
Your supply chain is part of your attack surface.

A vendor's security failure becomes your incident. Supply chain compromises now account for a significant proportion of major breaches affecting Australian organisations — and regulators including APRA are increasingly focused on whether organisations can demonstrate they've assessed and managed the risk their suppliers carry on their behalf.

Supplier risk managed continuously, not episodically.

Most organisations approach third-party risk reactively — assessing a vendor when onboarding, then not again until something goes wrong. Cliffside runs a structured, ongoing programme that keeps your supplier register current, your assessments up to date, and your risk tiering accurate as your supplier base evolves.

Supplier register & tiering

A structured inventory of your suppliers, classified by criticality, data access, and risk potential. Tiering determines assessment frequency and depth — ensuring your highest-risk suppliers receive proportionate scrutiny without overwhelming the programme with low-risk vendors.

Security questionnaires

Structured security questionnaires dispatched and managed on your behalf — covering controls, certifications, incident history, subprocessor relationships, and contractual security obligations. We chase responses, evaluate answers, and flag gaps.

Evidence review

Review of supplier-provided evidence — ISO 27001 certificates, SOC 2 reports, penetration test summaries, and policy documentation. We validate that evidence is current, scoped appropriately, and substantive rather than cosmetic.

Risk treatment & exception management

Where gaps are identified, we work with you to determine the appropriate treatment — contractual remediation, compensating controls, or formal risk acceptance. Exceptions are documented, time-limited, and reviewed on schedule.

Ongoing monitoring

Continuous monitoring of your critical suppliers for publicly reported incidents, data breaches, and adverse events — so you're not relying on suppliers to self-disclose problems they may have reason to minimise.

Programme reporting

Regular reporting on programme status — assessments completed, outstanding responses, open exceptions, and risk exposure by tier. Board and audit-ready output aligned to your regulatory obligations.

ISO 27001 Annex A.5.19, APRA CPS 234 paragraph 36, NIST CSF ID.SC, Privacy Act

Proportionate assessment for every supplier tier.

Not every supplier warrants the same level of scrutiny. A critical infrastructure provider with access to your core systems needs different treatment than a commodity SaaS tool used by two people. Our tiering model ensures effort is applied where risk is highest.

Critical suppliers

Suppliers with access to sensitive data, critical systems, or operational dependencies. Full questionnaire, evidence review, annual reassessment, and ongoing incident monitoring.

Important suppliers

Suppliers with limited data access or non-critical system integration. Streamlined questionnaire, certificate review, biennial reassessment.

Low-risk suppliers

Commodity suppliers with no meaningful data access. Register entry, self-attestation, and exception-based review only.

Know what your suppliers are carrying.

Start with a supplier register and risk tiering exercise. We'll give you a clear picture of your current third-party exposure and a roadmap for getting it under management.