What is the Purpose of Abriska 27036?
In URM’s experience, organisations often struggle with the challenge of conducting supplier due diligence when faced with assessing a wide and diverse range of suppliers and partners.
Frequently, a single ‘one size fits all’ questionnaire is sent to all suppliers, irrespective of how critical that supplier is. By utilising a single, common questionnaire it is inevitable that it will lack the required detail for critical suppliers and will be too detailed and inappropriate for low-risk suppliers.
The purpose of Abriska 27036 is to help you improve both the effectiveness and efficiency of your supplier information security due diligence process. This is achieved by providing you with the capacity to tailor your question set and ask more in-depth questions of suppliers who have access to more sensitive or critical information.
The core set of questions that forms the due diligence assessment has been developed by URM’s team of information security and data protection practitioners and is closely aligned to both ISO 27001 and ISO 27036*.
Another aspect of supplier due diligence that can be particularly challenging is the administrative overhead involved in sending out questionnaires, chasing for responses and then conducting the initial triage of responses.
Abriska automates these activities and, during the initial triage, can add value by giving further weight to certain questions.
* A multi-part International Standard which provides detailed implementation guidance on supplier relationship controls.
What Type of Organisation is Abriska 27036 Particularly Suited to?
Abriska 27036 is the ideal Web-based tool for any organisation which has a range of suppliers, some of which have direct or indirect access to its information and information systems, and any organisation which is looking to improve both the effectiveness and efficiency of its supplier due diligence processes.
Abriska will enable your organisation to improve the effectiveness by categorising and tailoring its assessment of suppliers and improve efficiency by automating the distribution and analysis processes. The tool is also ideally suited to those organisations looking to comply with the supplier relationship controls of ISO 27001.
What are its Key Features?
- Supplier Risk Management Dashboard – all suppliers are managed through a single register.
- Customised Question Sets – questions are customised to business needs and the role of the supplier/partner, with branch questions added as required, and question sets ensure suppliers are asked questions relevant to the service they are providing.
- Critical Category Allocated Based on Processed Information – suppliers can also be allocated to a critical category based on the information they process; the higher-risk category suppliers can then be asked more comprehensive and searching questions.
- Supplier Questionnaires Generated and Managed Through the User Interface – supplier questionnaires are generated by Abriska® and managed through the user interface. Suppliers can share the questionnaire (within their organisation/domain) to gather all the relevant information from different areas of the organisation.
- Questions Weighted According to Sensitivity and Relevance – questions are weighted according to sensitivity and relevance, and a risk score can automatically be generated once the third party has completed the questionnaire (any free text questions will require some organisational input to score the reply).
- Reminders and Chasers – reminders and chasers can be configured and sent automatically as required.
- Concise Supplier Reports – provides management with concise supplier reports.
- Upload Documents Freely – documents can be uploaded to support answers (policies, processes, proof, certificates, etc.).
What are its Benefits?
- Proven and Robust – One of Abriska 27036’s unique and compelling attributes is its ability to precisely target the information you need from third parties in order to better determine what risks they pose to your organisation.
- Consistent and Repeatable – The tool is designed with best practice in mind by URM’s consultants, allowing customisation of questionnaires, categorisations and the associated methodology. The system comes pre-configured with defaults to guide the user. Abriska also has the capacity to present information graphically, providing management with data which is concise and can be easily absorbed.
- Cost and time saving – Abriska is particularly effective in automating the distribution of questionnaires, chasing for responses and then completing the initial triage. All suppliers are managed through a single risk register giving management full oversight of every supplier and their levels of risk to the business.
How Does Abriska Work?
Abriska comes pre-populated with a core set of questions which are aligned with the controls of ISO 27001 and which have been augmented with additional questions devised by URM’s senior information security and data protection consultants.
- Abriska enables ‘categories’ to be set up according to the type and sensitivity of information and/or information systems which suppliers and third parties have access to, e.g. hard copy vs electronic information, PII, or financial information. As such, when you are conducting your due diligence on new suppliers, you can assign them to different categories so that they only receive a specific set of targeted and relevant questions.
- You not only have the flexibility to select the number and type of questions (closed, open, etc.), but also the depth of questions (e.g. branch questions). Furthermore, you can apply greater ‘weighting’ to questions and controls which are more important.
- The end result is that each respondent will receive an appropriate set and number of questions. The relationship manager has oversight of the completion of the questionnaire and can chase if necessary.
- From here, you can decide on your risk treatment options and create any actions for either you or the supplier.
How Does it Assess Risks?
With an Abriska 27036 questionnaire, there are a number of features which enable you to conduct tailored risk assessments according to the sensitivity of information third parties have access to.
Firstly, you can target the subject area when setting questions and ask as many questions as you feel are appropriate. You can also apply greater weight to certain questions and responses, e.g. ‘Is your organisation certified to ISO 27001?’
Once all the questions have been completed, the individual weighted questions can be added together for an aggregate % risk score which can then be compared against your risk appetite for that category of supplier.
How Does it Treat Risks?
Risks are treated and tracked in line with the organisation’s risk acceptance criteria. The aggregate risk score is colour coded according to your predefined risk appetite, e.g., a red, amber or green rating.
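The scoring approach described above (category-specific question sets, weighted questions summed into an aggregate percentage, compared against a per-category risk appetite and colour coded) can be illustrated in a few lines of Python. This is an added example, not Abriska’s code or algorithm; the categories, questions, weights, answer scale and RAG thresholds are all constructed for illustration.

```python
"""Weighted supplier-risk scoring in the style the page describes (illustrative only)."""
from dataclasses import dataclass


@dataclass
class Question:
    qid: str
    text: str
    weight: int            # assumed: higher weight = more important control
    categories: set        # assumed supplier categories that receive this question
    free_text: bool = False  # free-text replies need organisational input before scoring


# Constructed question bank. Answer scale (assumed): 0.0 = control fully in place,
# 1.0 = control absent, so a larger fraction means more risk.
QUESTIONS = [
    Question("iso", "Is your organisation certified to ISO 27001?", 3, {"low", "pii", "financial"}),
    Question("enc", "Is personal data encrypted at rest and in transit?", 4, {"pii"}),
    Question("ir", "Describe your incident notification process.", 2, {"pii", "financial"}, free_text=True),
    Question("train", "Do staff complete annual security awareness training?", 1, {"low", "pii", "financial"}),
]

# Constructed risk appetite per category: (amber threshold %, red threshold %).
# Higher-sensitivity categories tolerate less, so the same answers rate worse.
APPETITE = {"low": (40, 70), "pii": (20, 40), "financial": (25, 50)}


def questions_for(category):
    """The tailored question set a supplier in this category receives."""
    return [q for q in QUESTIONS if category in q.categories]


def aggregate_score(category, answers):
    """Aggregate risk score in percent: sum(weight * risk) / sum(weight).

    `answers` maps qid -> risk fraction in [0, 1]. Free-text questions must
    have been scored manually already; any unscored question is an error,
    because a partial total would silently understate the risk."""
    qs = questions_for(category)
    missing = [q.qid for q in qs if q.qid not in answers]
    if missing:
        raise ValueError(f"unscored answers for {category}: {missing}")
    weighted = sum(q.weight * answers[q.qid] for q in qs)
    return round(100 * weighted / sum(q.weight for q in qs), 1)


def rag_rating(category, score):
    """Colour code the score against the category's risk appetite."""
    amber, red = APPETITE[category]
    return "red" if score >= red else "amber" if score >= amber else "green"
```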
A risk treatment decision (e.g., whether to reduce, accept, avoid or transfer the risk) is then recorded and appropriate actions can then be entered into the system; this could result in an action for the supplier or an individual within the organisation to implement an improvement.
The treatment of these risks can also mean that a risk assessment (completion of the questionnaire) needs to be conducted more frequently to ensure the supplier has made the required improvements.