As suppliers sign up to the platform and complete their security profiles, you can set up your policies within Risk Ledger and assign supplier tags to automatically calculate a compliance score.
What is Compliance?
Compliance is a measure of how many of the security controls a supplier has implemented align with the requirements you have applied to that supplier through your applicable policies.
💡 To calculate a supplier's compliance you must have tags applied to that supplier. If no tags are applied, the compliance score will automatically sit at 100%, as no policies are applied over their assessment. In this case the platform displays a warning message on the supplier overview page under the "Policies Applied" card on the right-hand side of the page.
How Is the Compliance Score Calculated on Risk Ledger?
A supplier's compliance score is automatically calculated by taking the applicable requirements in your policies and comparing them against the supplier's assessment to give you a percentage score.
The supplier's Overview page gives you a quick snapshot of their overall compliance and highlights which domains are the most and least compliant.
You can view which controls are compliant and which non-compliant in detail by navigating to the "Assessment" tab.
You can filter for all compliant or non-compliant controls by selecting them in the "Filter by..." panel on the right-hand side of the page.
To view further context for a control, click into it to expand it. From there you can see what your policy requires and take action, either by starting a discussion with your supplier, requesting remediation, or applying an exemption to the control (see below).
Applying an Exemption to a Non-Compliant Control
💡 If a supplier marks a control as N/A but your policy requires that control to be in place, the platform will still mark the control as non-compliant, so that you do not miss any potential security gaps. To accept the N/A response as compliant, you can apply an exemption to the control.
An exemption makes a non-compliant control compliant. It removes the requirement for a supplier to have a control implemented. You may want to do this if a supplier falls under a requirement that, upon examination, you don't think is relevant to them.
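The scoring rules described above (applicable requirements come from the policies a supplier's tags apply, an N/A answer stays non-compliant until exempted, an exemption counts as compliant, and no tags means 100% plus a warning) worked through as an added Python example. This is illustrative code written for this article, not Risk Ledger's own implementation; the tag, policy and control names, the answer values, and the letter-prefix domain grouping are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data; the tag, policy and control names are hypothetical,
# not Risk Ledger identifiers. A tag on a supplier applies the policy of the same
# name, and each policy lists the controls it requires.
POLICIES = {
    "processes-pii": {"A1", "A2", "B1"},
    "cloud-hosted": {"B1", "B2", "C1"},
}


def domain_of(control: str) -> str:
    # Toy convention: the letter prefix of a control id is its domain.
    return control[0]


@dataclass
class ComplianceResult:
    score: float                       # overall percentage, 0-100
    per_domain: dict                   # domain -> percentage, for the most/least compliant view
    compliant: set = field(default_factory=set)
    non_compliant: set = field(default_factory=set)
    no_policies_applied: bool = False  # the "no tags" warning case


def applicable_requirements(tags, policies=POLICIES):
    """Union of the controls required by every policy that a tag applies."""
    requirements = set()
    for tag in tags:
        requirements |= policies.get(tag, set())
    return requirements


def control_is_compliant(control, assessment, exemptions):
    """An exemption always counts as compliant. Otherwise only an implemented
    control does: an N/A answer, or no answer at all, is non-compliant so a
    potential gap is never hidden."""
    if control in exemptions:
        return True
    return assessment.get(control) == "implemented"


def compliance_score(tags, assessment, exemptions=frozenset(), policies=POLICIES):
    requirements = applicable_requirements(tags, policies)
    if not requirements:
        # Nothing is required, so nothing can fail: 100% plus the warning flag.
        return ComplianceResult(score=100.0, per_domain={}, no_policies_applied=True)

    compliant, non_compliant = set(), set()
    for control in requirements:
        if control_is_compliant(control, assessment, exemptions):
            compliant.add(control)
        else:
            non_compliant.add(control)

    per_domain = {}
    for dom in {domain_of(c) for c in requirements}:
        in_dom = [c for c in requirements if domain_of(c) == dom]
        met = sum(1 for c in in_dom if c in compliant)
        per_domain[dom] = round(100.0 * met / len(in_dom), 1)

    score = round(100.0 * len(compliant) / len(requirements), 1)
    return ComplianceResult(score, per_domain, compliant, non_compliant)


# Constructed supplier assessment: answers are "implemented", "not-implemented" or "n/a".
SAMPLE_ASSESSMENT = {
    "A1": "implemented",
    "A2": "n/a",
    "B1": "implemented",
    "B2": "not-implemented",
    "C1": "implemented",
}

if __name__ == "__main__":
    tags = ["processes-pii", "cloud-hosted"]
    r = compliance_score(tags, SAMPLE_ASSESSMENT)
    print(f"score {r.score}%  non-compliant {sorted(r.non_compliant)}  per domain {r.per_domain}")
    r = compliance_score(tags, SAMPLE_ASSESSMENT, exemptions={"A2"})
    print(f"with A2 exempted: {r.score}%")
    print("no tags:", compliance_score([], SAMPLE_ASSESSMENT))
```

With both tags applied, five controls are required and the N/A answer on A2 counts against the supplier alongside the unimplemented B2, giving 60%; exempting A2 lifts the score to 80% and the A domain to 100%, and removing all tags returns 100% with the warning flag set, matching the behaviour the article describes.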
To apply an exemption, please follow the steps below:
Navigate to a supplier's assessment page.
Locate the control you would like to apply non-compliance against. Please note, you can only apply non-compliance against a control that is currently compliant.
Click on the control to expand it, then click the "Apply Non-Compliance" button.
Enter a reason for applying the non-compliance and click "Apply Non-Compliance".
You can remove the non-compliance by following the above steps for a control on which non-compliance has been applied and clicking the "Remove" button next to the "Non-Compliance Applied" box.
For non-compliant controls you can request that a supplier remediate the control.
Apply Bulk Exemptions or Non-Compliance:
You can apply exemptions or non-compliance to multiple controls at once by selecting the controls using the tick-box to the left of each control and clicking the "Apply to Selected" button in the top right corner of the assessment page.
💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.