The Centauri Step, Governance and IT Security


Three Keys to Getting Started with Supplier Reviews

Marion Mellor

If you only need to remember the essentials of a Supplier Review and want to be up and running quickly, this page is for you.

The supplier risk study starts as soon as a project is launched, an invitation to tender is issued, or a contract is being considered; it is not something to bolt on after the contract is signed.

It therefore requires a genuine relationship of trust between the project managers and the Purchasing department, maintained through regular meetings. These meetings let you anticipate future contracts, consider new commercial relationships, and look for new partners ("sourcing") before the security review is on the critical path.

During the due diligence phase, the security team's role is decisive: it determines whether the supplier is able to implement the security and control measures the contract will require.

A security review in a nutshell? It is not an audit. It is a lightweight verification of the security measures and controls the supplier has in place, based on the supplier's own answers and the evidence it can produce to back them up.

1- Determine the criticality of the service concerned: Internal questionnaire

Security must stay very close to the Purchasing department, but it is just as essential to be in contact with the project managers. They are in the best position to describe the conditions of the service: is it on-premise software? A SaaS service? A consulting or professional-services engagement? A brokerage agreement? What kind of service is it exactly? Which company data will the supplier hold or access, and how sensitive is it? Will the supplier work on a machine lent by the company? Will it have physical access to the premises? And so on.

Determine the format of your questionnaire.

  1. A good benchmark is duration: the interview with the "Business" project manager who initiated the contract request should not exceed 15 minutes.
  2. After this interview, your security expert should be able to calibrate the criticality of the service. For example, define a small number of criticality levels, each tied to the depth of analysis to be performed on the supplier.
  3. The depth of Security's analysis will obviously differ between a contract for watering the plants in the company lobby and a contract for outsourcing payroll processing.

2- Adapting a security questionnaire: External questionnaire

The security expert then sends a questionnaire to the supplier, tailored to the service. For example, there is no point asking an external consultant who delivers no software about secure development (SDLC) standards; what matters there is the equipment and the accounts the consultant will use.

Questionnaires must be adapted to the criticality of the service. The analysis goes faster: you send targeted questions and stay focused on the security controls that actually matter for this contract.

Two key words for these reviews: trust and transparency. Trust with the Buyers, so that Security is aligned with them and sends the supplier a questionnaire consistent with the relationship already established. Transparency, so that the relationship and the review itself are announced and backed by the company.

A tip: have the security expert send the security due diligence questionnaire to the supplier's security contact directly, since those two parties will need to talk anyway. Thirty minutes on the phone beats having the Buyer relay questions and answers back and forth.

3- Analyze the evidence

Before this step, ask for evidence: trust and transparency, once again. If the supplier will not send documents by email (or through a secure file-transfer tool), you can still review them over a video call: take screenshots, note the document title, version and date you were shown, and record in your security report that you were able to read the evidence. This does require the supplier to set aside time for the session, so ask for it in advance.

Once the questionnaire responses arrive, go through them twice: first for consistency (answers that contradict each other, or that do not match the nature of the service), then for the evidence supporting each answer. A "yes" with nothing behind it should be recorded as unverified, not as a control in place.

Obviously, an ISO 27001 certified provider will usually be more willing to share its certificate, Statement of Applicability or other external audit reports; check that the certificate's scope actually covers the service you are buying. Depending on the criticality of the service, other evidence is essential: access management procedures for a SaaS service, HR procedures for background checks, or proof of security awareness training completed (or not) by the supplier's employees.

Elsewhere, we discuss the format of the validation report for this Security Review …