Third-Party Risk Management
The Third-Party Security Risk Management Service enables the necessary measures to be taken and a sustainable security structure to be established within supply chain processes and applications. The overall aim of this service is to minimize the risks arising from the third-party companies on which organizations depend, as external sources essential to their operational and business management processes.
In order to establish a sustainable and reliable supply chain through the supplier security service, the processes, assets, processed data and system accesses operated by the parties within the corporate structure are defined accurately and in detail. With this service, security vulnerabilities that may originate from suppliers are readily identified, and the solutions for these vulnerabilities are brought into compliance with the relevant international standards on information security and supply chain management. The service also helps prevent losses of data, services, operations, workforce, time, reputation and finances originating from the supply chain.
The Scope of the Service
The services offered under the scope of the Supplier Security Service are defined below.
- 3rd Party Supplier Security Consulting Service
- 3rd Party Supplier Security Risk Analysis Service
- 3rd Party Supplier Security Basic / Awareness Training
- 3rd Party Supplier Security Audit Service
Within the scope of these services:
- The outline and framework of the current situation analysis and data collection are determined.
- The necessary methodology is created for establishing the organization's supply chain inventory.
- The organizational structure and the supply chain system are examined.
- The risks arising from the supplier services are analyzed.
Service Benefits
- The trust of organizations that purchase products/services is reinforced.
- Customer needs are met and customer satisfaction is ensured.
- Security risks are determined accurately, and necessary precautions are defined.
- The brand image/reputation of organizations is increased.
Resources Adopted in Service Delivery
- ISO 27001 Information Security Management System Standard ISO 27002 Annex-A Controls
- DDO Information and Communication Security Guide
- Personal Data Protection Law and Board Decisions
- ISO 27008 Information Security Standard in Supply Chain Management
- NIST SP800-161 Supply Chain Risk Management Standard
Supplier Security Service
- Supplier Evaluation Service
  - The critical suppliers that the organization works with are determined.
  - Administrative and technical deficiencies in suppliers' business processes are identified.
  - Data sharing with suppliers is analyzed within the scope of KVKK.
  - Supplier contracts are examined within the scope of KVKK and ISO 27001 A.15, and their suitability is evaluated.
- Risk Analysis
  - The risks in the business processes and IT infrastructure of the supplier company are determined, and the necessary action plan is selected.
  - The compliance of the supplier's IT infrastructure with the KVKK technical measures, ISMS Annex-A controls and the DDO Information and Communication Security Guide is analyzed.
- Awareness Training
  - Information security awareness training is delivered to the staff of the supplier company.
- Supplier Audit Service
  - Supplier companies are audited within the scope of ISO 27001, KVKK and the DDO Information and Communication Security Guide.
Who Should Adopt This Service?
- All organizations that hold or wish to obtain an ISO 27001 certificate (in accordance with the A.15 Supplier Relationships control of ISO 27002),
- All organizations that have external dependencies in the production of goods or services,
- Public institutions, organizations and businesses that are obliged to comply with the Digital Transformation Office Information and Communication Security Guide.