I’ve got a security questionnaire from my client – what next?

We recently wrote about the increase in ‘supply chain cyber attacks’ and how the UK and EU governments are terrified about their impact on the economy.

This has been on the radar of larger businesses for some time, but now many firms in the SME sector are waking up to the potential threats from cyber breaches on companies in their supply chain.

One consequence of this is a huge increase in the number of ‘new supplier cyber security questionnaires’ that are being issued, and as a result, an additional burden on firms who are having to deal with them when trying to secure new business, or even to keep existing clients.

Many SME firms do not have the time or expertise to complete these forms, particularly in the accountancy and legal sectors where a recruitment crisis means resources are already stretched. So how should you go about dealing with such questionnaires with minimum overhead but yet keep your clients or prospective clients satisfied?

Here are some tips from the Pro Drive team:

Certify your firm to a recognised security standard

The is the single most important recommendation.  If you certify your business to a recognised national or international security standard, you can provide your certificate to your client when you first engage and hopefully prevent the need for them to send you a security questionnaire in the first place.

For firms operating mostly in the UK, the Cyber Essentials and IASME Cyber Assurance standards are usually adequate (you should go for the audited and not just the self-assessed versions though).  If you do a lot of business overseas or with multi-national firms, ISO 27001 may be necessary.

Put together a ‘security controls’ document

If you have particularly stringent clients or investors who may demand more than a certificate, you might consider asking your IT team to put together a document detailing the relevant security controls you have in place.  Most software companies do this and you will usually be able to view examples on their website.

Be careful not to put too much detail or specific information in the document though. Should it get into the wrong hands it could be used to compromise your security defences!

Keep a database of answers

Most supply chain cyber risk questionnaires contain very similar questions. If you have already answered two to three of them, you will likely already have all the answers to any future questionnaires.  If you do make any changes to your IT systems or their cyber security, you can ask your IT team to update your responses when the changes are made so you are ready for any future questionnaires.

Create your own questionnaire

You should also be auditing your own supply chain in the same way that your clients are auditing you.  As such you should have your own audit process and questionnaire. Once you have created your own audit process, you should find it relatively easy to prepare for other firms wanting to audit your business.

Pro Drive are experts in helping Accountancy, Financial Services and Legal firms with security questionnaires and we regularly help our clients get in place procedures and questionnaires to audit their supply chains.  If you would like to know more, get in touch.