A CIPS workshop on supply chain security, held with the Security Awareness Special Interest Group and the National Cyber Security Centre, produced these tips on how to create a supplier assurance questionnaire.
Conduct due diligence
Know your organisation’s strategy and risk appetite, explain the rules, policies and standards to suppliers, and identify your right to audit.
Categorise your suppliers
Identify high, medium and low-risk suppliers, then prioritise and utilise your resources wisely to mitigate the areas of risk, starting with high-risk suppliers.
Tier your questionnaires
Avoid a one-size-fits-all approach, and consider a two- to three-questionnaire structure. Be prepared to adjust or remove questions when inappropriate or unnecessary for medium or small businesses.
Be approachable and prepared to collaborate – it’s in everyone’s interest to help educate your suppliers. Avoid a transactional approach and work in partnership with your suppliers. Pick up the phone or meet face-to-face to sense check information.
Help build your suppliers’ awareness of ISO27001 compliance and highlight the benefits of developing their processes.
To listen to a CIPS Knowledge webinar on how the Salvation Army set up its SAQ go to: bit.ly/SAQWebinar