There are different methods that your council can use to assess a supplier's ability to meet your cyber security requirements. These methods can be adapted based on your council’s risk profile or the criticality of the procurement, as well as the amount of time and resources you have for the assessment.
It is important to consider the burden on both your council’s internal teams and the supplier teams when choosing evaluation methods. Possible methods include:
Question-based surveys
Question-based surveys are an easy and repeatable method of assessment. A survey alone will most likely require further investigation by the organisation as questions may get misinterpreted or insufficient answers may be provided. If possible, you should try to avoid asking suppliers to fill out the same questionnaires on multiple occasions. To help ensure that suppliers only need to tell you information once it is recommended that you maintain a record of past questionnaires to help streamline the process.
Key components of a supplier assurance questionnaire
Background questions: aimed at establishing a general view of the supplier from a security perspective. For example:
Control questions: aimed at establishing a consistent view of suppliers’ cyber security behaviours and practices. These typically form the bulk of your questionnaire. Please note that not all controls will be relevant for all procurements, please only select those relevant for each procurement and for your council. For example, questions could be asked about:
Access control
What information and assets could suppliers have access to and what level of access is provided, in particular, privileged account access?
What policy exists for control of remote access to networks and systems?
Change management
Are methods in place to control how changes are authorised, tested and securely deployed by authorised personnel?
Governance and policy
Does the supplier have a strong security policy for management of IT equipment, covering employee responsibilities, access to information assets and user account / password management of removable media?
Incident management
Does a defined and implemented policy including detection, resolution and recovery exist?
Monitoring
Is monitoring in place to assess access to privileged accounts and services, networks, authorised software, data loss prevention and regular log?
Personnel security
Does the supplier provide training on information security and staff vetting? Do roles exist for dedicated information security staff to set and enforce standards?
Supply chain management
How well are the information security risks within the wider supply chain managed? Does the supplier risk-manage its own supply chain?
Vulnerability management and patching
Are processes in place to be informed of vulnerabilities present within equipment and software along with a timely and secure patching policy, used to remedy?
Certifications questions: aimed at establishing a view of the current industry recognised standards and frameworks adopted by suppliers.
If you are interested in reviewing more sample questions or examples of supplier assurance questionnaires they are available for reference along with other example materials in the appendix.
Interviews
Interviews offer the opportunity to ask suppliers specific questions and to give them a chance to present alternative approaches and solutions. Information gained through focused interviews may be of higher value than that obtained via a questionnaire, however they can be time consuming, create capacity issues and may require a specialist resource to carry out. Consider limiting conducting interviews to high risk procurements or suppliers.
Site visits
Site visits refer to physically travelling to the premises. On-site visits can be expensive and time-consuming, particularly if the supplier is based overseas. Additionally, you should consider how the service is delivered before determining if a site visit is appropriate, take for example services that are delivered on a cloud platform.
External assessments/certifications
External assessments/certifications refer to assessments certified by an outsourced authorised body. The benefits of this approach are that it can be more scalable and easier to compare suppliers. Examples of external assessment methods include Cyber Essentials Plus, SOC 2 reports and ISO 27001.
Automated assessments
Automated assessments refer to commercial tools on the market that can either actively or passively assess an organisation, which could be used in conjunction with the above assessment techniques to regularly assess a supplier. These tools, once set up, can be continuous and constant. The results, however, will likely need interpreting by an IT or cyber security professional.