Responsible Organisation Programme

Information Security is everyone’s responsibility. Whether you’re a customer, supplier or employer, we all have a role to play in protecting valuable information and data.

A Responsible Organisation can come from many starting points. It may include customers, suppliers, partners, investors, insurers or other interested parties. With the need for greater control over information and data protection in the supply chain, organisations like you are taking this as an opportunity to stand out from the crowd. So what are the factors that set apart those Responsible Customers and Attractive Suppliers from those organisations that are behind the curve?

What are the characteristics of a Responsible Customer?

In terms of supply chain, there are a number of characteristics that would make a customer responsible when it comes to information security and privacy.

• They invest in supplier capability building and shared learning
• They make it easier for smaller suppliers to access help from their Data Protection Officer (DPO)
• Provide support for relevant policies and controls, as well as sharing their own certified practices in a collaborative way
• Organises around supply chain clusters and adopts practices that improve results and reduce Confidentiality, Integrity and Accessibility (CIA) risk for all, not just themselves
• Set expectations and are clear on goals internally and externally e.g. for EU GDPR compliance before deadline
• Effective onboarding, in life management and exit methods to ensure CIA
• They integrate smaller suppliers into parts of their own Information Security Management System (ISMS) rather than dictating costly or prohibitive practices

A Responsible Customer goes beyond ‘comply or die’ messaging and simple rights (or threats) to audit, and instead opts for the Educate and Encourage approach.

What are the characteristics of an Attractive Supplier?

What we are really asking here, is what would make suppliers more attractive to the customers they seek, in terms of information security?

• An attractive supplier will have a ISMS that is certified and recognised by achieving ISO 27001:2013
• They would be open to sharing their ISMS with customers using dynamic ‘always on’ demonstration
• They can demonstrate their positive reputation and results with other customers
• They will either have not suffered from adverse incident publicity (or have recovered well from it)
• Thier customer facing staff (sales, operations, services) take the subject information and data security seriously and they promote good behaviours in their work with customers and prospects
• They have a plan for EU GDPR before deadline
• Is able to demonstrate its own supply chain is engaged and secure too

What do they both have in common?

There is little to no point in simply reading off information security policies and thinking that this will be enough for your organisation. These principles need to be in the soul and DNA of you, your workforce and every entity that you do business with.

Responsible customers and attractive suppliers ensure that the strategy they take to information and data security is in line with the ethos of the organisation. This not only makes it easy to live day to day, but it also increases your staff and stakeholder buy in.

• Engaging & meaningful staff communications/awareness
• Able to describe and demonstrate their ISMS is working
• Privacy and security by design including PIA
• Rewards & consequences