Managing Supplier Risk
Surveys and reviews of information security incidents typically highlight third parties as one of the major sources of issues and breaches (e.g. the PwC Information Security Survey), and URM believes that many of these could be avoided if organisations improved their due diligence process. URM has repeatedly found that the due diligence process does not adequately cover the key information security risks introduced by working with a third party. Sometimes this is because information security risks are not adequately considered within the onboarding process, but often it is because the due diligence process does not take account of changes within existing or approved third parties. Once a supplier has been approved, for example, it can expand the range and type of services it provides, or undergo organisational change, and both can have a significant impact on information security risk. With this in mind, it is essential that any third-party risk management process is continuous, whilst at the same time being manageable and not unduly onerous.
URM suggests the following to ensure that third-party risk is appropriately evaluated and treated:
- With limited resources available for any third-party due diligence process, it is critical that a risk-based approach is adopted.
- Start by segmenting your suppliers – e.g. by service type, criticality and the type of information they have access to.
- Develop a tailored questionnaire – one appropriate to the supplier (i.e. based on the services they provide to you and the potential impact they could cause). Tailored questionnaires with relevant, succinct questions are far more likely to be completed than lengthy, time-consuming, universal documents.
- Review their responses – as only applicable questions are sent, take time to understand the controls a supplier has in place and determine whether these meet your risk appetite.
- Make risk-based decisions – work with your suppliers to improve controls, or implement mechanisms internally to overcome any shortcomings. With critical providers, consider whether follow-up onsite audits need to be conducted.
- Establish timescales to ensure the review is not a one-off activity and that agreed remediation is completed on schedule.
- Communicate the due diligence process throughout the organisation and ensure the process ties into existing procurement processes.
To aid organisations, URM has developed a supplier risk management module within its Abriska portfolio, which is closely aligned to ISO 27036, the international standard for managing third-party information security risk. Abriska 27036 is a web-based software tool that automates the supplier questionnaire process and ensures that a tailored questionnaire is sent out.