Supplier Audits

As per the requirements imposed by Article 8 of the Communiqué on Principles to be Considered in Information Systems Management in Banks published by the BRSA, banks are obliged to audit the information security level at their suppliers, as well as within their own organization. Non-compliance with these requirements is subject to penal sanctions.

The objectives of supplier audits include the following, among others:

  • Evaluate the decision to cooperate with a supplier with respect to profitability,
  • Specify expectations in contracts made with suppliers; communicate these expectations to the counterparty by duly incorporating them in the contract, and audit compliance with them,
  • Analyze the risks involved in the cooperation with the given supplier,
  • Avoid the potential consequences resulting from the supplier’s possible inactivity.

Depending on the organization’s needs, there are four types of audits:

  1. Startup Audits: Highly comprehensive audits during which new supplier firms that will start working with the organization are audited in detail and information security risk level is established.
  2. Regular Audits: Comprehensive audits during which supplier firms working with the organization are audited at regular intervals on the firm’s campus and information security risk level is established.
  3. Follow-up Audits & Progress Reporting: Audits conducted on a mutually set date, or no later than 3 months after a critical vulnerability is identified and recorded in the audit report. The scope of such an audit is restricted to the vulnerabilities identified during the earlier audit.
  4. Emergency Audits: Extensive audits during which the elements relevant to a specific case are audited in detail, in the event of an information security incident experienced by a supplier firm working with the organization; the information security risk level is established exclusively for the elements connected with the emergency.

Basically, the need-based scope of work covers the following:

  • Documentation
  • Internal Risk Assessment Processes/Methods
  • Management System Initiatives (CGS, ISMS, BCMS, EMS, …)
  • Security Processes/Assignment
  • Physical Security
  • Personnel Security
  • Information Asset Acquisition/Disposition
  • System Management
  • Technology Security
    • Network Security
    • Application Security
    • Server/Client Security
  • Business Continuity
  • Supplier/Customer Communication Processes Security
  • PCI DSS Compliance Level