Global law firm Bird & Bird has implemented Greenstone’s supply chain sustainability software, SupplierPortal, to engage with and assess the performance of its global supplier network.
This case study outlines the journey Bird & Bird have been on to find a robust and reliable solution that supports continual supplier engagement, ongoing assessment, and an efficient annual audit cycle.
Bird & Bird is a global law firm with over 30 offices worldwide in 18 countries.
Information security is a vital area of focus for organisations because the potential liabilities for non-compliance with regulation, malware attacks or data breaches are huge. This is especially the case in law firms, where client confidentiality is a regulatory requirement and firms often hold client data relating to their most sensitive matters.
Our client began the journey of implementing an information security management system a number of years before engaging with Greenstone and achieved ISO 27001 certification across all their countries of operation. However, there were a number of challenges in maintaining the certification, not least in the way that suppliers were assessed and managed.
There is a continual cycle of assessment and reassessment by audit in order to ensure continued compliance with the ISO standard. As a result, having a process in place where suppliers can be evaluated regularly against key metrics and where compliance can be understood at any given time is vital.
The initial approach was to put suppliers through third-party information security assessments. Given the scale of the project and the constant need for up-to-date information, this had become both an expensive and an inflexible approach.
Drawing on their experience with information security assessments, Bird & Bird decided to move away from third-party supplier assessments and to create their own assessment questionnaires. These comprised a set of questions that applied to all suppliers plus twelve service-specific questionnaires.
Greenstone uploaded this bespoke content into its SupplierPortal software solution in English, Traditional Chinese, Simplified Chinese and German, enabling the relevant online assessment questionnaires to be distributed in the local language to the appropriate supplier service categories (e.g. data centres, outsourced PII).
“SupplierPortal has been instrumental in engaging with our global supply chain. We now have a robust supplier management software that underpins our ability to identify and address supplier risk both now and in the future.”
Tim Collinson, Head of Information Security, Bird & Bird
SupplierPortal then automatically assesses supplier responses against the firm’s bespoke information security scorecard, enabling the firm to monitor supplier performance across specific content areas, supplier categories and office locations. The ability to interrogate suppliers by location has proved especially useful in ensuring supplier information is up to date for those locations undergoing an ISO 27001 audit.
In addition to supplier scorecard performance, flags are used to immediately identify any areas of concern or non-compliance in the supplier responses. These flags can also be used to define high-risk suppliers for which action plans need to be put in place to remediate risk.
The SupplierPortal audit function is used by the information security team to carry out detailed supplier assessments. This provides a documented record and report of the assessment for reference during the ISO 27001 certification process.
Bird & Bird now have a supplier management tool in place that supports their requirements for continual supplier engagement, ongoing assessment, and an efficient annual audit cycle. They have the flexibility to amend the assessment content as they see fit, and to add requirements if a supplier’s services evolve.
The exponential growth in resource requirement that resulted from the implementation of a global management system and ISO 27001 certification programme has been brought under control with a centralised solution. Whilst they still require information security champions in each location, the management of a global supply chain is simplified through centralised compliance transparency and a solution that drives best practice and up-to-date information through a series of automated compliance notifications.