Third Party Assessment

Most businesses prefer to outsource some of the services because of cost, or resources reasons or combination of both. Some of the outsourced services, requires special skills, but nonetheless the data outsourced still remains in the eye of the outsourcing company, simply the service provider retain the data and are trusted to be the good custodian and keep the data safe (so it is thought to be the case).

Most of the companies have ‘right to audit’ clause embedded in the agreements and this take a form of third part assessment, you can call spot checks or due diligence or whatever the name fit. Over the years, I have been involved with these sort of assessments, from onsite assessments to reviewing questionnaires or some just send their ISO 27001 certificates and say we are secure, dont worry about your data.

Whilst the effectiveness of the assessment is based on organisation’s risk appetite, personally I have problems with the questionnaire based, which most are self-assessment questionnaire, when the service provider provide response without attaching evidence. I believe onsite assessment provide more value and it is more evidence based assessment.Whilst the issue of costs might be a limiting factor to conduct these sort of assessments, I would take the approach of questionnaire with additional remote assessment via video conference facilities and additional evidence uploading to backup the response.

On the next post I will cover the below aspects of the third party assessment. (1)What needs to be assessed, (2) Framework (3) Frequency of the assessment

Keep safe.

Author: kinyoka

A certified Information Security professional, with demonstrated experience spanned more than 10 years in financial, banking, consulting, and payment card industries in managing Information Security System Management ISMS. A post graduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. Demonstrated to be reliable, trustworthy, and meticulous person; working in a controls-focused environment, multinational, and multicultural organisation over the years and gained a good understanding of what is required of the Information Security professional. . Specialties: ISMS based on ISO/IEC 27001/2 Payment Card Industry (PCI) DSS - QSA led services - PCI Scoping, Gap Analysis and Formal Assessment (RoC) IT Governance, Risk and Compliance (GRC) Management Cyber Security Penetration Testing Enterprise Security Architecture Technical Security Architecture

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: