06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation checks that suppliers are continually meeting their security requirements whilst you are in contract with them, through regular assurance process (e.g. quarterly, annually). Please give details of your current process. The Risk Ledger platform can make this easier for you - get in touch!
Supply chain security is the process through which companies assess the security of their suppliers and gain assurance that they are secure enough to enter into business with.
The process is split into two parts. The first part is a criticality assessment of each supplier (control I3) which is done internally within the client company. This prioritises the suppliers and defines the level of controls that the supplier has to have implemented before data can be shared with them. The criticality assessment can be thought of as defining the ‘impact’ component of the risk of the supplier undergoing a security breach.
The second part is the security review of each supplier (control I5 and I6). This consists of engaging the supplier to complete a security assessment and then the subsequent marking of the assessment to gain comfort that the supplier has implemented an appropriate level of security controls. The security assessment can be thought of as the ‘probability’ component of the risk of the supplier undergoing a security breach.
Conducting Security Due Diligence
Assessing the security maturity of a supplier involves asking the supplier to provide proof of the security controls that they have implemented internally to mitigate against the risk of a security incident. This should be done just before the supplier is procured, known as security due diligence (control I5), and then repeated every year to ensure the supplier maintains compliance (security assurance, control I6).
This process is usually completed using a security questionnaire and repeated each year. The criticality of the supplier defines the level of controls that the supplier needs to implement – these requirements are documented in our supplier security policies (control I4). Once the supplier’s security maturity has been assessed and compared with our policies, we then either follow-up with remediation actions (if non-compliance has been found) or we can verify that the supplier has given us comfort that they have an acceptable risk appetite.
How to implement the control
For a free copy of the Risk Ledger security questionnaire and assurance tools, or for free advice on how to comply with this control, contact us at support@riskledger.com.
We recommend that you use Risk Ledger to comply with all of your supply chain security requirements. Contact us to onboard onto our platform and save yourself a tonne of time by never having to fill in another security questionnaire again!
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
