Purpose: The purpose of this section is to establish whether the organisation is aware of the risks to its objectives, and to find out how resilient the organisation is in withstanding unexpected disruptions to its operations. The buyer also wants to know what security systems you have in place to protect information.
Key questions for the Buyer:
- Has the organisation identified all the key risks associated with its business?
- Have they taken the necessary actions to ensure the organisation can provide the services being contracted? Does the organisation know how it will respond to disruptions and is it well prepared?
- Has the organisation recognised the security risks to its information and implemented a system to mitigate them?
Scoring: Either Pass/Fail or scored based on the organisation’s progress towards achieving a recognised Risk Management approach, Business Continuity Plan or Information Governance policy.
Information typically requested:
- A copy of your Risk Management approach/policy
- A copy of your Business Continuity Plan
Example supplementary questions you may also be asked:
- Business Continuity Exercise reports for the last and next 12 months
- A copy of your Information Security Policy
Recommended actions:
- Write a policy for each of these areas and keep them in your PQQ file.
- Create action plans which show how these policies are, or will be, implemented within your organisation.
- Make sure all employees understand your policies and have access to copies.
- Monitor your efforts and review your policies annually and whenever there are changes in your business.