The Control Room: ISO 27001 Control Spotlight: 5.19 – Information Security in Supplier Relationships
There is a special kind of silence that happens when someone asks: “Where is the evidence for that control?”
And the answer is: “Sarah used to handle that.”
Not “it’s in the system.” Not “the owner can pull that up.” Not “we can export that from the platform.”
Just: “Sarah used to handle that.”
Wonderful. Very mature. Extremely reassuring.
This is one of the most common compliance problems we see, and it is also one of the most avoidable.
A business thinks it has a compliance program. It might even have policies, a risk register and supplier records. It passed an audit at some point. It may even have a folder structure that made sense to someone in 2022. Then the compliance manager resigns or retires, and the whole thing starts to wobble.
Suddenly, no one knows where the latest policy is. No one can explain why a control is marked as implemented. No one knows which supplier reviews were completed. No one can find the access review evidence. The risk register is “somewhere in SharePoint”. That is not a compliance program. It’s a hostage situation featuring a resignation letter.
The program was not in the business. It was in someone’s head.
Every organisation has an employee like this. They are capable, helpful, organised and quietly carrying half the company’s operational memory. They know which spreadsheet is the real one. They know which version of which policy went to the auditor. They know which risks are genuine, which ones need work, and which ones were politely massaged into shape before the last audit.
Because they are good at their job, the business mistakes their personal competence for organisational maturity. That, right there, is the trap.
A good person can hold a messy system together for a while. Sometimes for years. But that does not mean the system works. It means the business has built a critical dependency on one person’s memory, habits and goodwill.
Then that person resigns. Or goes on holiday. Or gets promoted. Or burns out. Suddenly, the organisation discovers that its compliance program was not embedded. It was remembered.
“Ask Sarah” is not an operating model
There is nothing wrong with having experienced people who understand your compliance program. You need them. The problem is when the organisation cannot operate without them.
If the answer to basic compliance questions is always “ask Sarah”, “ask James”, “ask IT” or “I think finance has that”, you do not have a management system. You have a treasure hunt. A real compliance program should be able to answer simple questions without panic:
- Where is the current policy?
- Who owns this control?
- When was it last reviewed?
- What evidence supports it?
- Which risk does it relate to?
- Which supplier is involved?
- What actions are overdue?
- What changed since the last audit?
The spreadsheet is usually part of the problem
Let’s be fair. Spreadsheets are useful. They help people get started. They are flexible, familiar and quick. But they are also where compliance programs quietly become unmanageable.
A spreadsheet does not know when a review is overdue. It does not automatically link evidence to a control. It does not tell you whether a supplier touches sensitive data. It does not preserve the logic behind a risk decision unless someone writes it down properly. It does not stop someone from creating three competing versions called “final”, “final updated” and “final updated real”.
It also does not solve the key-person problem. In many organisations, the spreadsheet is not the system. The person who understands the spreadsheet is the system. If that person leaves, all context and meaning leaves with them. All you’re left with are rows, columns and a vague sense of dread.
Audits expose weak systems
Audits are very good at revealing whether your compliance program is actually operating or whether it has just been kept presentable. A weak system can survive during normal business conditions because everyone knows who to ask. But during an audit, customer review, investor diligence process or incident response, the cracks appear quickly.
The auditor asks for evidence. The customer asks how supplier risk is managed. The board asks whether the risks are current. An investor asks whether policies are reviewed. A regulator asks who owns the process.
If every answer requires a meeting, a folder search, a Slack message and a prayer, the system is not working.
This is not only an audit problem. It is a business continuity, risk management and governance problem.
If one person leaving can materially weaken your compliance program, then that person was a critical control. And it is unlikely that dependency was ever listed in your risk register.
What a proper system should do
A proper compliance system does not eliminate the need for good people. It makes their work visible, repeatable and resilient. It should mean:
- policies are current, owned and reviewed
- risks have real owners
- controls are linked to the risks they manage
- evidence is attached to the relevant control, task or requirement
- supplier reviews are visible and scheduled
- assurance activities recur without someone manually remembering them
- actions and treatment plans are tracked
- management can see what is current, overdue or at risk
- audit preparation is not a reconstruction exercise
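As an added illustration (not de.iterate’s product, its data model, or any code from this article), here is what “the system knows, not the person” looks like when the register is linked data rather than a spreadsheet. Each control carries its owner, review cadence, linked risks and suppliers, and its evidence, so the questions a program should be able to answer (who owns this, what is overdue, what supports it, which supplier is involved, what breaks if Sarah leaves) become queries instead of a folder search. Every identifier, owner, supplier, date and evidence reference below is constructed sample data.

```python
"""Minimal control register with linked evidence, owners and overdue detection.

Added illustration for the article above; not de.iterate's product or code.
All controls, owners, suppliers, dates and evidence references are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    ref: str          # where the artefact lives: a path, ticket id, export id
    collected: date   # when it was produced, so staleness can be computed


@dataclass
class Control:
    cid: str
    title: str
    owner: str | None                 # None means nobody is accountable
    review_every_days: int            # cadence the program commits to
    last_reviewed: date | None        # None means it has never been reviewed
    risk_ids: list[str] = field(default_factory=list)
    supplier_ids: list[str] = field(default_factory=list)
    evidence: list[Evidence] = field(default_factory=list)

    def next_review_due(self) -> date | None:
        if self.last_reviewed is None:
            return None
        return self.last_reviewed + timedelta(days=self.review_every_days)


def overdue_controls(controls: list[Control], today: date) -> list[str]:
    """Controls whose review is past due or that were never reviewed at all."""
    out = []
    for c in controls:
        due = c.next_review_due()
        if due is None or due < today:
            out.append(c.cid)
    return out


def unowned_controls(controls: list[Control]) -> list[str]:
    """Controls nobody is accountable for; these cannot be 'implemented'."""
    return [c.cid for c in controls if not c.owner]


def stale_evidence(controls: list[Control], today: date) -> list[str]:
    """Controls with no evidence collected inside their own review window."""
    out = []
    for c in controls:
        cutoff = today - timedelta(days=c.review_every_days)
        if not any(e.collected >= cutoff for e in c.evidence):
            out.append(c.cid)
    return out


def controls_for_supplier(controls: list[Control], supplier_id: str) -> list[str]:
    return [c.cid for c in controls if supplier_id in c.supplier_ids]


def controls_for_risk(controls: list[Control], risk_id: str) -> list[str]:
    return [c.cid for c in controls if risk_id in c.risk_ids]


def leaver_exposure(controls: list[Control], person: str) -> list[str]:
    """The 'Sarah question': which controls lose their owner if this person goes."""
    return [c.cid for c in controls if c.owner == person]


# Constructed sample register; an "as-of" date keeps the example deterministic.
TODAY = date(2025, 3, 1)

SAMPLE_CONTROLS = [
    Control("A.5.19", "Information security in supplier relationships", "Sarah",
            review_every_days=365, last_reviewed=date(2024, 1, 15),
            risk_ids=["R-04"], supplier_ids=["SUP-PAYROLL"],
            evidence=[Evidence("sharepoint:/Suppliers/payroll-review-2024.pdf",
                               date(2024, 1, 15))]),
    Control("A.5.18", "Access rights", "Sarah",
            review_every_days=90, last_reviewed=date(2024, 12, 10),
            risk_ids=["R-02"],
            evidence=[Evidence("jira:ACC-481", date(2024, 12, 10))]),
    Control("A.5.1", "Policies for information security", None,
            review_every_days=365, last_reviewed=date(2024, 9, 1),
            risk_ids=["R-01"]),
    Control("A.8.15", "Logging", "James",
            review_every_days=180, last_reviewed=None,
            risk_ids=["R-02", "R-07"],
            evidence=[Evidence("siem:export-2024-11", date(2024, 11, 20))]),
]


def management_report(controls: list[Control], today: date) -> dict[str, list[str]]:
    """The summary a manager wants without a meeting: what is overdue or at risk."""
    return {
        "overdue_review": overdue_controls(controls, today),
        "no_owner": unowned_controls(controls),
        "stale_or_missing_evidence": stale_evidence(controls, today),
        "depends_on_sarah": leaver_exposure(controls, "Sarah"),
    }


if __name__ == "__main__":
    for key, cids in management_report(SAMPLE_CONTROLS, TODAY).items():
        print(f"{key}: {cids}")
```

The point of the toy is the shape, not the tooling: once owner, cadence, linked risk, linked supplier and dated evidence are fields on the control rather than facts in someone’s head, “what is overdue” and “what breaks if this person leaves” are computed, and a leaver becomes a visible list of controls to re-assign rather than a surprise.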
This is the difference between a compliance program that survives staff turnover and one that collapses because the wrong person took another job.
Compliance needs to be business as usual
A lot of organisations still treat compliance as something that happens around the audit. The audit is coming, so policies get reviewed. Evidence gets collected. Risks get updated. Supplier reviews get chased. Then the audit happens, everyone exhales, and the compliance program goes quiet until it’s time for the next audit.
When compliance only comes alive before an audit, it depends too heavily on whoever is driving that audit process. If that person leaves, the program loses momentum, context and memory.
A better approach is to make compliance part of the normal operating rhythm of the business. Small tasks. Clear owners. Recurring reviews. Linked evidence. Live registers. Visible actions. Management reporting. Supplier oversight. Policy updates. Risk reviews.
It might not be glamorous or dramatic, but it works.
How de.iterate helps
At de.iterate, we believe compliance should live in a proper system, not inside someone’s head. Our platform helps organisations bring the moving parts of compliance together in one place, including risks, controls, policies, evidence, suppliers, assets, assurance tasks, and audit packs.
Instead of relying on spreadsheets, folders, inboxes and individual memory, de.iterate helps create a connected management system that can be operated, reviewed and improved over time.
The knowledge stays in the business. The evidence stays linked. The tasks stay visible. The controls stay owned. The audit trail stays intact. Your compliance manager is supported by a system that makes the program stronger, not trapped inside a process that only works because they remember everything.
Need help getting your compliance program out of someone’s head?
de.iterate helps organisations connect risks, controls, policies, evidence, suppliers and assurance activities into one practical management system. So compliance becomes something the business can run, maintain and prove, rather than something one person has to remember.
Book a demo to see how it works.