Subcontractor compliance audits
Security is above all a question of means and processes, but also of clear and transparent information for customers. It is essential that you be very demanding towards your subcontractor (a hosting provider, for example) in terms of security, availability and operating conditions.
Such an audit is not intended to certify against a particular standard; rather, its goal is to assess how the security of your subcontractor's information systems is organized with respect to technical and regulatory standards, and also with respect to the contract that binds you. In addition, the audit must show (supported by evidence) how the operational reality corresponds to what has been signed between you and your subcontractor, and must show that it fully meets your security needs, including data protection aspects.
After a documentation analysis (Information System Security Policy, Quality Assurance Plan, Security Assurance Plan, Backup Plan, etc.), on-site interviews are conducted with the subcontractor.