Information security risk assessments for new third parties

How to request an information security third-party risk assessment for new suppliers, services, products or applications that are not already supported by IT Services.

The information security risk assessment is a due diligence activity that provides assurance about the overall security controls of a supplier and of the services and products it provides.

As outlined in sections 4.2 (New Processing) and 4.10 (Third Party Processing) of the University's Data Protection Policy, an information security third-party risk assessment is required for every new supplier, service, product and application.

Benefits of risk assessments

Information security third-party risk assessments are completed for new suppliers, services, products and applications to ensure that the University processes its data, and grants access to it, in a manner that is appropriate and proportionate to the risks involved.

Key benefits

  • Gain assurances that our suppliers and products are appropriately protecting the University’s data
  • Reduce the risk of information security incidents
  • Make management aware of the supply chain risks to the University’s data
  • Standardised assessment methods ensure a consistent approach to measuring supply chain and product risk
  • Ensure compliance with legal and policy requirements
  • Enable informed decision making when selecting new suppliers

Lead Times

The time taken to complete an Information Security third-party risk assessment varies with many factors, but from start to completion requestors should expect a timescale of roughly 4 weeks. This lead time depends in part on how quickly the supplier responds to the Information Security team's questions.

Process Overview

1. New IT Product Request via your Business Relationship Manager (BRM)

2. Information Security self-assessment form

3. Self-Assessment review

  • The completed self-assessment form is reviewed by a member of the Information Security team.
  • Depending on the review, the potential supplier may be asked to complete a supplier questionnaire or to answer specific questions.
  • The results of the review are reported back to your BRM, who will contact you.

4. Data Protection Impact Assessment (DPIA)

  • A DPIA may also be required, depending on the nature of the request and the outcome of the review.
  • If so, your BRM or a member of the Data Protection Team will contact you.