Assorted vendor questionnaires and/or other audits, surveys, inquiries, pre-contract assessments, compliance reviews, self-assessments, invitations to tender etc. received by the organization indicate various issues that are evidently of concern to third parties such as customers, suppliers and stakeholders. The same applies to those sent out by the organization to third parties.
The forms and responses are part of the assurance processes associated with:
- Selecting between and contracting with third parties;
- Establishing, checking on and maintaining ongoing business relationships;
- Communicating relevant information, in the hope of concealing or identifying possible issues and concerns (depending on who is providing and consuming the information!);
- Due diligence or due care, satisfying compliance obligations and clarifying liabilities (in the same way that failing to declare relevant matters on an insurance application or claim form can invalidate the cover, the information exchanged or withheld in the course of contracting may become significant in the event of a later incident ... which );
- Increasing understanding and trust between the parties concerned.
Given its importance and value, the associated information (both the blank forms and the responses) perhaps ought to be included in information inventories, leading to the associated risks being managed in the same way as other information risks.
For example, an engineering company might issue a set of specifications and ask a bunch of possible titanium suppliers a set of questions exploring their capabilities to deliver titanium of the specified quality. The criteria that matter most to the customer can be directly inferred from the questions asked, including the way they are worded (e.g. massive clues such as some being identified as "mandatory" requirements, and more subtle cues such as the order of the questions). Other potentially relevant issues that aren't even mentioned on the form are probably of lesser or no concern. Therefore, the blank form gives insight into the customer's key specifications.
A given titanium supplier would handle several such exchanges in a year, gradually gaining a view on their customers' requirements. If, say, the metal's hardness was an issue that came up in every case, that would clearly be a more important product criterion than, say, malleability, ductility, density or purity that were only brought up occasionally. Likewise for vendor capability questions such as financial stability. Is that a universal concern? How does it stand in relation to, say, years of trading or size of company?
So, do you manage the information risks associated with vendor questionnaires and the like? Is this stuff on your risk-radar, or off the screen? I must admit if this hadn't come up on the ISO27k Forum so soon after we had completed the awareness module on assurance, it may not have occurred to me.
By the way, similar considerations apply to other kinds of forms, questionnaires, surveys, audit or self-assessment checklists etc. Both the blank and the completed forms reveal valuable/important information that may be relevant to information risk and security. The questions asked on, say, a passport application form, plus the credentials requested, tell us something about what the passport agency considers important in relation to establishing an applicant's identity, just as an applicant's responses tell the agency about the applicant: it's a two-way exchange of information.