With data security concerns moving to the top of the corporate risk agenda, organisations are seeking better ways of controlling the key security risks in their supply chain. This is especially true for complex supply chains, which can span multiple countries and continents. One of the challenges of supply chain assurance is to strike the right balance between the extent of assurance and its cost.
One of IT Governance’s directors, Steve Watkins, takes stock of the options for effective supply chain assurance:
- Terms and conditions
Simply adding a confidentiality clause to a contract is the cheapest option short of the ill-informed ‘do nothing’. The downside is that it is about as effective as an end-user licence agreement for a home user: experience suggests it is doubtful that your supplier reads, understands and then complies with the requirements. A clause of this kind gives you a remedy after information has been mishandled; on its own it does nothing to prevent the mishandling.
Most suppliers, like home users, fall at the first hurdle. Either they are blinded by the financial reward, or (in the case of the home user) they are so eager to use the software that they fail to take note of the obligations they are committing to, let alone put measures in place to observe them.
- Supplier questionnaire
Supplier questionnaires vary greatly – from the simple checklist that enquires whether a (potential) provider ‘does’ x, y or z, through to requiring a description of how x, y or z is implemented.
Only in a few unusual cases is the supplier required to provide evidence for its claims in order to give weight to the responses.
This approach demands more time and effort from the client than simply relying on contractual terms and conditions. The client has to develop the questionnaire and, ideally, read and analyse the response every time it is completed, while the supplier is expected to invest time and effort in completing and returning it.
Whatever the extent and focus of the questions, the whole approach relies on the supplier being transparent and open. Again, experience suggests that some responses are susceptible to inaccuracy when a contract is at stake. The practical safeguard is to ask for evidence (a policy document, a recent test report, a certificate) behind the handful of answers that matter most, rather than accepting a ‘yes’ in a tick box.
- Supplier audits
The ‘Rolls-Royce’ of assurance, with the associated costs. Not only does the client need to develop or buy in the expertise and resource required to conduct a full-scale audit, but the supplier has to make suitable interviewees available to respond.
There is little doubt that this offers the client the greatest insight into how the supplier will look after the information with which it is entrusted, but it also costs the client what is, in most cases, a prohibitive amount, and the insight is only a snapshot of the supplier on the day of the audit.
- Certification to a recognised standard by an independent third party
The intermediate position that many favour is a widely recognised scheme in which an independent organisation (a certification body) audits the potential supplier against a recognised standard and, if it deems the supplier compliant with that standard, awards a certificate that says so. What is more, the certification body is itself subject to audit to ensure it is playing by the accepted rules: under the worldwide accredited certification scheme, a national accreditation body assesses the certification body’s competence and impartiality.
Cost-wise, the supplier bears the brunt. However, it can use a single certification to satisfy most of its clients and potential clients.
Regulators are increasingly using national and international standards such as ISO 27001, and the relative economy of requiring accredited certification, as a means of controlling practices in their sector. Once an influential minority in any one sector adopts a standard, it rapidly becomes the ‘qualifier’ for trading.
Of course, accredited certification can’t be achieved overnight; it means something precisely because it takes time to earn. There will always be those offering an empty badge that is not part of a recognised scheme, but those who put weight on the accredited scheme are becoming wiser and know what to look for: the accreditation body’s mark on the certificate, a scope statement that actually covers the service being bought, and an expiry date that has not passed.
How IT Governance can help
IT Governance is a leading global provider of ISO 27001 consultancy, training, tools and resources. We advise global businesses on their most critical issues and offer cost-saving and risk-reducing solutions based on international best practice and frameworks.
Our combination of technical expertise and a solid track record in international management system standards means we can deliver a complete solution and manage the project from start to finish.
Our team has led ISO 27001 implementations since the inception of the Standard, when two of our directors led the world’s first successful certification of an ISO 27001 ISMS. To date, we have helped more than 400 companies achieve certification.
Blog post adapted from an original post written by Steve Watkins.