Adding a Supplier
Clicking the Add Supplier button brings up the Add Supplier form. The form contains three sections - General Information, Assurance, and Disaster Recovery. Only the General Information section is required to add a new supplier, but it is recommended that all three sections are completed.

Supplier Name
The name of the supplier.
Supplier Description
A brief summary of what the supplier does for your organisation.
Supplier Owner
The person responsible for the supplier.
Supplier Contact
The main point of contact for the supplier. This could be, for example, a support page on a website, or a name of a person responsible for liaising between your organisations.
Supplier Email
The email address associated with the supplier.
Supplier Address
The address of the supplier.
Supplier Contact Number
The contact telephone number associated with the supplier.
Last Review Date
When the information for this supplier was last reviewed.
Next Review Date
The date when this supplier will be next reviewed.

Clicking on the Assurance section brings up the assurance assessment, a set of questions used to check that the supplier meets your organisation's security standards.
Does the supplier hold ISO27001, or other externally validated certificate that is in line with or exceeds ISO27001?
Whether the supplier is certified against ISO27001, or against another externally validated standard that is equivalent to or exceeds it. By Harpe's standards, holding a current ISO27001 certification is an automatic pass for the security assessment.
Does the supplier encrypt personal data at rest and in transit?
Encryption of data at rest and in transit means that personal data is transformed so that it cannot be read by anyone who does not hold the decryption key, both while it is being transmitted between systems and while it is stored.
Does the supplier adhere to the principle of least privilege and have access control processes in place?
The principle of least privilege is the practice of granting employees only the minimum permissions required to do their job. This limits permission creep, where access accumulates over time, and reduces the risk of someone gaining access to information beyond what their role requires.
Does the supplier have processes in place to address risk management?
Whether the supplier has risk management processes in place.
Does the supplier train and engage their employees to become cyber aware?
Whether the supplier trains its employees so that they can recognise and resist common cyber threats, such as phishing emails.
Does the supplier have a process to manage assets throughout their lifecycle, including security and destruction?
Whether the supplier has an adequate process for managing assets from acquisition through to secure disposal or destruction.
Does the supplier have a process to manage disaster recovery and the backups of critical systems?
Whether the supplier has a disaster recovery process, including taking and testing backups of critical systems, so that those systems can be restored in the event of an incident.
Does the supplier have processes in place to identify and remediate vulnerabilities, such as penetration testing or vulnerability scanning?
Whether the supplier performs activities such as penetration testing or vulnerability scanning to identify vulnerabilities in their systems, and fixes what is found.
Does the supplier have logging and monitoring in place to identify incidents with their assets and data?
Whether the supplier has logging and monitoring enabled for their systems and tools, so that changes, suspicious activity and breaches are recorded and can be detected.
Does the supplier have an incident management process in place?
Whether the supplier has processes in place to respond to and manage incidents when they occur.
Does the supplier have processes in place to protect and manage their supply chain?
Whether the supplier has processes in place to ensure their supply chain is secure.
Are there contracts that cover security requirements, data protection requirements and confidentiality?
Whether there are legally binding contracts and policies in place with the supplier so that security, data protection and confidentiality requirements are enforceable.
Does the supplier have a quality management system in place?
Whether the supplier has a system in place to ensure continued quality of its processes and deliverables.
Assessment result
Whether the supplier passes or fails based on the answers to these questions.
Conducted by
The person responsible for conducting this assurance assessment.

Disaster Recovery Plan
A step-by-step plan to enable business operations to be recovered or allowed to continue in the event of the supplier becoming unavailable or suffering an incident.
Security Considerations during DR
Any security considerations that must be paid attention to in the event of the supplier becoming unavailable or suffering an incident.
RPO (Recovery Point Objective)
The maximum tolerable loss of data, expressed as a period of time. For example, an RPO of 2 hours means that losing at most the last 2 hours of data is acceptable.
RTO (Recovery Time Objective)
The maximum tolerable time for which an asset can be unavailable. For example, if the RTO is 2 hours, the asset should be available again less than 2 hours after a failure.
BIA (Business Impact Analysis) Owner
The person responsible for this disaster recovery assessment.
Last updated