What is the Purpose of Abriska 27036?
In URM’s experience, organisations often struggle with the challenge of conducting supplier due diligence when faced with assessing a wide and diverse range of suppliers and partners. Frequently, a single ‘one size fits all’ questionnaire is sent to all suppliers, irrespective of how critical that supplier is. When a single, common questionnaire is used, it will inevitably lack the detail required for critical suppliers and be too detailed and inappropriate for low-risk suppliers.
The purpose of Abriska 27036 is to help you improve both the effectiveness and efficiency of your supplier information security due diligence process. This is achieved by providing you with the capacity to tailor your question set and ask more in-depth questions of suppliers who have access to more sensitive or critical information. The core set of questions that form the due diligence have been developed by URM’s team of information security and data protection practitioners and are closely aligned to both ISO 27001 and ISO 27036*.
Another aspect of supplier due diligence that can be particularly challenging is the administrative overhead involved in sending out questionnaires, chasing for responses and then conducting the initial triage of responses. Abriska is adept at carrying out these activities and, during the initial triage, can add value by applying further weight to certain questions.
* ISO 27036 is a multi-part International Standard which provides detailed implementation guidance on such controls.
What Type of Organisation is Abriska 27036 Particularly Suited to?
Abriska 27036 is the ideal web-based tool for any organisation which has a range of suppliers, some of which have direct or indirect access to its information and information systems, and any organisation which is looking to improve both the effectiveness and efficiency of its supplier due diligence processes. Abriska will enable your organisation to improve effectiveness by categorising and tailoring its assessment of suppliers, and to improve efficiency by automating the distribution and analysis processes. The tool is also ideally suited to those organisations looking to comply with the supplier relationship controls of ISO 27001.
What are its Key Features?
- Supplier risk management dashboard – managing all suppliers through a single register
- Customised questions based on business needs and the role of supplier/partner and adding branch questions as required
- Categorised question sets to ensure suppliers are asked questions relevant to the service they are providing
- Suppliers can also be allocated to a critical category based on the information they process – the higher-risk category suppliers can then be asked more comprehensive and searching questions
- Supplier questionnaires are generated by Abriska and managed through the user interface. Suppliers can share the questionnaire (within their organisation/domain) to gather all the relevant information from different areas of the organisation.
- Questions are weighted according to sensitivity and relevance, and a risk score can automatically be generated once the third party has completed the questionnaire (any free text questions will require some organisational input to score the reply)
- Reminders and chasers can be configured and sent automatically as required.
- Provides management with concise supplier reports
- Documents can be uploaded to support answers (policies, processes, proof, certificates, etc.)
What are its Benefits (Vis-à-Vis Competitors)?
One of Abriska 27036’s unique and compelling attributes is its ability to precisely target the information you need from third parties in order to better determine what risks they pose to your organisation. Whilst it is pre-populated with a set of best practice questions by URM’s consultants, you are able to add, subtract or tailor questions according to the service provided, e.g. PII, financial, IP related. In addition, you have the capability to weight questions according to the importance of specific controls. Abriska is also particularly effective in automating the distribution of questionnaires, chasing for responses and then completing the initial triage. All suppliers are managed through a single risk register, giving management full oversight of every supplier and their levels of risk to the business. Abriska has the capacity to present information graphically, providing management with data which is concise and can be easily absorbed. Parameters are configured at the beginning of Abriska’s set up to ensure the whole organisation adopts the same approach and scoring method for third parties, ensuring the consistency and quality of results.
How Does Abriska Work?
Abriska comes pre-populated with a core set of questions which are aligned with the controls of ISO 27001 and which have been augmented with additional questions devised by URM’s senior information security and data protection consultants. Abriska enables ‘categories’ to be set up according to the type and sensitivity of information and/or information systems which suppliers and third parties have access to, e.g. hard copy vs electronic information or PII, or financial information. As such, when you are carrying out your due diligence on new suppliers, you can assign them to different categories so they will then only receive a specific set of targeted and relevant questions. With Abriska, you not only have the flexibility to select the number and type of questions (closed, open, etc.), but also the depth of questions (e.g. branch questions). Furthermore, you have the ability to apply greater ‘weighting’ to questions and controls which are more important. The end result is that each respondent will receive an appropriate set and number of questions. Once the questionnaire and weighting have been determined, the supplier is sent an introduction email in order to determine who will be responsible for completing the assessment questionnaire. Once the respondent is provided with access to the questionnaire, the relationship manager has oversight of the progress being made in completing the questionnaire and can chase if necessary. Once completed, any manual assessment of free text questions (if required) can be made by the relationship manager and an overall risk score can be generated. From here, you can decide on your risk treatment options and create any actions for either you or the supplier.
How Does it Assess Risks?
With an Abriska 27036 questionnaire, there are a number of features which enable you to conduct tailored risk assessments according to the sensitivity of information third parties have access to. Firstly, you can target the subject area when setting questions and ask as many questions as you feel is appropriate. You can also apply greater weight to certain questions and responses, e.g. ‘Is your organisation certified to ISO 27001?’ Once all the questions have been completed, the individual weighted questions can be added together to give an aggregate % risk score, which can then be compared against your risk appetite for that category of supplier.
How Does it Treat Risks?
Risks are treated and tracked in line with the organisation’s risk acceptance criteria. Most red risks are not acceptable and must be treated in all organisations. Risk actions are then created against the supplier; this could result in an action for the supplier to implement or improve an information security control, e.g. technical, people or policy/process based. Alternatively, it could mean your organisation may need to find a new supplier if the current supplier is not viable. The treatment of these risks can also mean that the risk assessment (completion of the questionnaire) needs to be conducted more frequently to ensure the supplier has made the required improvements.
What are the challenges of information security supplier risk management and supplier due diligence?
As we process more and more information, be that client, financial, product or HR, we find ourselves increasingly dependent upon suppliers and other third parties. Such parties may have either direct or indirect access to our organisation’s information and information systems, or may be providing software, hardware, processes or human resources that will be involved in information processing. So, when you assess the security and the privacy of your information, you need to ensure you fully assess the risks posed by suppliers and others. As with the adage ‘you are only as strong as your weakest link’, suppliers may well represent your greatest vulnerability. As such, the supplier due diligence aspect of risk management is absolutely paramount in ensuring that your suppliers have the required and appropriate measures in place for information security, privacy and data protection. One of the key challenges in conducting supplier due diligence, however, is ensuring that your assessment (often in the form of questionnaires) is tailored to the role of that supplier or third party and what information they have access to. Many organisations use the same questionnaire for all suppliers. This results in something which is overkill for low-risk suppliers (e.g. suppliers of office stationery) and not sufficiently detailed for a high-risk supplier or partner (e.g. new hosting provider).
How can supplier risk management software or tools help?
Supplier risk management software can help organisations automate due diligence and monitoring tasks and centralise risk management in one place. In addition, risk management processes can be streamlined and efficiency can be significantly improved, particularly in repetitive and time-consuming administrative tasks. Reporting is another area where risk management software can dramatically reduce the time and effort involved.