Third Party Assessment

Most businesses prefer to outsource some of the services because of cost, or resources reasons or combination of both. Some of the outsourced services, requires special skills, but nonetheless the data outsourced still remains in the eye of the outsourcing company, simply the service provider retain the data and are trusted to be the good custodian and keep the data safe (so it is thought to be the case).

Most of the companies have ‘right to audit’ clause embedded in the agreements and this take a form of third part assessment, you can call spot checks or due diligence or whatever the name fit. Over the years, I have been involved with these sort of assessments, from onsite assessments to reviewing questionnaires or some just send their ISO 27001 certificates and say we are secure, dont worry about your data.

Whilst the effectiveness of the assessment is based on organisation’s risk appetite, personally I have problems with the questionnaire based, which most are self-assessment questionnaire, when the service provider provide response without attaching evidence. I believe onsite assessment provide more value and it is more evidence based assessment.Whilst the issue of costs might be a limiting factor to conduct these sort of assessments, I would take the approach of questionnaire with additional remote assessment via video conference facilities and additional evidence uploading to backup the response.

On the next post I will cover the below aspects of the third party assessment. (1)What needs to be assessed, (2) Framework (3) Frequency of the assessment

Keep safe.

Giving back to the security community

Nobody makes it alone to the top in the corporate world but I know there exceptions for those one-man army. Regardless how you made to the top or how you joined security professional I think you feel some sort of responsibility of giving back to the community and this is my motivation to give it back tot he community by means of mentoring young professional or those in their journey.

I welcome anyone that needs my advice, please reach me at kinyoka at