Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

Auditing Suppliers and Third Parties

Flexible range of audit services from planning and implementing to conducting individual audits

Auditing Suppliers and Third Parties

It has always been the case that many organisations rely on third parties to deliver products and services to enable their businesses to function effectively.  With the advent of cloud services, and the increasing number of cloud-based products and services on offer to organisations, third party reliance is likely to increase further in the future.

But how do you know that the service you are receiving from your third parties meets all of your expectations, particularly in terms of information security?

The obvious answer is to audit your third parties against your policy and control requirements in order to verify that they are operating as you expect them to.  However, with an increasing number of suppliers to audit, many organisations simply do not have sufficient resources.  In addition, a number of organisations do not have the specialist technical knowledge to assess their cloud-based service providers.

Prioritisation of Suppliers

URM can support you in auditing your suppliers and other third parties (confusingly referred to as second party audits!).  The first step is helping you understand the extent that you rely on each third party and the importance of its services to your organisation.  Understanding the risks that the individual third parties present to your business from an information security, business continuity and quality perspective, will help you in prioritising your second-party audits.

You may find that low-risk third parties can be adequately dealt with by a self-assessment questionnaire, leaving audit resources available to focus on the higher-risk third parties.  Abriska 27036, URM’s Supplier Risk Management Tool, can play a valuable role here.

Range of Auditing Services

Having identified your high-risk third parties, URM can offer you a range of services from a full audit service programme to conducting ad hoc or selective second party audits on your behalf.  With a full audit programme, we will propose a methodology and schedule for conducting audits of your suppliers and third parties.  In conjunction with you, certain suppliers will be prioritised based on factors including criticality, risk assessment findings, incidents, previous audit findings or contractual requirements.

In terms of conducting audits, our auditors are not only experienced in performing all types of process and system-based audits, but are also geographically located around the country.  As such, should you be looking for an on-site audit to be carried out anywhere in the UK, we can accommodate your needs.

At the end of the audit, you will be presented with a comprehensive report, adopting your audit approach, your internal style and your template.  URM can help you with any action/nonconformity management of your third parties through to a successful conclusion or you can manage this yourself.

Either way, drawing on URM’s expertise can provide you with resource flexibility to deliver an effective and appropriate third-party audit service.  Such a service will help assure your stakeholders that your third parties meet your information security or business continuity requirements and that you are managing your supplier risk.

Get in touch

Please note, we can only process business email addresses.

Why URM?


Audit and subject matter specialists

URM’s expertise incorporates a combination of auditing skills (e.g., CISA and PCI QSA qualifications), knowledge of standards (e.g., ISO 27001, ISO 22301, ISO 9001 and PCI-DSS), IT technical knowledge (e.g., databases, networking, operating systems and applications) and the interpersonal skills necessary to extract the maximum information from interviewees.  URM guarantees that the competence requirements from Clause 7.2 of ISO 27001, 22301 and 9001 will be met in respect of its auditing services.

ISO certification specialists

When conducting internal audits for those organisations certified to ISO 27001/22301/9001 etc, URM is hugely experienced in understanding the assessment requirements of certification bodies.  This has been gained through assisting hundreds of organisations achieve certifications, sitting in on many of the assessments, as well as the fact a number of URM’s auditors are ex-certification body assessors.  As such, when conducting internal audits, we will ensure the same reporting approach to nonconformities etc will be adopted.  It is also guaranteed that all of the mandatory internal audit requirements from Clause 9.2, along with the control requirements from ISO 27001 will be satisfied if the whole of your internal audit programme is outsourced to URM.

Flexible and pragmatic

URM can offer your organisation a flexible range of audit services from planning and implementing a full 3 year’ ISO 27001 audit programme, to conducting individual audits against any aspect of the ISMS or any specific controls.  Our auditors are also able to apply a pragmatic business-based approach to audit requirements.

Information Security FAQISO 27001 FAQ

Developing an ISO 27001 Information Security Policy

Published on
5/11/2024

URM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.

Read more
Thumbnail of the Blog Illustration
Internal Audit
Published on
18/10/2024
Internal Auditing of Management Systems

URM’s blog explains how to plan and execute effective and conformant internal audits of management systems at each stage of the internal audit process.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
4/10/2024
Implementing and Auditing ‘People Controls’ from ISO 27001:2022

URM’s blog explains why ‘people’ warrants its own control theme in ISO 27001 and how to prepare for a people controls audit, offering advice for each control.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
20/9/2024
ISO 27002, the Unsung Hero

URM’s blog explains what ISO 27002 is, how it can benefit your organisation, & how you can use it to support your implementation of an ISO 27001-conformant ISMS

Read more
"
The partnership approach URM takes is genuine. Our relationship with URM is not hard-nosed or overly commercialised, and feels much closer to a partnership arrangement than any other security consultancy providers we have worked with. If we had a new piece of work that we needed external help with, URM would be our first port of call for assistance.
CISO at University of Surrey
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.