Most businesses prefer to outsource some of the services because of cost, or resources reasons or combination of both. Some of the outsourced services, requires special skills, but nonetheless the data outsourced still remains in the eye of the outsourcing company, simply the service provider retain the data and are trusted to be the good custodian and keep the data safe (so it is thought to be the case).
Most of the companies have ‘right to audit’ clause embedded in the agreements and this take a form of third part assessment, you can call spot checks or due diligence or whatever the name fit. Over the years, I have been involved with these sort of assessments, from onsite assessments to reviewing questionnaires or some just send their ISO 27001 certificates and say we are secure, dont worry about your data.
Whilst the effectiveness of the assessment is based on organisation’s risk appetite, personally I have problems with the questionnaire based, which most are self-assessment questionnaire, when the service provider provide response without attaching evidence. I believe onsite assessment provide more value and it is more evidence based assessment.Whilst the issue of costs might be a limiting factor to conduct these sort of assessments, I would take the approach of questionnaire with additional remote assessment via video conference facilities and additional evidence uploading to backup the response.
On the next post I will cover the below aspects of the third party assessment. (1)What needs to be assessed, (2) Framework (3) Frequency of the assessment