Auditing your suppliers and ensuring that their business practices align with your own organisation’s compliance can be a daunting task – even for those with minimal supply chains. What if your supply partner is based in another country, or another continent? What if your supply partner requires you to go through bureaucratic hurdles and hoops so as to get them to fulfil your request? Where does one even start to question their suppliers?
The 2019 Cyber Security Breaches Survey shares a range of interesting comments from businesses as to why companies do not carry out supplier compliance requests. “Trust”, “lack of resources” and “lack of guidance/knowledge” seem to be the key reasons given for not carrying out checks and balances across the supply chain. Typical responses include:
“We just trust them. They’ve been in business for a long time. They run huge events. They are world renowned and respected. We have faith based on that.”
“You don’t know what to ask. I would just trust that my suppliers wouldn’t breach anything. So, it would help to get some guidance.”
These were just some of the responses to this question in the survey. Below are a few tips to help organisations ask the right questions:
Tip 1: What Access Controls Are In Place?
How does your supplier prevent unauthorised access to information processed on your behalf, or exchanged between you and them? How do they audit those access checks? What physical access controls are in place? If they are part of a larger organisation, what controls prevent data being leaked to other business units outside of what has been contracted?
Tip 2: Assessing Data Protection obligations.
What Data Protection Laws apply to the supplier who you are working with? What other laws does your supplier have to comply with in order to operate their business function?
Tip 3: Documenting any Accreditations/standards that the supplier conforms to.
For example, are the information security policies and procedures that your supplier conforms to in accordance with an Information Security Management System as defined in ISO 27001? (If so, when were they last audited?)
Tip 4: Revisiting your existing contract and wording.
Does it include specific responsibilities and service level agreements that the supplier will adhere to in the event of a security breach or compromise affecting information exchanged between them and your organisation?
Tip 5: Hiring & Training of Staff.
If your supplier’s staff are working as your outsourced representatives, is there a need for the supplier to carry out the same vetting and training checks that your organisation applies to its own internal staff?
Of course, these are just a few suggestions and are designed to spark the conversation within your organisation. What also needs to be taken into consideration is how the organisation monitors its supply chain.
Martin De Bruin, CEO of Deslyon, comments:
“The challenge faced by many organisations is that with new laws, regulations and an ever-changing compliance landscape, appropriate resource and expertise are needed in order to ask the right questions. For example, accountability under the EU GDPR means that organisations must implement appropriate technical and organisational measures in order to fulfil their governance obligations.”
To discuss how Deslyon can help your business deploy the appropriate technical and organisational measures, email firstname.lastname@example.org.