Supplier disasters: The case for ISO 27001


Richard Jones, VP and Service Director for Data Center Strategies, Burton Group
04.16.2008


You've built out your disaster recovery plan. You've tested it. You are meeting your objectives. You keep your plan updated with regular reviews and testing. You've mitigated your risks and have systems and processes in place to handle any disaster that comes your way. You feel confident in your plan.

Then one of your suppliers suffers a disaster. They cannot ship the raw materials you need. Now your supplier's disaster has become your disaster!

This should only be a bad dream. A large enterprise would have established risk mitigation practices to ensure that multiple suppliers are available for critical raw materials. A number of years ago I toured the manufacturing facility of a large PC server hardware vendor. While there, I posed a question on this subject, and they readily indicated that they source from three different manufacturers. Not only that, they perform audits on each shipment to ensure the component quality met standards they'd set. Furthermore, they regularly alternated between sourcing manufacturers to ensure that the process to integrate an alternate component was always running well -- a sound and tested backup plan.

I suspect that all large enterprises source critical components from multiple suppliers to ensure a supplier's disaster never hurts the enterprise. But what about supplies for noncritical business processes? A large European enterprise approached me with an interesting question on this subject. They were in the process of updating their risk analysis for secondary back-office processes and stumbled across what appeared to be a risk from their chosen supplier of desktop PC equipment. They required localized keyboards for PCs in branch offices of the various countries in which they did business – just as the French, German and Italian languages are different, so are their keyboards. They happened to know that their PC supplier's localized keyboard production facility was located in France. What if that facility is destroyed or compromised in some way? Would their supplier be able to build an Italian keyboard in another facility? They had not negotiated that requirement as part of their supplier agreement with the PC manufacturer, and realized they needed to update their PC supplier requirements. This is what they proceeded to do, ensuring that they would not suffer this risk.

What happens if only one supplier exists for a critical component? I'm sure you can think of a situation where this is the case. I've spoken with a smaller manufacturing company that sells about $250 million of product per year. They build very unique products that target the oil exploration industry. Two suppliers of one of their components exist in the market, but only one of those suppliers is able to produce the component with the quality that the company requires. This is a risk for the company, but they just plug along hoping that a large disaster never hits their supplier. They maintain large quantities on hand in reserve as a mitigation plan. I asked them if they have ever requested proof of business continuity plans from their supplier. They had not. Furthermore, they haven't created comprehensive business continuity plans for their own business operations. They only have about 20% of their business processes covered. I have found that this is the case in many small to medium-sized businesses, especially those that have been growing rapidly.

What I found surprising is that for the past 10 years, this small manufacturing company has focused on process efficiency, lean manufacturing, six-sigma quality and efficiency improvement, and has been ISO 9001-certified for about 15 years. But even with all of that, if their one supplier suffers a dramatic disaster, all of those quality improvement and lean manufacturing efforts will have been for nothing. (And yes, I keep bugging them about this, but the desire to rectify the problem has to come from the top.)

I've spoken to many other enterprises that demand proof of viable business continuity plans from their suppliers. And just as many of these enterprises have their customers demanding proof of business continuity plans from them. I have noted, however, that the supplier/consumer proof-of-business-continuity-plan requirements occur ad hoc. I have not seen a standard used in the United States. The ISO 27001 Information Security Management System certification standard is the only corporate-level certification standard that includes business continuity. It is almost three years old now and has seen some uptake in Japan. I'm hoping that corporations around the globe will begin to obtain ISO 27001 certification and demand the same of their suppliers as a proof point that suppliers have plans to survive any disaster the world throws at them.

Are you looking at ISO 27001 and demanding this certification stamp of approval of your suppliers?

What did you think of this tip? Write to us about your data center concerns at mstansberry@techtarget.com.

All Rights Reserved, Copyright 2005 - 2009, TechTarget