5 Mistakes Suppliers Make When Being Audited
More organisations than ever are conducting information security supplier audits to minimise their supply chain risk. Your organisation should be no different.
We have been involved in secure supply chain audits for over 20 years, reviewing everything from small SMEs to large managed service providers. Over this time there are 5 key mistakes that suppliers make:
Mistake 1 – Not seeing the audit as free security advice.
This is especially true for less experienced small SMEs supplying bigger businesses. There are two ways suppliers can see the audit: 1) negatively, the customer is coming in to find fault and catch us out, or 2) positively, this is free security advice from a customer which may help us get better. If there are security weaknesses it’s in the interest of both parties to identify them, discuss them and agree a way forward.
Mistake 2 – Not completing the questionnaire as comprehensively as possible.
Customers typically undertake supplier audits using a template questionnaire. This reduces the time required physically onsite, or the need to come onsite at all, which can only be good for both parties. Replying to stock questions with full, stock answers provides more confidence than one-word answers, which make you look unprepared or evasive.
Mistake 3 – Not being open and transparent
Auditors are trained and experienced; they know what they are looking for. If you know you have a weakness, call it out and detail what actions you plan to take. No organisation operates without any information security risks.
Mistake 4 – Not being prepared on the common failings
There are a number of common failings that typically come up in a supplier audit. Here are just a few: a lack of security governance (i.e. there is no clear management forum or support for information security), unsecured USB ports, unrestricted access to the internet by staff (including social networks, data vaulting and webmail), and undocumented policy or procedure, such as incident management and information classification.
Mistake 5 – Not considering ISO27001 certification
ISO 27001 is the security standard against which third parties are typically reviewed. It is not a technical standard; it’s a management standard, which is misunderstood in industry. Typically organisations say they align or comply with ISO 27001, but very few organisations have gone for full certification. It’s seen, wrongly, as expensive and as too high a standard to achieve. Certification significantly reduces the burden of audit on your business by your clients, resulting in significant cost savings in time and effort for both parties.
Questions your C-Suite should ask your CISO: How many supplier audits do we get a month/year? Do we have standardised answers to their questions? What’s our level of conformance to ISO 27001? Why are we not going for certification?