Second-Party Audits: How to Assess Your Suppliers and Service Providers Yourself
Second-party audit explained: when to assess suppliers and processors yourself, how the process works, and why it secures your supply chain against risk.
In short
A second-party audit is an assessment in which a customer checks its own supplier or service provider, either directly or through an appointed auditor. It does not result in an ISO certificate but in robust evidence and confidence for the customer. The methodology comes from ISO 19011:2026, while the audit criteria come from ISO/IEC 27001 and ISO/IEC 42001.
Auf Deutsch lesen: deutsche Fassung
A customer sends you a supplier questionnaire with 80 questions on information security. You pass it straight on to your own cloud provider. What comes back is a PDF with tidy checkmarks and a logo. The question no one asks in that moment: is any of it actually true? This is precisely where the topic of the second-party audit begins.
The three types of audit in one sentence
Anyone who wants a say in auditing needs to keep three terms cleanly apart. They differ not in methodology, but in who audits and whom.
- First-party audit (internal audit): you audit yourself. Your own organisation checks whether its own management system works.
- Second-party audit: you audit another party with whom you have a business relationship. The customer checks its own supplier or service provider, either directly or through an appointed auditor.
- Third-party audit: an independent, accredited certification body audits and, in the end, issues the certificate.
Important for context: a second-party audit does NOT lead to an ISO certificate. It leads to something else that is often more valuable in day-to-day business, namely robust evidence and confidence for exactly the party that carries the risk: you.
What a second-party audit actually is
Imagine you hand off part of your value creation: you have data hosted externally, you buy in an AI component, you outsource your accounting. The moment someone else works for you, their risk becomes your risk. The second-party audit is the tool with which you make that external risk visible before it becomes yours.
You define what matters to you, verify it on site or remotely against evidence, and end up with a realistic picture instead of a self-declaration. That is the decisive difference from a questionnaire: in an audit you verify rather than believe.
A questionnaire tells you what a provider claims about itself. An audit shows you what it actually does.
Why you should actively audit your supply chain
The most common misconception: "My provider has a certificate, so I'm covered." A certificate says that a defined scope was assessed at some point. Whether that scope covers precisely the service you are buying is another matter entirely. A second-party audit closes this gap because it focuses on exactly your use case.
The second reason is liability. When something goes wrong at your processor, it is usually you who has to answer to your own customers. Those who know their chain do not carry the blame blindly for others' mistakes and can, if it comes to it, demonstrate that they selected and monitored carefully.
The third reason is simply the market. Large customers today demand evidence across the entire chain. Those who have their own suppliers under control do not stumble on the customer questionnaire; they score with it.
The legal framework: GDPR Article 28 as a duty of care
As soon as personal data is involved, the GDPR sets a clear direction. Under Article 28, a controller may only use processors that provide "sufficient guarantees" of appropriate technical and organisational measures. This is a duty of selection and care: you should form a picture before you entrust anyone with your data.
To avoid any misunderstanding: the law does not strictly mandate a formal supplier audit. It does, however, require you to assess the suitability of your provider and keep it under review. In practice, an audit is the strongest means of demonstrating and testing precisely this due diligence, voluntary but effective. This is context, not legal advice; the concrete assessment in an individual case belongs in the hands of qualified lawyers.
Why this topic is gaining weight right now
On 11 November 2025, Germany's Federal Court of Justice ruled in a widely noted case (ref. VI ZR 396/24) concerning a data breach. Important and often misreported: the court did not convict anyone. It referred the matter back to the lower court, the Higher Regional Court. So there is no final judgment, but a sharpening of the standards.
That sharpening carries real weight: the mere loss of control over one's own personal data can constitute compensable non-material damage within the meaning of Article 82 GDPR, without any concrete misuse having to be proven. The order of magnitude per affected person is small, in the low three-figure euro range. With many affected individuals, however, that adds up quickly.
The lesson for the topic is sober and positive at once: due diligence in selecting and monitoring providers that process personal data is gaining in importance. This is no reason to panic, but a good occasion to get your own supply chain confidently under control before anyone else asks about it.
Those who know their supply chain steer their risk. Those who do not know it carry it anyway.
Which standard supplies the audit criteria?
An audit needs two things: a procedure and a benchmark. International standards supply both, and both can be used even without any intention to certify.
- ISO 19011:2026 is the guideline for auditing management systems. It describes how to audit professionally, from planning through collecting evidence to the report. It explicitly applies to second-party audits as well.
- ISO/IEC 27001 supplies the substantive audit criteria for information security. Against it you measure whether a provider protects your data appropriately.
- ISO/IEC 42001 supplies the criteria for an AI management system. Against it you check whether a supplier that uses AI for you, or supplies it, governs that AI responsibly and traceably.
The appeal here: you do not have to reinvent the wheel. The standards hand you a proven checklist that your supplier cannot wriggle past, and that is fair and transparent for them because it is publicly available to read.
How a second-party audit works in practice
A good supplier audit is not a spot check based on gut feeling, but a structured procedure. As a rule it runs in five steps and can usually be done in one to two days, on site or remotely.
- Define the scope: which service, which data, which AI systems are we auditing? Precision pays off here.
- Choose the criteria: which requirements from ISO 27001, ISO 42001 or the contract set the benchmark?
- Collect and verify evidence: documents, systems, interviews. Do not believe, have it substantiated.
- Formulate findings: what fits, what does not, where is action needed?
- Report and follow-up: a clear result that you, as the customer, can use for your decision and your documentation.
You can do this yourself if you have the competence in house, or entrust an independent appointed auditor with it. Both are second-party audits. The only difference from an internal audit is that it is not your own system being assessed, but someone else's.
Supplier audit as a competitive advantage, not bureaucracy
I rarely experience second-party audits as a tiresome obligation and almost always as a gain in insight for both sides. The customer gains certainty about what it is buying. The audited provider gains an honest outside view and often concrete pointers that make it better. A check turns into a better business relationship.
These are exactly the kind of independent second-party audits I offer: as a customer audit of your suppliers and service providers, with ISO 27001 and ISO 42001 as the benchmark and ISO 19011 as the methodology. The result is not a certificate, but something that helps you more in day-to-day business: clarity about whether you can rely on your chain.
Frequently asked questions
What is the difference between first-, second- and third-party audits?+
In a first-party audit, an organisation audits itself (internal audit). In a second-party audit, a customer audits its supplier or service provider, either directly or through an appointed auditor. In a third-party audit, an independent, accredited certification body audits and issues the certificate. Only the third-party audit leads to an ISO certificate.
Does the GDPR strictly mandate a supplier audit?+
No. Under Article 28, the GDPR requires a controller to use only processors that provide sufficient guarantees of appropriate technical and organisational measures. This is a duty of selection and care. A formal audit is not legally mandatory, but in practice it is the strongest means of testing and demonstrating this due diligence. This is context, not legal advice.
Does a second-party audit give me an ISO certificate?+
No. A second-party audit does not lead to a certificate. It leads to robust evidence and confidence for the customer. A certificate can be issued exclusively by an independent, accredited certification body as part of a third-party audit.
Which standards do I need for a supplier audit?+
ISO 19011 supplies the audit methodology and explicitly applies to second-party audits as well. The substantive audit criteria come, depending on the topic, from ISO/IEC 27001 (information security) or ISO/IEC 42001 (AI management system). Together they give you a proven procedure and a transparent benchmark.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)
Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.