Find out how the Cyber Essentials based Supplier Cyber Security Questionnaire may help you protect your business
Who should use this CE-based Supplier Cyber-Risk Questionnaire
With increasing threats of cyber-terrorism, malware and data theft, prioritising good information security practices within a business is key to avoiding fines, reputational damage and loss of business. Common weaknesses often originate in the supply chain or with third parties, and because that risk is widely spread, a risk-proportional approach to questionnaires in this area is useful. The questionnaire is intended for organisations that wish to avoid dealing with non-compliant suppliers and minimise their exposure to high-risk data practices. It will assist with ensuring a foundational level of information security within an organisation, particularly where the risk is low. As such, it is a useful baseline standard of security in a supply chain.
How this Supplier Security questionnaire was developed
This questionnaire is based on the government-backed Cyber Essentials scheme, designed to help protect organisations of various sizes against a whole range of the most common cyber attacks. The content of the scheme covers some of the most basic cyber-security practices that an organisation can adopt. The questions in this Supplier Cyber Security Questionnaire in Rizikon Assurance are derived from those that an organisation answers when applying for Cyber Essentials, and the scoring is also highly correlated with that of the scheme.
Cyber Essentials Supplier Questionnaire Questions, sections and scoring
The structure of this CE-based Supplier Checklist covers the fundamental areas of Office Firewalls and Internet Gateways, Secure Configuration (such as password procedures), Patches and Updates, User and Administrative Accounts, Malware Protection, and others. It also gathers basic information on the company in question and the scope of the questionnaire, so that the relevance of the questionnaire is clear. There are only 9 sections in total. The questions are “negatively” scored on a tiered basis – answers can be provided that are scored either Minor, Major or Fail, whereas compliant answers simply remain un-highlighted. These scores indicate that the organisation is potentially not operating within the Cyber Essentials pass mark. Minor scores indicate advisory notes, whereas Majors and Fails indicate serious non-conformity with best practices as outlined in the scheme. The overall questionnaire score is inherited from the most severe question score provided, highlighting the supplier's point of least compliance.