Having practised in data security for seven years, I am always amazed at the uncoordinated way SMEs handle data security questionnaires from their key customers.
Data security questionnaires really picked up after the Hannigan report into mass data loss in the public sector a number of years ago. Before that, SMEs were rarely troubled by intrusive questioning about their data handling practices. The larger fines the ICO can now impose have also sharpened the focus; before that, penalties for data loss were perfunctory at best.
Many directors of SMEs go about responding to a customer questionnaire in completely the wrong way. The questionnaire arrives and is completed superficially, without any detailed assessment of what is actually being asked.
Often I see a particular question completely misunderstood, and in consequence a response is put forward that is irrelevant to the question asked: a description of the backup schedule, say, in answer to a question about access rights reviews.
Indeed I have seen owner-managers wreck their most important relationship with a premier customer through sheer ignorance and the submission of answers that were factually inaccurate or beside the point.
Having reviewed dozens of such completed questionnaires over the years, I have often advised a complete rewrite. The director will look at me amazed, as if to say there was nothing wrong. Sadly, there was often little right in these submissions.
So what are the pitfalls, and what can an owner-manager do when faced with these byzantine questionnaires?
In most cases data security questionnaires are predicated upon ISO/IEC 27001:2013, the international standard for information security management. In the US, SAS 70 is often referred to (it has since been superseded by SSAE 16 and the SOC 1 / SOC 2 reports). Questionnaires largely take their themes from Annex A of the standard, which in the 2013 edition groups 114 controls into 14 domains (A.5 to A.18), and turn them into topics of 'check-points' that the supplier must fill in. Because the questions follow that structure, a question that seems obscure can almost always be traced back to the Annex A domain it is testing.
So, if your business does not hold ISO 27001 but does hold customer data, it is a good investment to purchase a copy of the standard.
Once purchased, I would advocate creating an Excel spreadsheet, working through every Annex A domain and setting each control against your current arrangements in-house: what you actually do, and where it is written down.
Often there will be yawning gaps. But you must start somewhere, and a gap recorded honestly with a remediation plan is far better received than a gap papered over with an irrelevant answer.
Secondly, I would strongly recommend learning the key terms and definitions used in questionnaires by doing some simple research, so that a question about, say, 'logical access control' or 'business continuity' is recognised for what it is. Thirdly, where gaps appear, detail carefully how your business will improve that data security control, aligned with the requirements of the standard, and give a realistic date.
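The three steps above can be kept in a spreadsheet, but the same register is easy to hold in code, and doing so forces the discipline the text asks for: every Annex A domain is accounted for (an unmentioned domain is a gap, not a blank), and every questionnaire question is tagged with the domain it is really testing before an answer is drafted. The following is an added example written for this article, not the author's own material or any ISO document. The 14 Annex A domain numbers and titles are those of ISO/IEC 27001:2013; the in-house control rows, the questionnaire questions and the three-value status scale are constructed for illustration.

```python
"""Gap analysis of in-house controls against ISO/IEC 27001:2013 Annex A domains,
with a drafting aid that maps questionnaire questions to the domain they test.
Added example for this article; sample data below is constructed."""
from dataclasses import dataclass
from collections import Counter

# The 14 Annex A control domains of ISO/IEC 27001:2013.
ANNEX_A_DOMAINS = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}

# Illustrative maturity scale (an assumption of this example, not from the standard).
STATUSES = ("implemented", "partial", "none")


@dataclass
class Control:
    ref: str        # Annex A domain, e.g. "A.9"
    status: str     # one of STATUSES
    evidence: str   # where the in-house arrangement is documented, or "" if nowhere


@dataclass
class Question:
    qid: str
    text: str
    domain: str     # the Annex A domain the question is actually testing


def build_register(rows):
    """Validate (ref, status, evidence) rows and index them by domain.
    Any domain the business has not considered is recorded as 'none', so an
    overlooked area shows up as a gap instead of vanishing from the analysis."""
    register = {}
    for ref, status, evidence in rows:
        if ref not in ANNEX_A_DOMAINS:
            raise ValueError(f"unknown Annex A domain {ref}")
        if status not in STATUSES:
            raise ValueError(f"bad status {status!r} for {ref}")
        register[ref] = Control(ref, status, evidence)
    for ref in ANNEX_A_DOMAINS:
        register.setdefault(ref, Control(ref, "none", ""))
    return register


def gaps(register):
    """Domains not fully implemented, worst first, in Annex A numeric order."""
    order = {"none": 0, "partial": 1}
    return sorted((c for c in register.values() if c.status != "implemented"),
                  key=lambda c: (order[c.status], int(c.ref.split(".")[1])))


def coverage(register):
    """Count of domains per status."""
    counts = Counter(c.status for c in register.values())
    return {s: counts.get(s, 0) for s in STATUSES}


def draft_answers(questions, register):
    """For each question: (qid, domain, domain title, status, suggested answer).
    The suggested answer is driven by the domain's real status so that the reply
    addresses the question asked and never overstates what exists."""
    out = []
    for q in questions:
        c = register[q.domain]
        if c.status == "implemented" and c.evidence:
            line = f"Yes. See {c.evidence}."
        elif c.status == "implemented":
            line = "Yes, but no documented evidence; document before submitting."
        elif c.status == "partial":
            line = f"Partially. {c.evidence or 'Describe what exists'}; state remediation plan and date."
        else:
            line = "No. State the control to be introduced and target date."
        out.append((q.qid, q.domain, ANNEX_A_DOMAINS[q.domain], c.status, line))
    return out


# Constructed sample data: a small firm's honest self-assessment and four questions.
SAMPLE_ROWS = [
    ("A.5", "implemented", "Information Security Policy v2.1, approved by the board"),
    ("A.7", "implemented", ""),
    ("A.9", "partial", "AD group membership controls access; no periodic rights review"),
    ("A.10", "none", ""),
    ("A.12", "implemented", "Nightly backups, restore test log, endpoint AV"),
    ("A.16", "partial", "Staff told to email IT; no written procedure"),
]
SAMPLE_QUESTIONS = [
    Question("Q1", "Is there a documented information security policy approved by management?", "A.5"),
    Question("Q2", "Are user access rights reviewed at regular intervals?", "A.9"),
    Question("Q3", "Is customer data encrypted at rest and in transit?", "A.10"),
    Question("Q4", "Is there a defined procedure for reporting security incidents?", "A.16"),
    Question("Q5", "Do staff receive information security training at induction?", "A.7"),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_ROWS)
    print("coverage:", coverage(reg))
    for c in gaps(reg):
        print(f"GAP {c.ref:5} {c.status:12} {ANNEX_A_DOMAINS[c.ref]}")
    for qid, ref, title, status, line in draft_answers(SAMPLE_QUESTIONS, reg):
        print(f"{qid} [{ref} {title}] ({status}): {line}")
```

Run as a script, it prints the coverage counts, the ordered gap list and a suggested answer per question. The point of the `draft_answers` output is the last column: the answer is generated from the status of the domain the question maps to, so a cryptography question cannot accidentally be answered with the backup schedule, and a domain with no evidence is flagged before the form goes to the customer.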
Careful preparation and an appreciation of the data security topic and its lexicon may seem beyond the remit of some. But look at the situation like this: if you are receiving data security questionnaires, you are almost certainly holding valuable data. Keeping a copy of ISO 27001 to hand and understanding its structure is not too much to ask.
After all, if you reply incorrectly you may just lose that valuable customer contract.