Security assessments are meant for evaluating an organization's readiness against a common security framework, such as NIS2 or ISO 27001.
With vendor security assessments, an organization using Cyberday can improve its supply chain security by monitoring the readiness of its suppliers and encouraging them to improve their own information security management.
Related article: Filling security assessments
Categorizing your vendors
Quite often organizations have at least 3 types of vendors, differing in their importance to you and in your bargaining power over them.
- High importance, low bargaining power: The global giants (e.g. Microsoft, AWS) that are often strongly certified and that you can't really influence as a customer.
- High importance, high bargaining power: The important suppliers that you've chosen to trust (e.g. the provider of your ERP system, your sales partner) and from whom you can demand something.
- Low importance: The ones who don't have a big impact on your security posture.
Aim your security monitoring efforts (e.g. your vendor security assessments) at the 2nd category.
To categorize your vendors, you can utilize this section on the documentation card:
Sending vendor security assessments
To prepare for sending an assessment to a vendor, you need to complete these steps:
- Categorize the vendor as requiring "Own monitoring actions"
- Fill in the email address the security assessment should be sent to
Once you've done these, you will see a section for sending the assessment to the corresponding vendor.
Vendor assessment settings and overview
Vendor management features are located under the "Partner management" ISMS theme. You can see an "Assessments" tab on the front page of the theme, displaying the key metrics:
From the assessment settings modal, you can select the security framework to base your assessments on.
Tip: Utilize a framework that is familiar to you, so you get more out of the vendor responses.
Experience for vendors receiving the assessment requests
Once you decide to send out assessments, vendors will receive an email like this:
The button will take them immediately to the assessment, without any signups or other obstacles.
After the vendor has filled out the assessment, they will see an overview of their results on a report.
The vendor can also choose to create their own Cyberday account on the last step and have all the information they filled in imported immediately into their new ISMS.