What is supplier due diligence?
What is supplier due diligence?
Supplier due diligence is the process of gathering information to understand the credibility and suitability of a prospective partner or vendor. It aims to assess their security posture to identify any potential risks.
Performing checks is a standard approach to nearly all facets in life, e.g. family, work, education et al, so supplier due diligence should not be foreign concept. Conducting supplier due diligence can help guide decision-making when choosing the right vendor, detect risks with potential suppliers and protect customer data in the process. It's also considered good business practice and can help mitigate future financial and reputational damage caused by a data breach.
What are the risks of not conducting supplier due diligence?
We live in a world where your business security could be theoretically perfect, and yet your data is still exposed. How? Through a supplier. Interconnected services and data sharing means that their risks are your risks, and vice versa.
The risks of not conducting supplier due diligence are significant. If a third-party vendor is breached, your organisation could be exposed to a number of risks, including:
Levelling up the supply chain together
Every business must surely have noticed the increasing importance being placed on supply chain security. The extra time spent filling in supplier due diligence questionnaires can’t have gone unnoticed, and it’s a key driver behind the increased ISO 27001 adoption. Though it might mean you spend more time on these activities, the reasons behind them are good: it means everyone’s assessing the risks and, I’d hope, taking steps to address them. In short, the whole supply chain is levelling up together.
How to do supplier due diligence?
Having a clear understanding of the vendor's business operations and how they interact with your organisation will help you to identify the specific risks that they pose. For example, if a vendor is providing cloud computing services, you will need to understand how they store and protect your data – asking for evidence of regular penetration testing and log monitoring or SIEM would be appropriate here. If they’ll process personal data, then asking about their GDPR policies and procedures, DPIAs and DPAs is relevant. And if these acronyms are a mystery to you, no need to worry – just reach out to a data protection officer for a helping hand.
The supplier due diligence process can be broken down into the following steps:
- 1Identify the vendors This includes identifying all of the third-party vendors that have access to your data or systems.
- 2Gather information This information should include the supplier’s security posture, their compliance with industry regulations, and their history of data breaches.
- 3Assess the risks This involves evaluating the information you have gathered to assess the level of risk posed by each vendor.
- 4Make a decision Based on your assessment of the risks, you will need to decide whether or not to do business with each vendor.
This information can be gathered through a variety of sources, including:
- The vendor's website
- Publicly available records
- Interviews with the vendor's management team
- Security assessments
Supplier due diligence checklist
Frameworks like ISO 27001 are a useful way to get you thinking in terms of risk, both within your organisation and from your suppliers. If you’re struggling, Bulletproof has a teams of friendly, experienced information security consultants who can help. As a headline guide, here is an outline supplier due diligence checklist for cyber security and compliance:
- What is the vendor's security policy?
- How does the vendor manage access to their systems?
- What security controls are in place to protect data?
- How does the vendor handle security incidents?
- Does the vendor have any known security vulnerabilities?
- What steps do they take to gain oversight of their security?
- Has the vendor been breached in the past?
- Do they train their staff?
- Do they penetration test at least annually and provide evidence?
- Do they map their security spending to their risks (such as via ISO 27001)
Compliance & Data Protection
- Does the vendor comply with industry regulations?
- Do they comply with optional as well as mandatory regulations?
- What steps do they take to secure personal data?
- How do they demonstrate compliance with (e.g.) GDPR?
- Are all certifications relevant and renewed?
Reputation & Culture
- What is the vendor's reputation in the industry?
- Have there been any notable or voluminous complaints about the vendor's services?
- Does the vendor share your company's values?
- Do you feel comfortable working with the vendor's team?
Summing up supplier due diligence
Supplier due diligence is an essential process when seeking new vendors as it allows organisations to make an informed decision on whether to proceed with a business partnership and should form part of business compliance strategies Only by identifying and mitigating the risks posed by third-party vendors can you prevent a data breach.
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.