Completing a data security questionnaire

Add to: Digg Add to: Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Monday December 16, 2013 at 10:00am
With a global focus on data security it’s hardly surprising to see more and more businesses insisting that suppliers comply with rigorous information management controls. For many small businesses the request for completion of a data security questionnaire may seem an onerous task, but when it could mean the difference between winning (or keeping) a lucrative contract it’s one that has to be undertaken, and undertaken well.

Having been practicing in compliance management systems for twenty years and ten years in ISO27001, I am always amazed at the ‘un-coordinated’ approach that SME’s take to the effective management of data security questionnaires from their key customers.

Data security questionnaires really seem to have picked up rapidly after the Hannigan report into mass data loss in the public sector a number of years ago. Prior to this SME’s did not really appear to be too troubled with regards intrusive questioning of their data handling techniques. The increased fines the ICO can now impose has also ‘sharpened’ the focus. Prior to this, fines for data loss were somewhat perfunctory at best.

I have seen owner-managers literally wrecking their most important relationship with a premier customer through pure ignorance and application of factually inappropriate submissions.

Having reviewed dozens of such completed questionnaires over the years I offer these words of advice to owner-managers when faced with these byzantine questionnaires.

Be familiar with the information security standards in ISO 27001

As, in most cases, data security questionnaires are predicated upon ISO27001: 2013 the International Standard for information security be familiar with these standards. In the US SAS 70 is often referred to. Questionnaires largely take themes from the Standard and group into topics of ‘check-points’ that the supplier must fill in.

So, if your business does not have ISO27001 and holds data, it might be a good investment to purchase a copy of this International Standard.

Once purchased, I would advocate creating an Excel spreadsheet and working through all the topics and juxtapose with your current arrangements in-house.

Often there will be ‘yawning gaps’. But, you must start somewhere.

Don’t second guess what is required
Secondly I would strongly recommend understanding some of the key terms and definitions within questionnaires, by conducting some simple research.

Show how you are addressing gaps in security

Thirdly, where gaps appear. Try and detail carefully how your business may improve a data security control – aligned with requirements of the Standard.

Careful preparation and appreciation of the data security topic and its lexicon may appear beyond the remit for some. But look at the situation like this: to be receiving data security questionnaires, you are likely to be holding valuable data. As such maintaining a copy of ISO27001 and appreciating its format is not too much to ask.

After all, if you reply incorrectly you may just lose that valuable customer contract.

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here