Clisnmamm Herbete
Information Security Analyst
How boring is the necessary vendor security assessment
If you work in security governance, or are simply part of your company's supplier assessment process, you probably think the same thing I do: it sucks!
Put yourself in the position of a supplier: imagine answering questions from several customers, each using a different framework, which means different questions and numbers of questions, different answer formats, different types of evidence, and different platforms or spreadsheets. The questions often have to be answered by different internal areas, and only after everyone has answered can you consolidate the responses and send them to the customer, who asked for the questionnaire to be completed in a time frame you could not meet even if you could stop time.
Now, put yourself in the position of a customer: you have to evaluate all the answers and evidence, document the results and write the report, and that only when the supplier actually responds. Until then you are still sending emails requesting that the evaluation be completed, not to mention that your company's purchasing team is calling you every single hour because you are blocking the process.
For these and many other reasons, this process has become increasingly complex to execute, and the answer is not to fall for the litany of companies selling platforms that "facilitate" the process by automatically answering the evaluation, AI-powered, of course!
It is no wonder that it is present in the main frameworks, such as ISO 27001 and CIS Controls: the security assessment of suppliers is important to make sure that your supplier has security controls that can mitigate and/or reduce the impact of incidents and ensure the continuity of operations without impacting your company, besides, of course, maintaining compliance with contractual requirements and/or keeping its certification. For this reason, it is important that both sides, customer and supplier, take actions that make both the request and the response to the process workable. Below I leave some tips for each of these parties to make the process a little friendlier:
Customer
- Use questionnaires specific to the type of service provided: a warehouse supplier that archives your company's physical documents should not answer the same form as a SaaS platform provider that will store employee data.
- State the framework in use and the corresponding item in each question: if your company has a custom questionnaire, make it easier for the supplier to look up information about the questions you asked in the evaluation. E.g., if your question is about pentest execution, indicate that it refers to CIS Control 18.x and/or the ISO 27001 A8.8 requirement.
- Create criteria that avoid filling out extensive questionnaires: if the supplier is not critical, accept certifications such as ISO 27001 and/or complement the certification with questions for which you consider it important to have evidence.
- If you use a system to collect the answers and evidence, ask the supplier whether it needs more access to the platform: questionnaires may include questions about the hiring process as it relates to building access control, that is, they involve several teams. That said, offer additional logins so that other teams in the company can also respond.
Supplier
- Create a database to make answering questionnaires easier: create a document with questions, answers and evidence mapped to the controls of the main frameworks to save time when responding to customers. Establish a process for reviewing responses and evidence to make sure they are up to date with your environment.
- Store the history of completed assessments: customers usually do due diligence annually. Storing the history makes it easier for you to fill out the assessment when the customer resends the questionnaire.
- Create a process that involves the key areas: security questionnaires involve several other teams. Establish a process for everyone to participate in responding and request an SLA from each of them; this will tell you whether or not you can meet the time frame the customer requested, so that you can ask the customer for a longer deadline if needed.
- Be clear about your company's security: having a page dedicated to the security controls of your application/service and/or to the certifications your company holds increases customer confidence.
- Develop action plans for controls that you were unable to meet: if a question was directed to your company and you could not answer it, it may be a point of attention. Besides helping to map the security items needed to strengthen your company, these controls may end up becoming mandatory for closing contracts, and lacking them results in lost revenue.
There are several ways for you to evaluate your supplier's security, and to be evaluated yourself, without impacting the process.
However, the process must always be developed with both sides in mind. Vendor evaluation is one of the processes that help protect our companies and keep their customers' data secure, as well as being a stimulus for vendors to implement security.