Risk Ledger to comply with all of your supply chain security requirements. Contact us to onboard onto our platform and save yourself a tonne of time by never having to fill in another security questionnaire again!

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.