Simplifying Third-Party Risk Management

Expert insight into DORA’s impact and securing your supply chain

Andrew Pattison has 30 years’ experience in information security and risk management, having worked in GRC (governance, risk and compliance) since 1994. He holds an MSc in Information Systems Management, as well as CISM® and CRISC® certifications.

Now, he’s the head of GRC consultancy at IT Governance Europe. Among other responsibilities, he leads our ISO 27001 training courses.

We previously chatted to Andrew about simplifying your ISO 27001 risk assessments. These are a fundamental requirement to both ISO 27001 and information/cyber security in general. So, we sat down with him for another chat on this topic.


In this interview

  • What Andrew likes about risk assessment.
  • The importance of keeping risk assessments simple.
  • How DORA might change how organisations manage risk.
  • How organisations can simplify supply chain risk management.
  • Considerations around risk when outsourcing, e.g. to a Cloud provider.

Why do you like risk assessment so much?

I like how you get answers if you conduct a risk assessment well. I also enjoy the intellectual challenge.

Although people tend to think of them as complex, they’re more about doing the simple things well. That can be difficult to achieve. As I said previously, the nature of these processes is that you complicate things whenever you properly look at and address your risks.

What may also make risk assessment more challenging – at least, to some people – is the fact that they’re not terribly exciting. Again, it’s about doing the simple things well.

I suppose you could say the same about cyber and information security in general. They’re about keeping it simple.

Yes, exactly. I generally like to simplify things – not just risk assessment.

For instance, take the 18 CIS Critical Security Controls. This framework talks about ‘safeguards’. But what are safeguards? They’re controls!

I see this a lot. New frameworks constantly emerge, and they always try to make it look as though they’re doing something different. In truth, they rarely do. There are only so many ways you can require access control, for example.

The same applies to a wide range of other basic measures. They might introduce new words, but rarely new concepts.

New regulations have that same pattern. Often, you just need to figure out how they map onto an existing framework.

For example, the relatively new DORA [Digital Operational Resilience Act] requires a few basic things: risk management, for example, but also incident response, security testing and supply chain risk management.

You can easily map such requirements against those of ISO 27001 and other existing frameworks.

Note: Andrew talked in more detail about how you can simplify DORA compliance with ISO 27001 in this interview.

Will DORA change the way organisations manage risk?

Well, I certainly hope that the DORA Regulation will encourage organisations to get a better handle on their supply chains.

Supply chains tend to be incredibly complex. In my experience, supply chain risk assessment is something that virtually all organisations struggle with.

So, it’s great that DORA is giving organisations an incentive to make them more straightforward! Because this will also simplify compliance, as well as generally improve efficiency and reduce costs.

And, of course, this simplifies risk management.

How can organisations simplify supply chain risk management?

DORA focuses on organisations that are critical to the EU economy and society at large. Specifically, financial organisations and their ICT supply chains. EU lawmakers are making Europe as a whole more robust by focusing on the critical entities.

Simplifying risk management works in a similar way. Identify your critical systems, services and data first – the ones that are sensitive and/or that you couldn’t run your business without.

Then, look at what the risks to those critical assets are. Or, in the case of supply chain management, which suppliers may affect them.

Let me give you a sense of the numbers. If an organisation has 1,000 suppliers, only 30 may actually be critical. Maybe even fewer. So, you’re looking at tiny percentages.

With that in mind, categorise your suppliers by asking:

  • Which are critical?
  • Which have access to your most sensitive data?
  • Which are running systems that, if disrupted, prevent you from doing your day-to-day business activities?

Concentrate on those first.

What else should organisations be aware of when outsourcing?

Organisations, and especially managers, often see outsourcing a service as outsourcing a problem. They tend to see the benefits alone, and overlook the risks.

But what outsourcing really does is change the nature of the risks. It doesn’t eliminate them.

I hope that through laws like DORA, organisations will start looking at this differently. DORA explicitly requires organisations to manage the risks in their ICT supply chain. This allows them to understand the risks better, and be better able to articulate them.

So, when the organisation makes decisions about outsourcing, it’s looking at the full picture – not just the benefits.

Outsourcing isn’t getting rid of a risk, but sharing and changing it.

For example, suppose you moved your information into the Cloud. You’d then get the real benefit of access to technical services and functions you may not have internally. That’s particularly true for smaller organisations.

However, you also introduce the risk of being reliant on security measures over which you have limited or even no control.

What should organisations be aware of when sharing the risk with a Cloud service provider?

Again, there are lots of benefits to the Cloud, but there are also risks – most notably, losing control of your data.

Be aware that by outsourcing to a Cloud provider, you’re sharing the data. So, who can access it now? Is it just your service provider, or some other third party or parties it’s contracting?

If there is a third party, how secure is it? Where is it based? If outside the EU, are you legally permitted [under the GDPR] to share data with it? Also, if you delete information on your end, is it really deleted?

With the Cloud, you’re dealing with virtualised servers. Those are often part of huge infrastructures backed up elsewhere. That’s very different to conventional servers, whose hard drives you can physically destroy. So, again, where is that information, and can you truly delete it?

You have to understand the risks involved, so that you can do something about them as well as weigh them up against the benefits.

Also, recognise that there’s a trust boundary involved: you must trust the other party to do what they say they’re doing. That said, there are certain things you can do. Checking whether they have ISO 27001 certification, for example, and asking questions like the ones I just did.


Keen to reduce errors and improve the completeness of your risk management processes?

CyberComply is a Cloud-based, end-to-end solution that simplifies compliance with a range of cyber security and data privacy standards and laws, including ISO 27001 and DORA.

This SaaS platform will help you manage all your cyber security and data privacy obligations in one place. You’ll gain immediate visibility into critical data and key performance indicators, and stay ahead of regulatory changes.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.

In the meantime, if you missed it, check out our last Expert Insight blog, where Mark James, privacy consultant at our sister company DQM GRC, gave us his expert insights into data seeding.
