Recently, with many organisations working from home, we have seen increased scrutiny of organisations that manage information on behalf of other organisations.
One of our clients is an international market research company. They work with large corporates throughout the world, providing insight on new ideas and services. For the first time ever, they have received a security questionnaire from their biggest client. By security questionnaire we mean a form asking various questions about how they manage personal and business information, the checks they undertake on staff, their policies and procedures, training programmes and supplier checks. The questionnaire is designed to ensure that the company being vetted has the appropriate information security and data protection protocols and policies in place. At the time, our client did not meet the requirements for the information security controls and was not considered for some work as a result. Since then, we have worked on their policies and procedures and improved their security controls to ensure that they meet the criteria required by their corporate client.
Another of our clients is a large not-for-profit that uses a number of other companies to process information on its behalf. They have asked us to create a security questionnaire that they can send to the companies supporting them to ensure that the information they are sharing is being held securely.
Depending on your sector and service, you are likely either to need to verify the security of the companies working on your data or be required to confirm that you are holding information securely on behalf of another organisation.
Security questionnaires come in a variety of formats. We have helped organisations complete them in the past, as the wording used is frequently complicated and requires clarification. When they are received from a large corporate, they are usually designed to be sent to all suppliers. This can make them complicated to complete, as the questions or suggested answers don’t always fit your organisation.
The key thing when completing the questionnaire is to make sure you answer the questions as they relate to your business. Don’t try to write what you think they want to know. Often you can provide additional information to explain circumstances. You can also provide policies and procedures demonstrating your understanding and compliance.
If you get stuck or are unsure what you need to be doing, please contact us. We will be happy to help.