5 Steps to Improve Your Supplier Information Security Risk Management


Your security is often only as good as that of your suppliers and the other providers in your supply chain. Suppliers pose a significant risk to your organisation's information security posture. If suppliers have access to your sensitive information, including personally identifiable information (PII), and do not have adequate security controls and practices in place, they could accidentally or deliberately expose that information to unauthorised parties. 'Adequate' here means adequate by your definition, based on your risk appetite, not what your suppliers deem to be appropriate. There is also the additional threat that a compromise of a supplier's systems could lead to your own systems and information being compromised, for example through the network access, credentials or software the supplier provides to you.

As such, it is essential to thoroughly assess the information security and data protection risks attached to each of your suppliers and to implement measures proportionate to those risks. Based on the information a supplier has access to or processes on your behalf, you need to decide what controls you expect them to have in place. Managing information security and data protection risks from suppliers and the wider supply chain can be a complex task, but there are a number of actions you can take to mitigate those risks.

In this webinar, we will present and discuss 5 key steps you can take to improve your supplier risk management.

  • Categorise Suppliers Based on Risk: Not all suppliers are the same. They should be categorised based on the sensitivity of the data they handle or have access to and the potential impact on your organisation if a breach occurs. URM will advise on how to approach categorising suppliers, which will help you determine the appropriate level of due diligence, monitoring and auditing required.
  • Conduct Supplier Due Diligence: The initial due-diligence assessment of potential critical suppliers is key to evaluating their policies, procedures and controls. The pros and cons of using assessment tools will be discussed.
  • Introduce Contractual Safeguards: URM will discuss some of the clauses you need to include within supplier contracts and agreements, including requirements for suppliers to conform or certify to ISO 27001 and to demonstrate GDPR compliance, as well as to agree to audit rights and incident response protocols.
  • Carry out Regular Audits: Having identified and assessed your most critical suppliers, it is imperative that you audit them regularly to ensure they are meeting the specified contractual requirements. URM will discuss the evidence you should be auditing, e.g., penetration test reports.
  • Develop and Exercise Incident Management Plans: It is recommended that you develop and exercise incident management plans and, where appropriate, involve your most critical suppliers in those exercises. We will provide some ideas on scenarios you may want to use in your exercises.

Register for the event

Please note, we can only process business email addresses.

Did you miss the live event? Do not worry. We have recorded the webinar for you. Please register using the form below and we will provide you with the link to the recorded webinar when ready.


Register to watch recording
