Welcome to the Wiki of Compleye Online

Suppliers Assessment

Supplier Assessment is very important topics in ISO 27001. Especially for Technology Companies – as they are making use of so many suppliers, and sometimes they are not aware of it. You will need to be in control of your supplier – assess the high risk suppliers on a yearly base on a number of topics. You will need to review all suppliers on basic information and contract.

We already have a number of controls in place.

In Step 1, we have started with an overview of all Suppliers.  [link to Supplier Overview]  and we also have and in section Software Access, you can add that supplier has access to certain software.

Next to that in the Templates section- you can find the Supplier Management Procedure. In this Procedure we have defined a process that is supported by Compleye Online sections: Sections Supplier Overview and Supplier Assessment. The owner of the Supplier will need to perform the actual assessment. Multiple owners can be involved in these assessment, every owner will need to read this wiki and follow the steps.

First  : Read the Supplier Management Procedure – and customize if needed (we do not advise you too). Approve it and add the final version (pdf) to the feature Procedure/Info.

Next: Check if you have added all information on the Supplier Overview and that you have profiled them (low, medium and high) on Security and Business Continuity. It is for ISO 27001 – not needed to profile the Quality. If all the information is added – Compleye Online selects automatically all suppliers that have a High Risk in their profile. All these suppliers are already visible in this section. You can add more suppliers – if you think it is important to assess them – by Add New (dropdown list of all suppliers from suppliers overview).

Final: When selecting a supplier you can use the yellow button Edit (top right corner) to start the actual assessment.The first choice you will have to make is defining if the supplier is ISO 27001 certified themselves. Depending on the choice, you will get different questions for assessment. Particularly for High Risk Suppliers – we advise only to work with ISO 27001 certified companies, otherwise you will need to perform extra checks and be even more in control. However if you work closely with suppliers and know them very well, it is easy to be more in control. On the top right box you can find the information of the supplier from the Supplier Overview you will have access to all information. So it will be more easy to fill in the actual assessment.

Now you will need to start working, by filling in all information. (see below) Helper buttons in place for support. You will do a number of checks and will end with defining the residual risk and perhaps come up with some improvements. Make sure you have addressed all the High Risk Suppliers that are assigned to you as an owner. Plan a meeting  with C-level (or someone else from ISMS team) to evaluate the risk and improvement. That person will approve the the residual risk (with or without the improvement) and sign off – by making use of the Reviews & Approval of Residual Risk. Now you have finalized the supplier assessment – Congrats!!! this is a big step in being more in control of potential huge risks. Do not forget to add the improvements in the Improvement section .

 
 
 
 

Suppliers listed will already have some information pre filled with the Supplier Overview data, To perform the assessment click on edit (upper-right corner) and you will be prompted with 2 sets of questions based on your first selection – is the supplier ISO27001 certified or not.  

Example 1 – High Risk Supplier ISO27001 certified 

  

FieldName 

Value / Description 

Example 

supplier:  

free text / prefilled 

AWS 

Is ISO27001 certified: 

yes / no 

select yes 

Review the SoA: 

free text field. [to confirm that you have retrieved and reviewed the latest Statement of Applicability from the supplier] 

SoA – attached in Supplier Overview 

Cross Reference with SoA 

free text field – check if all your outsourced jobs to this supplier are showing in scope on their SoA 

All outsourced jobs are in scope with AWS 

How is communication with supplier organized 

free text field – Indicate who is the person /department responsible for communicating with the supplier and specify the most used communication channel. 

We have direct contact person – for our CTO. Communication takes place over the email.  

Is supplier involved in procedure? 

free text field – confirm if the supplier either contributes to, participates in or plays a key role in the organization procedural documents. If so, confirm if such procedures have changed in the last 12 months and if the supplier has been informed about such changes when necessary  

no direct involvement

Was the supplier involved with incidents?  

free text field – confirm if in the last 12 months the supplier has been involved in the either technical or privacy incidents and/or (quality) complaints recorded by the organisation. Describe the impact and CAPA in place.  

0 incidents in AWS environment this year  

Business continuity controls in place  

free text field – confirm if the supplier has an effect on the business continuity control measure. If so, what are the identified risks and the implemented preventive controls? 

Scaling services for additional data are in place. With automatic email confirmation.  

Quality performance controls in place  

free text field – Confirm if the supplier influences the quality of product or services provided by the organization. If so, indicate the implemented controls to maintain and preserve the quality of products/services  

no 

Define residual risk  

Taking into consideration the above defined controls and measures, please define the residual risk  

Residual risk is the result from annually performing PEN test on vulnerabilities on AWS 

Suggested improvements 

If required, indicate the improvements that should be adopted to improve the implemented controls and measures to manage and oversee the ongoing relationship with the supplier 

for next year we will need to improve our access management policy for AWS 

  

Example 2 – High Risk Supplier ISO27001 is NOT certified 

  

FieldName 

Value / Description 

Example 

supplier:  

free text / prefilled  

Hotjar 

Is ISO27001 certified: 

yes / no – this value is linked to supplier overview section as well, so by changing this value here it will be changed in Supplier Overview as well 

selected – no 

How is communication with supplier organized? 

free text field – Indicate who is the person /department responsible for communicating with the supplier and specify the most used communication channel. 

There is no direct contact – via online helpdesk  

Reason supplier is not (yet) ISO27001 certified 

free text field – provide the reason the supplier has not received the ISO27001 certification 

I don’t know 

Review contract / SLA 

free text field – confirm if the Contract / SLA executed with supplier was reviewed prior to signing taking into account the relevant Security, Quality and Business continuity factors. Review annually the contract / SLA, are there any changes that might have impact on security, privacy and/or quality? 

SLA in place – online with KPIs 

Review DPA 

free text field – if the DPA is in place, confirm if DPA has been reviewed and whether the ISO27001 standards or similar are adequately addressed/included  

N/A 

Is security policy in place? 

free text field – Conform if the security policy is in place. Add the copy of the document to the supplier overview. Is this policy sufficient for its purpose?  

not available 

Is supplier involved in procedures? 

free text field – confirm if the supplier either contributes to, participates in or plays a key role in the organisation procedural documents. If so, confirm if such procedures have changed in the last 12 months and if the supplier has been informed about such changes when necessary  

no 

Was the supplier involved with incidents? 

free text field – confirm if in the last 12 months the supplier has been involved in the either technical or privacy incidents and/or (quality) complaints recorded by the organisation. Describe the impact and CAPA in place. 

no 

Data security controls in place 

free text field – confirm if the supplier has been given access to the information and/or data held by the organization. If so, please confirm the adapted access management controls and whether the process was embedded in the access management policy.  

AFTER 

Business continuity controls in place  

free text field – confirm if the supplier has an effect on the business continuity control measure. If so, what are the identified risks and the implemented preventive controls? 

we can easily change this supplier 

Quality performance controls in place  

free text field – Confirm if the supplier influences the quality of product or services provided by the organization. If so, indicate the implemented controls to maintain and preserve the quality of products/services  

not 

Define residual risk  

Taking into consideration the above defined controls and measures, please define the residual risk  

no risk 

Suggested improvements 

If required, indicate the improvements that should be adopted to improve the implemented controls and measures to manage and oversee the ongoing relationship with the supplier 

no improvement 

  

Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.