Is there a suitable alternative to vendor risk assessments?
It is accepted among third-party risk professionals that survey-style assessments are not a perfect tool. Even so, nothing better has emerged for creating a standard test that can be deployed en masse.
Over the years several companies have attempted to create centralised, pre-answered vendor assessments, and all have failed on the issues of control and trust. The model has been for the intermediary to reach out to suppliers, collect their answers in advance, and then make that data available to consumers for a fee or as part of a broader offering.
The problem is that, however painful suppliers find due diligence assessments, they do not want to hand sensitive information about their security controls to an intermediary, nor do they want to give persons they have never vetted the opportunity to release that data, whether deliberately or through a breach.
The other model is to create a question set that both suppliers and consumers agree on, so that suppliers can prepare answers against that question set in advance and consumers can then draw on the elements that interest them. Some companies are making good money from this method. Still, the barrier to entry is high: both suppliers and consumers must not only agree on the same standard but also typically pay a subscription to use the question set.
Interestingly, standards such as ISO 27001 often appear in assessments as a specific question about whether the supplier holds the certification. The same assessment will then go on to ask detailed questions about policies and procedures that must already be in place if the company is certified.
This indicates either that little care has been taken in constructing the third-party assessment or that certification against these standards is not trusted. Either way, the certification earns the supplier nothing in the assessment, so companies fall back on statements like "we're compliant with ISO 27001, but not certified".