With mandatory breach-disclosure requirements becoming more common in legislation, there is an understandable trend of organisations looking to their supply chain for assurances about the data privacy measures suppliers offer.
In my latest blog post, I provided guidance on how to validate a vendor's ISO 27001 compliance claim. Following the publication of that post, I received another good question on supply chain assurance from an attendee on the ISO 27001 Certified Lead Implementer Masterclass, asking about alternative means of obtaining security assurances from suppliers …
One of the challenges of supply chain assurance is striking the right balance between the extent of assurance obtained and the cost of obtaining it. A number of options exist:
Terms and conditions
Simply adding a confidentiality clause to a contract is the cheapest option beyond the ill-informed ‘do nothing’. The downside is that it is about as effective as a software licence for a home user: experience suggests it is doubtful that your supplier reads, understands and then complies with the requirements.
Most suppliers, like most users, fall at the first hurdle. Either they are blinded by the financial reward or (in the case of the domestic user) overcome by the desire to use the game or software, and so fail to take note of the obligations they are committing to, let alone actually put measures in place to observe them.
Supplier questionnaires
The quality of assurance provided by supplier questionnaires varies greatly, from the simple checklist approach that asks whether a (potential) provider ‘does’ x, y or z, through to requiring a description of how x, y or z is implemented. In a few very unusual cases, the supplier is required to provide evidence to give weight to its responses. This approach requires more time and effort from the client than simply relying on contractual terms and conditions: the client has to develop the questionnaire and, ideally, read and analyse the response, while the supplier has to invest time and effort in completing and returning it. Whatever the extent and focus of the questions, the whole approach relies on the supplier being transparent and open – and again, experience suggests some are susceptible to inaccuracy because of the potential rewards.
Audit by the client
This is the ‘Rolls Royce’ of assurance, with the associated costs. Not only does the customer need to develop or buy in the expertise and resource required to conduct an audit, but the supplier has to offer up suitable interviewees to respond. There is little doubt that this gives the client the greatest insight into how the supplier looks after the information with which it is entrusted, but it also costs what is, in most cases, a prohibitive amount.
Audit/certification to a recognised standard by a recognised third party
The middle position that many favour is the use of a widely recognised scheme in which an independent organisation audits the potential supplier against a recognised standard and, if it deems the potential provider compliant with that standard, awards a certificate that says so. What is more, the ‘independent organisation’ is itself subject to audit to ensure it is playing by the accepted rules; in this case, the worldwide recognised accredited certification scheme. Cost-wise, the supplier bears the brunt. However, it can use the single certification to satisfy most of its clients and potential clients, with only a small proportion wanting further information.
While there may be some problems with this too – the variability of the auditors who work for the audit bodies, differing interpretations of the standard and a common misunderstanding of what ‘accredited certification’ actually means – it undoubtedly provides a degree of assurance and a framework for further communication and discussion.
Regulators are increasingly using national and international standards (e.g. ISO 27001, ISO 22301, ISO 9001, ISO 5001, ISO 20000, ISO 38500 etc.) and the relative economy of requiring accredited certification as a means of controlling practices in their sector. Once an influential minority in any one sector has adopted a standard, it rapidly becomes the ‘qualifier’ for trading.
Of course, accredited certification can’t be achieved overnight – the fact that it means something reflects that it takes time to earn. There will always be those offering an empty badge that is not part of a recognised scheme, but those who put weight on the scheme are becoming wiser and know what to look for.
If you need help with supply chain assurance or are looking to achieve certification to an internationally recognised standard, contact the IT Governance Consultancy team on +44 (0) 845 070 1750 or by email to firstname.lastname@example.org.