
Expert Advice Community

Supplier questionnaire

Guest
Guest user Created:   Feb 07, 2023 Last commented:   Feb 07, 2023

Hi, I need help to produce the following for suppliers that we work with: I need to confirm the correct questions to send out, risk scoring, and a policy. Below are questions for suppliers regarding their security posture.

  • Confirm which of the following do you have in place: Firewall? IDS or IPS? Secure configuration? Anti-virus/malware protection? EDR/MDR/XDR? Patch management? Access control? Multi-factor authentication? Email spam filtering? Network behaviour monitoring?
  • Do you know what devices connect to your network and who has access?
  • Do you follow any security frameworks?
  • Do you have Cyber Essentials?
  • Do you conduct vulnerability and penetration testing?
  • Do you have backups?
  • Do you have a security and acceptable use policy?
  • Do you have information security policies in place?
  • Do you have access control policies in place?
  • Do you conduct cyber security awareness training?
  • Do you have a disaster recovery plan?
  • Do you have an incident response plan?
  • Do you have anything in place with your supply chain to combat a cyber-attack?
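The post asks for a risk scoring approach alongside the question list but gives none. The following is an added example, not part of the original post or of any Advisera product: it turns answers to the questions listed above into a weighted supplier risk score and tier. The question keys, the per-question weights, the "critical control" set and the tier thresholds are all assumptions made for illustration; a real programme would derive them from its own risk assessment, as the expert reply on this page recommends. Unanswered questions are treated as the worst case so that a supplier cannot improve its score by leaving gaps blank.

```python
"""Weighted risk scoring for a supplier security questionnaire (constructed example)."""
from dataclasses import dataclass

# One key per question in the questionnaire, with an ASSUMED weight (1 = minor, 5 = major).
# The weights below are illustrative only; derive real ones from your own risk assessment.
QUESTIONS = {
    "firewall": 3,
    "ids_ips": 2,
    "secure_configuration": 3,
    "antimalware": 3,
    "edr_mdr_xdr": 2,
    "patch_management": 4,
    "access_control": 4,
    "mfa": 5,
    "email_filtering": 2,
    "network_monitoring": 2,
    "asset_inventory": 3,          # knows which devices connect and who has access
    "security_framework": 2,
    "cyber_essentials": 2,
    "vuln_pen_testing": 3,
    "backups": 4,
    "acceptable_use_policy": 1,
    "infosec_policies": 2,
    "access_control_policy": 2,
    "awareness_training": 2,
    "disaster_recovery_plan": 3,
    "incident_response_plan": 4,
    "supply_chain_controls": 2,
}

# Controls whose absence forces at least a "medium" tier regardless of the numeric score
# (assumed set, chosen for illustration).
CRITICAL = {"mfa", "backups", "incident_response_plan"}

# Fraction of a question's weight that counts as risk for each possible answer.
ANSWER_RISK = {"yes": 0.0, "partial": 0.5, "no": 1.0}


@dataclass
class ScoreResult:
    score: float        # 0.0 (no gaps) .. 100.0 (every control missing)
    tier: str           # "low", "medium" or "high"
    gaps: list          # questions answered "no" or "partial" (or left blank)
    unanswered: list    # questions the supplier did not answer at all


def tier_for(score, gaps):
    """Map a score to a tier; a missing critical control lifts "low" to "medium"."""
    if score < 20:
        tier = "low"
    elif score < 50:
        tier = "medium"
    else:
        tier = "high"
    if tier == "low" and CRITICAL & set(gaps):
        tier = "medium"
    return tier


def score_supplier(answers, weights=QUESTIONS, unanswered_as="no"):
    """Score a dict of {question_key: "yes" | "partial" | "no"}.

    Blank questions are scored as `unanswered_as` (worst case by default) and reported
    separately so the reviewer can chase them up. Unknown answer values raise.
    """
    total_weight = sum(weights.values())
    risk_points = 0.0
    gaps, unanswered = [], []
    for key, weight in weights.items():
        raw = answers.get(key)
        if raw is None:
            unanswered.append(key)
            raw = unanswered_as
        value = str(raw).strip().lower()
        if value not in ANSWER_RISK:
            raise ValueError(f"unrecognised answer {raw!r} for question {key!r}")
        risk = ANSWER_RISK[value]
        if risk > 0:
            gaps.append(key)
        risk_points += weight * risk
    score = round(100 * risk_points / total_weight, 1)
    return ScoreResult(score, tier_for(score, gaps), gaps, unanswered)


if __name__ == "__main__":
    # Constructed sample response: MFA missing, patching partial, backups left blank,
    # no incident response plan, everything else in place.
    sample = {k: "yes" for k in QUESTIONS}
    sample.update({"mfa": "no", "patch_management": "partial", "incident_response_plan": "no"})
    del sample["backups"]
    result = score_supplier(sample)
    print(f"score={result.score} tier={result.tier}")
    print("gaps:", ", ".join(result.gaps))
    print("unanswered:", ", ".join(result.unanswered))
```

The score is the weighted share of missing controls, so it stays comparable across suppliers even if the question list changes, and the gap and unanswered lists give the reviewer the concrete items to raise with the supplier rather than a bare number.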


Expert
Rhand Leal Feb 07, 2023

Please note that to identify the proper questions to send to suppliers you need to consult the results of your risk assessment and applicable legal requirements. Based on the relevant risks and laws, regulations, and contracts you need to comply with, you can define which are the proper questions to send.  

For example, generally speaking, you could send all questions you listed, but in case you do not have relevant risks or legal requirements demanding a disaster recovery plan, then it is not relevant for you to ask the supplier about a disaster recovery plan.

For further information, see:

Step one will provide information regarding risk assessment, while step two will provide information regarding legal requirements.
