A supplier breach is your breach. When a third-party processor leaks your customer data, the ICO comes to you, the controller, first: processors can be penalised under UK GDPR as well, but accountability for the data and for choosing that processor remains yours. Yet most UK organisations still rely on a ten-question security questionnaire emailed during procurement, signed off by someone in finance, and never reviewed again until the contract renews three years later.
ISO/IEC 27001:2022 tightened the screws on this. Control 5.19 (information security in supplier relationships), 5.20 (addressing information security within supplier agreements), 5.21 (managing information security in the ICT supply chain), and 5.22 (monitoring, review and change management of supplier services) collectively demand that suppliers are assessed before onboarding, contractually bound to defined security obligations, and reviewed on an ongoing basis. Auditors are no longer satisfied by a SharePoint folder of unread SOC 2 reports.
The questions below are the ones our consultants ask during ISO 27001 supplier due diligence engagements. They are designed to surface the risk a glossy sales deck is built to hide. If a prospective supplier cannot answer them clearly, in writing, with evidence — that is your answer.
Why supplier due diligence has become an audit hotspot
UKAS-accredited certification bodies have spent the last eighteen months focusing audit attention on Annex A controls 5.19 to 5.23. The reason is straightforward: the supply chain is where most uncontrolled risk now sits. Your own perimeter is hardened, your staff are trained, your MFA is on. The same is rarely true of the small SaaS vendor processing your payroll, or the marketing agency with admin rights to your CRM.
The NCSC's Supply Chain Security Guidance (updated 2022) sets out twelve principles UK organisations are expected to apply when assessing suppliers. Audit teams use these as a benchmark. Separately, the UK government's Cyber Security and Resilience Bill — currently progressing through Parliament — is expected to extend supply chain accountability for operators of essential services and managed service providers. The direction of travel is clear: third-party risk is becoming first-party liability.
For regulated firms, the FCA's operational resilience rules in PS21/3 already require firms to identify and manage risks from third-party dependencies that support important business services. ISO 27001 alignment is one of the cleanest ways to evidence that work.
The 7 questions that expose third-party risk
1. "Show us your most recent independent security assessment — and the remediation log."
Anyone can produce a Cyber Essentials certificate or a SOC 2 Type II cover page. The signal lies in what came after. Ask for the report itself, the findings, and the closure evidence for each high or medium issue. A supplier who treats audit findings as a project plan is mature. A supplier who treats them as a marketing artefact is not.
If the supplier claims ISO 27001 certification, request the Statement of Applicability and the certificate number. Verify it on the UKAS-accredited certification body's register, and check that the certified scope actually covers the service and the locations you are buying: a certificate for "head office IT" says nothing about the data centre hosting your workload. We routinely find suppliers citing certifications that expired eighteen months ago, or that were issued by non-accredited bodies whose certificates carry no audit weight.
2. "Where exactly is our data processed, stored, and backed up — and under whose jurisdiction?"
Under UK GDPR, international data transfers require adequacy regulations, the International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or binding corporate rules. A supplier who answers "the cloud" or "AWS" has not done the work. You need region-specific answers: London, Dublin, Frankfurt, Virginia. You need to know where the sub-processors sit. You need the transfer mechanism documented and signed.
This question also flushes out sub-processor chains. The supplier may host in London — but their support team in a third country has read access to the database. That is a transfer.
3. "What is your documented incident notification timeline to us, and how is it triggered?"
Under UK GDPR Article 33, a controller must report a notifiable personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; Article 33(2) obliges a processor to notify the controller without undue delay. The ICO treats you as aware once the processor tells you, but a processor that sits on a breach for seven days has still failed its own duty, left you seven days behind the attacker, and left your data subjects unprotected in the meantime. The contract must therefore specify a notification window measured in hours, not days, and define what starts the clock: detection, confirmation, or root cause analysis. Anchor it to detection; a clock that starts at root cause analysis can run for weeks.
Ask to see their incident response runbook. Ask when it was last tested. A supplier who has never run a tabletop exercise will not perform well during a live incident.
4. "Who has privileged access to our data, and how is that access reviewed?"
This question targets ISO 27001 Annex A 5.15, 5.18, and 8.2. You want named answers: which roles, how many people, what authentication, what logging, what review cadence. "Only authorised personnel" is not an answer. "Three named SREs with hardware-key MFA, access reviewed quarterly by the CISO with logs retained for twelve months" is an answer.
5. "Show us your sub-processor list and how you assess them."
Your supplier's suppliers are your suppliers. The chain is only as strong as its weakest link, and the weakest link is usually three steps down. A mature vendor maintains a public sub-processor list, notifies customers of changes, and applies a tiered due diligence process to its own vendors.
If they cannot produce the list, assume it does not exist. If they will not commit to prior notification of changes, that clause needs to go into the contract before signature.
6. "What happens to our data on contract termination — and how do you prove it's gone?"
Exit is the most neglected phase of vendor management. The contract should specify the format of returned data, the timeline for deletion across primary systems and backups, and the form of attestation. Backups rarely get deleted on demand; they age out on rotation, so the contract should state the retention period after which the last copy is gone and require confirmation at that point, not just at termination. A certificate of destruction signed by an executive carries weight. A verbal assurance does not.
This matters operationally too. If your supplier holds your data hostage during a commercial dispute, your business continuity plan needs to have anticipated it.
7. "What single security incident in the last 24 months are you least proud of, and what did you change?"
The most revealing question on the list. A supplier who claims zero incidents is either lying or not looking. A supplier who can walk you through a genuine incident — what happened, what they got wrong, what they fixed — is operating at the maturity level you want. This question separates the marketing team from the engineering team.
Common mistakes we see in supplier programmes
Treating the questionnaire as the assessment. The questionnaire is the start of the conversation, not the end. Evidence requests, follow-up interviews, and contract clauses do the actual work.
Onboarding without tiering. Not every supplier needs the same depth of assessment. A coffee supplier and a payroll processor warrant different treatment. Tier suppliers by data sensitivity, system access, and business criticality, then apply due diligence proportionate to the tier.
One-and-done assessments. Control 5.22 explicitly requires ongoing monitoring. Annual reassessment of high-tier suppliers is the minimum. Material changes, such as an acquisition, a new sub-processor, or a reported breach, should trigger an out-of-cycle review.
No contractual teeth. Security obligations that are not in the contract are not obligations. Right-to-audit clauses, breach notification windows, sub-processor consent, and data return terms must all be written down.
A practical vendor risk management framework
- Tier the supplier by data classification, access level, and operational dependency.
- Issue a proportionate questionnaire aligned to ISO 27001 Annex A and NCSC Supply Chain Principles.
- Validate the evidence — certificates verified on accredited registers, reports read, references checked.
- Negotiate the contract with security schedules covering notification, sub-processors, audit rights, and exit.
- Monitor continuously via threat intelligence, certification expiry tracking, and annual reassessment.
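The tiering and monitoring steps above are the parts of the framework that can be encoded rather than left to a spreadsheet. The following is an added example written for this article, not a tool from the page's author or from Pyralink: it assigns a tier from data classification, access level and operational dependency, maps each tier to a proportionate level of due diligence and a reassessment cadence, and flags the conditions that should trigger action (expired or expiring certificates, overdue reassessments, a tier 1 supplier with no sub-processor list, and material-change events). The scoring thresholds, cadences, warning window and the supplier register are all assumptions made for the illustration.

```python
"""Supplier tiering and continuous monitoring for a third-party risk register.

Added illustration; not the page's or any vendor's code. Thresholds, cadences,
the 90-day certificate warning window and the sample suppliers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class DataClass(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    PERSONAL = 3          # personal or special-category data under UK GDPR


class Access(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3             # privileged/administrative access to your systems


class Dependency(IntEnum):
    LOW = 0
    MEDIUM = 1
    CRITICAL = 2          # supports an important business service


@dataclass
class Supplier:
    name: str
    data_class: DataClass
    access: Access
    dependency: Dependency
    cert_expiry: Optional[date] = None     # expiry date as read from the accredited register
    last_assessed: Optional[date] = None   # date of the last completed due diligence review
    sub_processor_list: bool = False       # supplier publishes and maintains a sub-processor list


# Assumed cadences and evidence requirements per tier (tier 1 = highest risk).
REASSESS_MONTHS = {1: 12, 2: 24, 3: 36}
DILIGENCE = {
    1: "full questionnaire; assessment report and remediation log; security schedule; right to audit",
    2: "standard questionnaire; certificate verified on register; notification clause in contract",
    3: "self-attestation and certificate check",
}
CERT_WARN_DAYS = 90
MATERIAL_CHANGES = {"acquisition", "new_sub_processor", "reported_breach"}


def tier(s: Supplier) -> int:
    """Tier 1 if any single axis is at its maximum; tier 2 on a combined score of 3 or more; else tier 3."""
    if s.data_class == DataClass.PERSONAL or s.access == Access.ADMIN or s.dependency == Dependency.CRITICAL:
        return 1
    if int(s.data_class) + int(s.access) + int(s.dependency) >= 3:
        return 2
    return 3


def review_due(s: Supplier) -> Optional[date]:
    """Next scheduled reassessment date, or None if the supplier has never been assessed."""
    if s.last_assessed is None:
        return None
    return s.last_assessed + timedelta(days=365 * REASSESS_MONTHS[tier(s)] // 12)


def monitor(s: Supplier, today: date) -> list[str]:
    """Findings that should trigger action for this supplier as of `today`."""
    t = tier(s)
    findings: list[str] = []
    if s.cert_expiry is None:
        if t == 1:
            findings.append("no verified certification on file for a tier 1 supplier")
    elif s.cert_expiry < today:
        findings.append(f"certificate expired {s.cert_expiry.isoformat()}")
    elif s.cert_expiry - today <= timedelta(days=CERT_WARN_DAYS):
        findings.append(f"certificate expires {s.cert_expiry.isoformat()}; chase renewal evidence")
    due = review_due(s)
    if due is None:
        findings.append("never assessed; onboarding due diligence outstanding")
    elif due < today:
        findings.append(f"reassessment overdue since {due.isoformat()}")
    if t == 1 and not s.sub_processor_list:
        findings.append("tier 1 supplier with no sub-processor list")
    return findings


def triggers_review(event: str) -> bool:
    """Material changes force an out-of-cycle review regardless of the schedule."""
    return event in MATERIAL_CHANGES


def report(register: list[Supplier], today: date) -> dict:
    """Tier, required due diligence and open findings for every supplier in the register."""
    return {s.name: {"tier": tier(s), "diligence": DILIGENCE[tier(s)], "findings": monitor(s, today)}
            for s in register}


# Constructed sample register: fictional suppliers and dates, chosen to exercise each rule.
SAMPLE_TODAY = date(2025, 11, 1)
REGISTER = [
    Supplier("PayrollCo", DataClass.PERSONAL, Access.WRITE, Dependency.CRITICAL,
             cert_expiry=date(2024, 3, 31), last_assessed=date(2023, 2, 1), sub_processor_list=True),
    Supplier("CRM Agency", DataClass.CONFIDENTIAL, Access.ADMIN, Dependency.MEDIUM,
             cert_expiry=date(2026, 1, 15), last_assessed=date(2025, 6, 1)),
    Supplier("Coffee Supplier", DataClass.PUBLIC, Access.NONE, Dependency.LOW),
]

if __name__ == "__main__":
    for name, entry in report(REGISTER, SAMPLE_TODAY).items():
        print(f"{name}: tier {entry['tier']}; {entry['diligence']}")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

Run against the sample register, the payroll processor comes out as tier 1 with an expired certificate and an overdue reassessment, the CRM agency as tier 1 (admin access alone is enough) with a certificate inside the warning window and no sub-processor list, and the coffee supplier as tier 3 with nothing outstanding beyond a one-off self-attestation. The point of the "any axis at maximum" rule is that a low combined score must never hide a single critical attribute: a supplier with read-only access to special-category data is tier 1 whatever else is true of it.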
How Pyralink helps
Pyralink Innovation Ltd, led by Founder and Managing Director Michael Adedeji (CISM, CISA, CC, MSc Data Science), builds third-party security assessment programmes that survive audit and reduce real risk. Our team has implemented supplier due diligence frameworks for regulated firms, SaaS companies, and public sector bodies across the UK.
If you are preparing for ISO 27001 certification, our consultants build the supplier register, tiering model, questionnaire library, and contract clauses your auditor will look for. If you need ongoing oversight without hiring full-time, our fractional vCISO service runs the programme from £497/mo. For cloud-hosted suppliers and your own multi-cloud estate, CloudAuditX surfaces misconfigurations against ISO 27001, Cyber Essentials, and CIS benchmarks. More guidance sits in our insights, and you can stress-test your own posture with the free compliance scanner. We hold £5M professional indemnity insurance.