Greenstone works with organisations to assess and reduce supply chain risk and enable responsible supply chains. An increasing area of focus in this work is information security.
The case study below explains how we have worked with our client - a global law firm - to implement a centralised information security management system across its global supply chain.
Greenstone’s client is a global law firm with over 30 offices worldwide in 18 countries.
Information security is a vital area of focus for organisations, as the potential liabilities for non-compliance with regulation, malware attacks or data breaches are huge. This is especially the case in law firms, where sensitive client data is potentially processed both internally and by third parties.
Our client began the journey of implementing an information security management system a number of years previously, and achieved ISO 27001 certification across their countries of operation. However, they faced a number of challenges in maintaining their certification, not least in the way that they manage and assess suppliers.
They face a continual cycle of assessment and reassessment by auditors in order to ensure that they remain compliant with the ISO standard. As a result, they need a process in place whereby they can continually evaluate suppliers against standards relevant to the services they provide, and also to demonstrate compliance at any given time.
Their initial approach was to put suppliers through third-party information security assessments. However, given the scale of the project and the constant need for up-to-date information, this had become both an expensive and an inflexible approach.
In addition, they had seen a significant increase in the obligations being placed on them by clients and prospects, due both to the sensitivity of data being shared and to clients being highly regulated.
Due to the firm’s experience with information security assessments, they decided to move away from third-party supplier assessments and to create their own assessment questionnaires. These comprised a set of general questions that applied to all suppliers and twelve service-specific questionnaires.
Greenstone uploaded this content into its SupplierPortal software solution, enabling the distribution of the relevant online assessment questionnaires to the appropriate supplier service categories (e.g. data centres, outsourced PII, etc.).
SupplierPortal then automatically assesses supplier responses against the firm’s bespoke information security scorecard, enabling them to monitor supplier performance across specific content areas, supplier categories, and office locations. The ability to interrogate suppliers by location has proved especially useful in ensuring supplier information is up to date for those locations undergoing an ISO 27001 audit.
In addition to supplier scorecard performance, flags are being used to identify any immediate concerns or non-compliances across the supplier responses. These flags can also be used to define high risk suppliers where action plans need to be put in place to remediate risk.
Lastly, to ensure that the supplier review process is clearly documented for audit purposes, the SupplierPortal audit function is used to assess suppliers using automated assessment criteria. Auditors can record any notes and files associated with the assessment and sign off the audit according to the supplier’s performance. These audits are stored against the supplier and can be searched and referenced at any time.
The firm now has a supplier management tool in place that supports their requirements for continual supplier engagement, ongoing assessment, and an annual audit cycle. They have the flexibility to amend the assessment content as they see fit, and to add requirements if a supplier’s services evolve.
The exponential growth in resource requirements that resulted from the implementation of a global management system and ISO 27001 certification programme has been brought under control with a centralised solution. Whilst they still require information security managers in each location, the management of a global supply chain is simplified through centralised compliance transparency and a solution that drives best practice and up-to-date information through a series of automated compliance notifications.