This post lists methods to assess the Information Security of an organization that acts as a third party for another one (e.g., a provider).
This third parties are often referred as 3PL, that is an acronym for third-party logistics.
Methods to assess the Information Security of a Third Party
List of methods to assess the Information Security of a Third Party
- Qualification / Third-party audit
- Self audit
A questionnaire is a set of questions regarding information security that must be fulfilled by the provider.
One of the drawbacks of a questionnaires is that.
When the possible answer in a questionnaire is yes/no, the provider may be biased to answer “yes” whenever is possible, even when it is only partially true.
It also happens that we have to rely on the honesty of the person fulfilling the questionnaire or their knowledge on the topic or situation of the organization.
A certification, in the context of the information security of a third party, is is the provision by an independent body of written assurance that an organization meets specific requirements.
A common habit is to ask for ISO 27001 certification, thinking that it guarantees that the organization reaches a minimum standard on IS. Nevertheless, it is important that everybody takes into account that ISO/IEC 27001 certifications proves that the organization has implemented processes to manage a Information Security Management System (ISMS), but it does not guarantees that any security level has been reached.
Rating / Third-party audit
A rating or third-party audit is an assessment done by independent body that assesses the organization and provides a score on information security
You can read this post about information security rating agencies for organizations.
An organization can assess their third-party providers by asking them specific documentation, as evidence that they meet minimum standard.
A self audit is an assessment done by independent body that assesses the organization and provides a score on information security