Supplier Due Diligence – do your existing suppliers take security seriously?
As businesses become more reliant upon their suppliers within the digital age, it is essential that these relationships are reviewed and monitored to ensure security is being addressed and improved.
Companies conducting new business will usually put their new suppliers through a vigorous due diligence process which can involve questionnaires, audits and requirements for adherence to frameworks like Cyber Essentials and ISO 27001 however this is not always the case for existing relationships, especially those that been connected with the company for a long time i.e. utilities and outsourced solution providers.
The ISO 27001 framework contains a whole section within Annex A dedicated just to supplier due diligence as looks for a process similar to the below:
For Cyber Essentials and Cyber Essentials Plus there is a requirement that all third-party suppliers that provide cloud/ shared services have had an independent audit and are able to provide evidence of their certification.
It is useful to use a checklist to ensure these steps are followed and all suppliers have completed the process. This requirement should be documented within the Supplier Security Policy and distributed to all staff members involved with third parties and it is also likely to contain the requirements of the employees and could also detail particular requirements for specific relationships.
If you would like to learn more about our services, please click here or contact us at marketing@2-sec.com or call our office on 020 7877 0060.
Written by E.Spenwyn