What is third-party governance?

One aspect I see missing from businesses during audits is their governance and risk evaluation of third parties, whether these are partners, suppliers or some other form of third party. But what is third-party governance?

Third-party governance is the process by which an entity such as a business reviews what laws, regulations, industry standards or contractual obligations apply between both parties and checks that they are being honoured. This is usually requested when meeting compliance with ISO 27001, IASME Cyber Assurance or other information security related standards.

The size of the business will dictate the complexity of the actions carried out, but the processes are all similar. Businesses of all shapes and sizes outsource or manage information differently. If third-party businesses have access to your information, this can be a risk to you and your customers, so you need to ensure that your third-party suppliers are doing their utmost to keep that information safe.

But why do businesses need to carry out a review of third-party governance and compliance? Simply put, when you allow companies to have access to your information, you need to be confident that they are following best practices and have put measures in place to reduce risks and vulnerabilities.

It is widely known that data breaches can originate with suppliers, via supply chain attacks, so performing due diligence on your suppliers and partners gives you an overview of where your information is and what controls are in place to safeguard it.

The implementation of third-party governance focuses on ensuring that companies have the necessary compliance in place and that they meet your security controls as well as any regulatory and contractual obligations. By performing an audit of your third-party suppliers, you can have peace of mind in knowing where your data is, who has access to it and what controls they have in place.

Governance reviews can either be conducted remotely via a questionnaire that your supplier completes or, where acceptable, through an onsite audit.

The review should look at all areas of the business and at what processes they have in place for the security and processing of information. Make sure that any certifications are up to date, that you hold current contact information, that you know what information they have and, more importantly, whether they will remove or return that information at the end of the contract. You should be confident that the third-party business has buy-in from senior management and that the necessary operational controls are in place.

It should be noted, however, that you will likely not be able to get some core third-party suppliers to complete your governance reviews. For example, if you are a micro or small business, you will likely fail in getting Microsoft or Google to complete your review. In these instances, you can complete a review yourself from the information that may be available on their website.

You should perform these reviews at least annually, and as part of the due diligence process when bringing on a new supplier.