
A Standardized Approach for Efficiency 

Let's talk supplier questionnaires!  

 

It's easy to gloss over how long it takes for everyone involved to undertake supplier due diligence. Typically, information from potential suppliers is collected via a Word document or an Excel spreadsheet to assess the risk associated with working with that supplier or for them to process the compiled data.

Manually reviewing this information is arduous and open to human error. Getting the information out of these documents and into reporting platforms and dashboards can involve manual rekeying, adding more time to the review process and increasing overall risk.  

 

Larger suppliers have the resources, but at the other end, start-ups, SMEs, lone practitioners, barristers, and advisors have a huge issue. They must fill out a different questionnaire for every company they work with. Sometimes taking weeks to finalize, this crucial process can be a bottleneck in the procurement pipeline. What if there were a way to simplify collecting this information and standardize the questions?

 

Standardization across suppliers' due diligence will make it easier for everyone involved while maintaining essential checks to ensure cybersecurity standards. In collaboration with a group of UK CIOs and CISOs, we took the infosec questionnaire as a starting point, used the NCSC's Cyber Assessment Framework (CAF) as the basis of the questions, and created a standard questionnaire.

 

Organizations can use this automated questionnaire to send to potential suppliers via a link; the supplier clicks the link, fills in the answers and attaches any required copies of certificates or policies. Once complete, the supplier receives a PDF back with their completed answers. The company supplying the questionnaire receives an updated record with a copy of the document for their records, and the captured data can be used to update their dashboards or reporting systems automatically, reducing the time it takes to update and review. By standardizing this approach across industries, suppliers can ensure they work towards the principles required by the NCSC, and the time to answer is expedited.

 

While the CAF provides a robust methodology, it does not eliminate the need for expertise and sector knowledge in assessments. The Indicators of Good Practice (IGPs) offer a solid baseline but should be applied with relevant NCSC guidance on the principles. Conclusions require factoring in additional considerations and unique circumstances.

 

Assessments demand informed judgment - the CAF is a starting point, not an endpoint. For more on conducting quality assessments, see the NCSC's CAF guidance page: NCSC CAF guidance - NCSC.GOV.UK

 

More about CAF 

The Cyber Assessment Framework (CAF) is a comprehensive cyber resilience evaluation tool developed by the UK's National Cyber Security Centre (NCSC). Designed to be used by organizations themselves or independent regulators, the CAF provides a systematic approach to assessing cyber risk management. It builds on the NCSC's 14 high-level cyber security principles and includes detailed Indicators of Good Practice to evaluate whether desired outcomes are being achieved.

 

While the CAF was created to support cyber regulation, the NCSC has no regulatory authority itself. Organizations should consult relevant regulators on utilizing the CAF to demonstrate compliance. The CAF enables organizations to thoroughly assess their cyber resilience against established best practices. As cyber threats evolve, it offers a robust methodology for identifying and addressing potential vulnerabilities.

 

The full Cyber Assessment Framework is available on the NCSC website for those interested in learning more about this cyber risk evaluation approach.

 

Samantha Jefferies

Sam Jefferies is an experienced sales leader with more than 20 years in the IT and Technology industry. Having held various management and leadership positions in IT Sales & Marketing, she has experience that stretches across many client sectors and includes many of the UK FTSE 100 and Global 500 clients. Sam found her way back into the LegalTech arena in 2017 and has since worked at DocsCorp, Litera, Fliplet and currently, Kim Document, where she focuses on removing the complexity of document automation.
