To focus on their core business, many organizations rely on outsourced suppliers to perform support processes. While this approach may bring benefits like costs savings, and access to expert knowledge and state-of-the-art technology, it can also involve risks related to loss of control over how these processes are performed and managed.<\/p>\n
To minimize such risks, organizations should adopt practices to ensure that the processes and deliverables of outsourced suppliers are exactly what they are paying for.<\/p>\n
This article will present some solutions that organizations should consider when performing audits of outsourced suppliers that could impact their information security. These suggestions are based on controls recommended by\u00a0ISO 27001<\/a>, the leading international standard for information security management.<\/p>\n Yes. Basically, there are three types of audits that can be performed, which depend on the relationship between the auditor and the auditee: first-, second-, and third-party audits. For the purpose of this article, only second-party audits will be covered. For information about first- and third-party audits, please see First-, Second- & Third-Party Audits, what are the differences?<\/a><\/p>\n Second-party audits involve two independent organizations that have a relationship established between them. The most common scenario is a customer auditing a supplier, but you also can have a regulatory body auditing an organization that operates in an industry it oversees.<\/p>\n As a customer, you can either use your own personnel to perform a second-party audit on your supplier, or you can hire an external auditor\/organization to perform the audit on your behalf.Can organizations audit their suppliers?<\/h2>\n
\n