Compliance requirements

Your organisation and its employees must uphold many forms of compliance. You probably need to comply with relevant legislation (e.g. GDPR), one or more certifications (e.g. ISO 22301), maybe sustainability commitments (e.g. The SDGs from the UN) and any other internal or external standards.

As third parties play an essential part in your compliance environment, the platform contains an advanced requirements module to facilitate all your internal and external compliance needs, whatever their type, scope or industry.

Concept

Within the 3rdRisk platform, you can manage (almost) all internal and external requirements throughout your entire internal organisation and supply chain. You no longer need a separate solution for that.

High-level concept of the 3rdRisk requirements module

1. Identify

First, you need to know which compliance requirements you have to adhere to. Take into consideration:

  1. The requirements that you have to adhere to (including the different types, see the table below)
  2. The requirements that you are enforcing on your third parties

| Source | Type | Explanation | Examples |
|---|---|---|---|
| Internal | Organisation requirement | Compliance rules and standards do not come exclusively from outside your organisation; you can also set internal standards and rules. | Your standard operating procedures. |
| External | Sustainability requirement | Sustainability criteria are requirements for a product's sustainable quality and production, which must be fulfilled to acquire a sustainability status or certification. | SDGs, Rainforest Alliance, Fair Trade. |
| External | Compliance attestation / certification | A certificate or attestation of compliance is a document that states the fulfilment of a given requirement. It is a formal certification/attestation declaring that an organisation has met a set of conditions. | ISO 9001, PCI-DSS, SOC 2. |
| External | Regulatory requirement | Every organisation needs to follow the rules and standards set for its industry. These rules are usually defined by government legislation or, by proxy, by government agencies. | GDPR, HIPAA. |
| External | Ecosystem requirement | Within most ecosystems, especially critical industries, it is essential that consistent standards, policies and processes are applied across the complete supply chain. | The Airbus framework, Unilever Responsible Business Partner Policy. |
| External | Stakeholder requirement / expectation | If you have entered into formal contracts with customers or another third party, the clauses of those contracts can also become requirements that you must adhere to. This can also relate to expectations from specific interest groups, customers or your employees. | Contracts, specific interest group manifests. |

Start simple
The best practice is to start with a limited set of requirements and first get to know the platform. You can always add and update requirements at a later stage, even after a couple of years of usage, as every organisation changes over time.

2. Register

After you have (partly) identified all the applicable requirements, you can easily register them in the 3rdRisk platform.

Within the requirements module of 3rdRisk, you can:

  1. Search and adopt known international requirements (e.g. GDPR, ISO 27001, ISO 9001, Privacy Shield etc.) - see the complete available list
  2. Easily register all other internal and external requirements.
  3. Define your compliance requirements.

Scope
The organisation model defines the different scopes of an organisation's internal and external requirements.

Example

Example organisation with two requirements

Requirements scope
In the provided example, we have a Finance department that needs to adhere to the SSAE18 (SOC1) and an IT department to the ISO 27001:2013.

Applicability
You can define the applicability per requirement: is it, for example, only applicable to a specific process, product, location or service?

Stakeholders and interested parties

Per requirement, you can define the relevant internal and external parties:

  • Publisher of the requirement (e.g. ISO, US Congress)
  • Internal requirement owner
  • Internal requirement manager / SME
  • Involved risk officer
  • Other interested parties, such as specific interest groups, local regulators, specific clients and industry groups

Third-parties & contracts
Understanding which third parties fulfil a role in your compliance landscape is critical. When a third party or contract is added to the platform, the platform automatically lists the applicable requirements and lets you easily deselect the ones that are not applicable.

Requirements and third-parties
By defining a requirement's scope within your organisation model, the platform knows when a third party might be within the scope of one or more requirements.

Example organisation with an ISO 27001 requirement (scope = blue coloured)

Relevant requirements are associated with a new third party or newly added contract. In the example, two third parties with three contracts are active within the ISO 27001 scope. When a new contract is added at the security team level/node, the platform will automatically propose registering this contract within the ISO 27001 scope.

3. Monitor & respond

During the life cycle of a requirement, you can monitor the third parties in scope by performing periodic assessments. Per requirement, you can define specific assessment templates, e.g. per type of service, geographical location or language.

Assessment template per requirement

Per requirement, you can link multiple questionnaire templates.

One requirement can have multiple questionnaire templates.

You can upload your assessment templates or download one from the 3rdRisk platform store.

Performing an assessment
When initiating an assessment for a third party, the system will automatically list the applicable requirements, and you can easily include the relevant questionnaires in your assessment.
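The two mechanisms described above (scope matching of a new contract against requirements defined on the organisation model, and the questionnaire templates proposed for an assessment) can be modelled in a few lines. The following is an added illustration, not code from 3rdRisk: the organisation model is a constructed tree, and the rule that a contract attached to a node inherits the requirements scoped on that node's ancestors is an assumption made for the example, not a documented platform behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed organisation model: child node -> parent node (None = root).
# This mirrors the "Finance"/"IT" example above with a security team under IT.
ORG_MODEL: dict[str, str | None] = {
    "Company": None,
    "Finance": "Company",
    "IT": "Company",
    "Security team": "IT",
    "Service desk": "IT",
}


@dataclass(frozen=True)
class Requirement:
    name: str
    scope: frozenset[str]           # nodes selected in the organisation model
    templates: tuple[str, ...] = () # questionnaire templates linked to it


@dataclass(frozen=True)
class Contract:
    third_party: str
    name: str
    node: str                       # organisation node the contract is added at


# Constructed sample catalogue (template names are invented for the example).
REQUIREMENTS = [
    Requirement("ISO 27001:2013", frozenset({"IT"}), ("ISO 27001 supplier security",)),
    Requirement("SSAE18 (SOC1)", frozenset({"Finance"}), ("SOC1 control questionnaire",)),
    Requirement("GDPR", frozenset({"Company"}),
                ("GDPR processor questionnaire", "DPA checklist")),
]


def lineage(node: str, org_model: dict[str, str | None]) -> list[str]:
    """Return the node and all its ancestors, nearest first.

    A contract attached to an unknown node is a data error, so we fail loudly
    instead of silently returning "no requirements apply".
    """
    if node not in org_model:
        raise ValueError(f"unknown organisation node: {node!r}")
    path: list[str] = []
    current: str | None = node
    while current is not None:
        path.append(current)
        current = org_model[current]
    return path


def applicable_requirements(contract: Contract, requirements: list[Requirement],
                            org_model: dict[str, str | None]) -> list[Requirement]:
    """Requirements whose scope covers the contract's node or one of its ancestors.

    Assumption for this example: scope is inherited downwards in the tree.
    """
    covered = set(lineage(contract.node, org_model))
    return [r for r in requirements if r.scope & covered]


def proposed_questionnaires(contract: Contract, requirements: list[Requirement],
                            org_model: dict[str, str | None],
                            deselected: frozenset[str] = frozenset()) -> list[str]:
    """Questionnaire templates to propose for an assessment of this contract.

    `deselected` holds requirement names the user removed as not applicable;
    duplicates are collapsed while keeping first-seen order.
    """
    proposed: list[str] = []
    for req in applicable_requirements(contract, requirements, org_model):
        if req.name in deselected:
            continue
        for template in req.templates:
            if template not in proposed:
                proposed.append(template)
    return proposed


if __name__ == "__main__":
    new_contract = Contract("Acme Pentest BV", "Annual penetration test", "Security team")
    for req in applicable_requirements(new_contract, REQUIREMENTS, ORG_MODEL):
        print(f"propose registering {new_contract.name!r} in scope of {req.name}")
    print(proposed_questionnaires(new_contract, REQUIREMENTS, ORG_MODEL))
```

Run as a script, it shows that a contract added at the security team node is proposed for the ISO 27001 scope (defined on the IT node) and for the company-wide GDPR requirement, and lists the questionnaires an assessment of that contract would include; passing a requirement name in `deselected` reproduces the manual deselection step.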

4. Reporting

The platform provides advanced and dynamic dashboard capabilities, providing you with continuous and real-time insights into your compliance landscape.

Add a requirement

To create a new requirement within the platform:

  1. Navigate to: Left side menu: Requirements
  2. Click on [+ Add requirement]
  3. Provide the required details:
| Field | Known requirement on the 3rdRisk platform | Explanation |
|---|---|---|
| Name * | x | Name of the requirement. The platform will initially search the 3rdRisk store for known requirements. If the requirement is already known on the platform (requirements listed with the green 3rdRisk logo, e.g. ISO/IEC 27001 in the screenshot example), click the provided entry and the platform will auto-fill the specific details (see the second column). You can reset the search by clicking the blue reset icon. We strongly encourage organisations to avoid creating new requirements when a requirement is already known on the platform, primarily for the accuracy of the central database and the related questionnaires available on the platform. When a requirement is not yet known in the 3rdRisk platform, add a new requirement record by clicking [+ Add requirement as new requirement]. |
| Added to the platform by | x | This read-only field is only visible when you are adding a known requirement. It provides the name of the organisation that added this requirement to the platform. |
| Description * | x | This field is read-only when you are adding a known requirement. Free-format text box to provide some additional context for this requirement. |
| Type * | x | This field is read-only when you are adding a known requirement. Dropdown field with the different requirement types (see the requirement types table above). |
| Publisher * | x | This field is read-only when you are adding a known requirement. The organisation or author that published this requirement. |
| Requirement scope * | | With your organisation model, you define the scope of this requirement. You can select one or multiple elements/nodes in your organisation model; to deselect, select the element again. |
| Requirement applicability | | Explanatory field to define the applicability of this requirement. Define whether it is, e.g., applicable to a particular type of product, service or geographical location. |
| Interested parties | | Define the involved interested parties, e.g. governments, industry groups and NGOs. |
| Requirement manager * | | This colleague provides day-to-day support and implementation advice related to this requirement. |
| Requirement owner | | From a management perspective, this colleague is ultimately responsible for the timely and effective implementation of this requirement. |
| Risk officer * | | The responsible risk officer for this requirement. Only platform users with the risk officer or risk manager role can be selected. |
| Tags | | The tags functionality assigns specific/internal labels to a requirement. You can search, filter and create specific reports based on these tags. For example, if you want to register all stakeholder requirements that are also part of your ISO 27001 ISMS, add a tag named "ISMS" to these requirements; at a later stage you can effortlessly search and export all stakeholder needs and expectations for your auditors. Use the tab key on your keyboard to add multiple tags. |
| Add to your 3rdRisk organisation profile * | | If this is a requirement that your clients and partners can also leverage, you can add it to your 3rdRisk organisation profile. The following fields are added: requirement name, description, type, publisher, scope and applicability. |
| Discoverable * | | If this is a general requirement or an ecosystem requirement, you can add it to the 3rdRisk platform so that other organisations can search for and adopt it in their requirements module. The following fields are added: requirement name, description, type and publisher. |

* Required field

4. Click on [Add requirement], and the requirement is added to your requirement catalogue.

Update a requirement

To update a requirement on the platform:

  1. Navigate to: Left side menu: Compliance
  2. Search for the applicable compliance requirement you would like to update
  3. Click on the sub-menu in the 'Actions column' and click 'Edit requirement'
  4. Update the requirement and click on [Edit requirement].

Remove a requirement

To remove a requirement on the platform:

  1. Navigate to: Left side menu: Compliance
  2. Search for the applicable compliance requirement you would like to remove
  3. Click on the sub-menu in the 'Actions column' and click 'Edit requirement'
  4. Click on the red coloured [Delete].

Known module limitations

  • You cannot add your own compliance types - please register any ideas at support@3rdRisk.com.
  • The 3rdRisk organisation profile is not yet implemented and available, but the choices you make (e.g. selecting that specific requirements should be published on your profile) are stored and will be processed when the profile functionality becomes available.