There are parallels between quality assurance and information security. For example, we all partly depend on various suppliers for their [quality|security], hence we need assurance as to the suppliers’ [quality|security] arrangements.
In ISO-land, the preferred approach to this is systematic, i.e. we:
- Identify and consider the [quality|information|business] requirements and risks associated with the relationships, supplies, services etc., separately and perhaps in conjunction with the suppliers;
- Evaluate the risks (obtaining further information if needed), deciding what to do about them, prioritizing and resourcing things accordingly;
- Treat them appropriately according to the risks themselves, the level of assurance required and the business situation;
- Manage, monitor and maintain the arrangements, occasionally reviewing the risks and controls etc.
In more detail, there are several forms of treatment. We can:
- Review, inspect or audit the suppliers in sufficient depth, focusing on the parts of their businesses that materially affect the [quality|security] of the services provided (note: there are many subsidiary options and factors to consider here, such as the frequency and nature of the reviews and the competence and diligence of the reviewers);
- Simply ignore the issue, blindly trusting the suppliers to do the right things and do things right (crudely accepting the risks without additional controls is an abdication of responsibility, but it is disappointingly commonplace in practice, at least outside of ISO-land);
- Rely on the suppliers’ assertions regarding their [quality|security] arrangements, ideally with the benefit of accredited certification;
- Obtain and evaluate additional internal information from the suppliers regarding their [quality|security] arrangements – their [quality|security] metrics for instance, and various reports, policies, procedures etc.;
- Collaborate closely with the suppliers, establishing mutual trust and respect over a considerable period;
- Throw the whole issue at the lawyers to thrash out suitable terms and conditions, requirement specifications, liability clauses, guarantees etc. (again, that approach in isolation does not inspire me personally with confidence, unless supported with suitable additional assurance and compliance controls);
- Manage the [quality|security] aspects dynamically according to the situations, incidents and near-misses that occur and any opportunities that arise (the contingency approach - whatever it is, we'll cope - also expressed as "She'll be right bro" in this part of the world);
- ‘Instrument’ the business processes and activities for [quality|security], ensuring that the [quality|security] situation is measured and communicated promptly, projected accurately etc. (this implies dealing with the measurement costs plus the sensitivity and commercial value of the information, naturally, and has further implications around its integrity and availability);
- Focus on business continuity, resilience and recovery e.g. maintaining a network of alternative suppliers, using generic/commodity services as much as possible;
- Keep all business-critical activities entirely in-house, consciously avoiding the risks of reliance on suppliers/outsiders (easier said than done!);
- Others? What have I missed? Please comment below.