How to identify valid evidence provided by the chosen supplier

It is important that you ask for, and validate, evidence to ensure that suppliers are compliant with your cyber security requirements.

Evidence-based assurance should be maintained throughout the contract duration. When you ask for evidence at the beginning of your relationship with your suppliers, they can expect you to request ongoing evidence throughout the contract.

Check with the relevant issuing body that any certifications provided are valid

It is important to review the scope of any certification issued to a supplier, check whether that scope covers the intended services and/or products, review its expiration date, and confirm the certification with its issuing body. This ensures that the certification provided is valid and still applicable.

Conduct site visits

You can also conduct site visits. However, these can be expensive and time-consuming, particularly if the supplier is based overseas, so you might only consider carrying them out for procurements with high-risk profiles. Site visits offer a comprehensive way of seeing first-hand how an organisation operates and implements its cyber security controls.

Contact the suppliers’ other customers

You can get in touch with other customers of the supplier, in particular other councils, which can serve as a good way to validate the supplier's claims.

It is important to note that the idea is not to repeat what you have already done during the tendering phase. The emphasis here is on asking for evidence only if you need it, and only for things that would not change the outcome of the selection process.