06 May 2005

Offshoring: Audit Processes and Facilities

Thanks to Christopher Koch for his article on "Don't Export Security".

U.S.-based companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with Western practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."


Ken Wheatley is correct, and more companies need offshoring due diligence that makes sense. Here are a few key questions for any organization considering an outside supplier relationship.

What is the importance of the function or process being performed to the mission-critical components of our daily operations? If the answer is high, then you know that your first risk mitigation step may be to re-examine whether this should ever be outsourced!

If the answer is medium or low, you should ask for the last audit results on these key areas of ISO 17799. And if these haven’t been audited, then why risk handing over any activities to any supplier without thorough due diligence?

A.12.1 - Compliance with legal requirements to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

A.11.1 - Business continuity management to counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters.

A.7.1 - Secure areas to prevent unauthorized physical access, damage and interference to business premises and information.

A.6.1 - Security in job definition and resourcing to reduce the risks of human error, theft, fraud or misuse of facilities.


All the controls and standards don’t mean a thing until someone tests their effectiveness. Sadly, many organizations still have a long way to go to become compliant with even their most fundamental security policies.
