
Adopt a centralised supplier management procedure

Written by Cyberangels
Updated over 2 years ago

When procuring from a third-party supplier, the risk arising from that activity has to be managed; it is therefore important to use procedures that govern the purchase and sale of IT supplies by public and private companies in a consistent and uniform manner. Among the many activities required for proper supplier management, the risk analysis, control and mitigation process (risk assessment, risk management and risk remediation) deserves particular emphasis: it is the core around which the main ISO standards defining quality procedures (ISO 9001:2015) and information security management (the entire ISO/IEC 27000 family) are built.

Implementing appropriate risk management plans is particularly necessary both to procure the required security protocols correctly and to equip the procurement process with a record of successes and failures that can guide the parties involved towards a culture based on foreseeing and preventing uncertainty.

The main features to be observed in a risk management process include:

  • a deep knowledge of the organisation, the context in which it operates and its main objectives;

  • a correct identification of the company's functions, processes and assets, accompanied by an appropriate change management plan for them;

  • a continuous and constantly updated classification of critical processes and processed data, with the adoption of the countermeasures needed to mitigate possible risks;

  • formal documentation (a policy), kept constantly updated and periodically delivered to trainers through dedicated training sessions.

Business Impact Analysis

In turn, Risk Assessment activities cannot disregard an impact analysis, whose aim is to determine the impact and repercussions on the company's business of internal or external events that could interrupt production or the provision of services.
