Last Updated on July 23, 2019
How do you really know your highest-risk vendors are doing what they say they’re doing, security-wise—especially if it involves meeting your specific requirements? Do you insist on the right to audit vendors? If so, do you have the skills and technology savvy to do it? Or do you rely on them having a SOC 2 and ISO 27001 certification, or even just a self-report?
Not trying to be cynical (or maybe I am), but things like policies, self-reports, third-party attestations or even contracts are only as good as the real-world operational workflows they are intended to drive. If you have security requirements you put in place contractually with a vendor, do you have tangible assurance they are being addressed operationally? Or are you just going on faith?
I know from experience even when intentions are the best on both sides, there are times during implementation or audit activities where the discussion turns to contractual obligations and the people responsible for implementing them aren’t 100% sure these are being met. Promises may have stopped short of action, in other words.
I strongly advocate that clients put “right to audit” clauses (as well as other security-related language; e.g., regarding breach notification) into their vendor contracts as a matter of due diligence. I know most of them never exercise that right because they don’t have the time, money or skills. But if a relationship is important enough, auditing a vendor yourself is well worth it.
Here are four reasons why:
Reason 1: It reduces business risk.
When you see for yourself whether vendors are addressing your security requirements, you’ll either validate that all is well or confirm that your concerns were valid: a risk to your business that you believed was mitigated actually is not. At that point you can either get the vendor to strengthen their controls, or find a more secure company to partner with. Either way, your actual business risk and the liability that comes with it are reduced.
Reason 2: It strengthens vendors’ controls.
We all know that kids and dogs that are being watched behave better. Vendors are no different. An organization that knows it could be audited has more motivation to ensure that it is in compliance with contracts. As a result, it will have a stronger security posture.
Reason 3: It helps strengthen your contracts.
After auditing one or more vendors, or even contemplating how you would approach that, you might see some things you’d want to change when it’s time to renew a contract. Maybe the process reveals issues you hadn’t considered before. Or maybe you see security shortcomings you want addressed. Either way, you’re poised to improve your contracts and hopefully your overall security posture.
Reason 4: It helps strengthen relationships.
When you audit a vendor you come to understand their business and environment better. Often you come to trust them more. You’re less likely to replace a vendor that you know is working hard to meet your needs. Similarly, a vendor you’ve audited is more aware of your concerns and more likely to put attention on them going forward. The point here is, if done right, an audit should be a win-win scenario.
A certain amount of information security risk associated with outsourcing is almost unavoidable in today’s interdependent business environment. But with more effective third-party risk management, including auditing high-risk vendors, you can rest assured that your sensitive data is secure even when you need to share it.
To talk with an expert about your third-party risk concerns, including auditing vendors and strengthening contracts to include “right to audit” and other security-related clauses, contact Pivot Point Security.