Supplier Security Policy

Created:   Mar 13, 2023 Last commented:   Mar 15, 2023

In relation to the Supplier security policy, 

1) is it necessary to perform an audit of cloud-based providers (e.g. Egnyte (files), Xero (finance data), Confluence (knowledge-based)) that are already in compliance/certified with many industry regulatory standards? They are high-risk because of the type of information we're keeping in them, but again, these are already big established companies.

2) the same question as number 1 but for service providers (power, internet, telecommunications)

3) same question as number 1 but for professional outsourcing services such as legal, accounting, etc

 

Expert
Rhand Leal Mar 15, 2023

1) is it necessary to perform an audit of cloud-based providers (e.g. Egnyte (files), Xero (finance data), Confluence (knowledge-based)) that are already in compliance/certified with many industry regulatory standards? They are high-risk because of the type of information we're keeping in them, but again, these are already big established companies.

The need to perform audits on cloud-based providers that are already in compliance/certified will depend on the results of your risk assessment and applicable legal requirements. For example, you may have a contract with a client that specifies that your company needs to perform the audit, regardless of the provider certifications.

What generally happens is that performing an audit of suppliers is not mandatory - very often companies choose to use vendors for high-risk applications without doing the audit because they trust their reputation and their certifications (e.g., Google Gmail, Amazon AWS, etc.). In other cases, it is sufficient to evaluate the audit report of the providers’ certification bodies.

For further information, see:

2) the same question as number 1 but for service providers (power, internet, telecommunications)

The same concept from answer 1 applies to service providers.

3) same question as number 1 but for professional outsourcing services such as legal, accounting, etc

The same concept from answer 1 applies to professional outsourcing services.
