I am currently engaged in a distance learning project researching third party or supply chain risk assessment and I would greatly value the input of (ISC)2 members. In my experience, it’s an area where I think a lot of organisations struggle and it is one which is becoming increasingly important. Security of the supply chain features in regulations such as EU GDPR and the EU NIS Directive and also sector-specific regulations such as New York's 23 NYCRR Part 500 and the UK Civil Aviation Authority's CAF 1574. Generally, regulators are not specific on the methods that should be used. There are multiple risk assessment frameworks that could be used, a selection of online survey tools and, of course, the offline questionnaire.
The survey aims to find answers to questions such as: How do differing organisations approach risk assessment? Do organisations tailor assessment requirements to the criticality of the supplier? How frequently do assessments take place? Which is the most effective approach?
The survey will take between 2m to 20m depending on the responses. Naturally, all responses will be treated in strict confidence. The respondents and their organisations will remain anonymous and will not be named in the report. I have selected a GDPR compliant survey platform which is hosted in the EU and all data will be destroyed after the report has been written and submitted.
I would be really grateful for your help with the survey as I would like to reflect different geographies and organisation sizes in the results. I can offer a copy of the research report (dissertation) and entry into a prize draw for Amazon vouchers as a ‘thank you’ for your input.
Thanks to everybody who has responded, and a reminder that there is still time to contribute to the survey.
The survey is here: https://3rdpartyassessment.questionpro.eu
As promised above, I will provide a copy of the report and there is the associated prize draw as a 'thank you' for your time which should be limited to between 2 - 10 minutes. If you are involved in third-party security risk assessments, I'd welcome your input please.