Clicking on the Assurance section brings up the next section, which covers whether the supplier meets security standards.
Does the supplier hold ISO27001, or other externally validated certificate that is in line with or exceeds ISO27001?
Whether the supplier is certified against ISO27001. By Harpe's standards, holding an ISO27001 accreditation is an automatic pass in terms of security.
Does the supplier encrypt personal data at rest and in transit?
Encryption of data at rest and in transit is the process of converting sensitive data into a coded form that cannot be read or understood by unauthorised users, both while it is being transmitted from one location to another and while it is stored.
Does the supplier adhere to the principle of least privilege and have access control processes in place?
The principle of least privilege is the practice of ensuring employees have only the minimum permissions required to do their job. It combats permissions creep, which can become a security risk if the wrong person gains access to information above their level of authorisation.
Does the supplier have processes in place to address risk management?
Whether the supplier has risk management processes in place.
Does the supplier train and engage their employees to become cyber aware?
Whether the supplier trains its employees so that they have enough knowledge to resist common cybersecurity threats, for example phishing emails.
Does the supplier have a process to manage assets throughout their lifecycle, including security and destruction?
Whether the supplier has an adequate process for the management of assets.
Does the supplier have a process to manage disaster recovery and the backups of critical systems?
Whether the supplier has a process for disaster recovery, including taking backups, to ensure system stability in the event of an incident.
Does the supplier have processes in place to identify and remediate vulnerabilities, such as penetration testing or vulnerability scanning?
Whether the supplier performs activities such as penetration testing or vulnerability scanning to identify vulnerabilities in their systems.
Does the supplier have logging and monitoring in place to identify incidents with their assets and data?
Whether the supplier has logging and monitoring enabled for their systems and tools to ensure any changes or breaches are recorded.
Does the supplier have an incident management process in place?
Whether the supplier has processes implemented to manage any incidents that occur.
Does the supplier have processes in place to protect and manage their supply chain?
Whether the supplier has processes in place to ensure their supply chain is secure.
Are there contracts that cover security requirements, data protection requirements and confidentiality?
Whether there are legally binding contracts and policies in place with the supplier to ensure cybersecurity requirements are safeguarded.
Does the supplier have a quality management system in place?
Whether the supplier has a system in place to ensure continued quality of its processes and deliverables.
Assessment result
Whether the supplier passes or fails based on the answers to these questions.
Conducted by
The person responsible for conducting this assurance assessment.