Assessing the Information Security of a Recovery Audit Provider

Assessing the Information Security of a Recovery Audit Provider

One of the first steps a company needs to consider when looking for a recovery audit provider is clearly defining and documenting the expectations of the provider. The expectations will be shaped by both the company’s industry and locations of operation. Some examples of such expectations include:

  • Confidentiality requirements
  • Breach notification procedures including timelines
  • What to do if the service ends
  • Return or destruction of data
  • Subcontractors usage rules
  • Liability allocation
  • Data residency


Once expectations are determined, the potential recovery audit provider needs to be evaluated to determine whether they can meet those expectations. This can take several forms such as security assessment questionnaires and/or independent audit reports, including SOC 2 audit or ISO 27001 certification. In addition to evaluating the provider, their competency to deliver the specified needs should also be measured. Many smaller players may not be able to dedicate full teams solely to data security. Companies need to look for certifications demonstrating competency and adequate security funding to ensure robust security operations are established. On certification in particular is the ISO 27001.


ISO 27001 Certification

The ISO 27001 certification demonstrates that an information security management system (ISMS) meets rigorous international standards for ensuring the confidentiality, integrity and availability of its systems and data. PRGX’s compliance with this standard exemplifies its commitment to protecting highly sensitive client data through repeatable, consistent processes, including data transmission, access controls and management of third parties.


ISO27001 is a risk-based framework. It is designed to ensure that risks are identified, and appropriate mitigating controls are implemented. It is not prescriptive – meaning it does not state for example that encryption is required or that backups should be performed every 24 hours. It does, however, require that appropriate controls be implemented to mitigate identified risks. For example, encryption may be a control selected to protect the risk of data breach if the data is sensitive; backups may be needed every four hours if more extensive transaction loss would be catastrophic to the business.


Want to learn more?

For more information, download the e-book The Importance of Data Privacy and Security Across Source-to-Pay or watch PRGX’s webinar: Evolution of Data Privacy and Security Across Source-to-Pay.

Share this post