VEN-01: Third-Party Risk Assessment
Objective
Manage security risks from third-party relationships.
Description
Vendors with access to company systems or data undergo a security assessment proportionate to their risk. High-risk vendors complete a security questionnaire. Security requirements are included in vendor contracts.
Implementation Details
Vendor Classification: Vendors are classified by risk level based on the sensitivity of the data they access and the criticality of the service they provide. High-risk vendors require a detailed assessment.
Security Questionnaire: High-risk vendors complete a security questionnaire (SIG Lite or a custom questionnaire). Responses are reviewed for red flags such as gaps in encryption, access control, or incident response. Because questionnaire answers are self-attested, material claims are cross-checked against independent evidence (SOC 2 report, penetration test summary) where available.
Contract Requirements: Vendor contracts include security requirements, audit rights, data handling obligations, and breach notification timelines.
Annual Review: The security posture of each high-risk vendor is reviewed annually. Updated documentation is requested (SOC 2 report, ISO 27001 certificate, penetration test summary) and checked for scope, reporting period, noted exceptions, and any complementary user entity controls the vendor expects the organization to operate.
Examples
- AWS, GitHub, Okta classified as high-risk, annual SOC 2 reports reviewed
- New payment processor completed security questionnaire, passed review
- Vendor contracts include 72-hour breach notification requirement
- Annual vendor security reviews completed Q1 2024 for all high-risk vendors
Audit Evidence
- Vendor risk assessment procedure
- Vendor inventory with risk classifications
- Completed security questionnaires
- Vendor SOC 2 / ISO 27001 reports
Framework Mapping
SOC 2
- CC9.2 ^[Vendor risk assessment evaluates subservice organizations’ controls relevant to security objectives]
GDPR
- Article 28 ^[Vendor assessment ensures processors provide sufficient guarantees of appropriate technical and organizational measures]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Processes:
- Vendor Risk Assessment Process ^[8-step vendor assessment: request, screening, questionnaire, risk analysis, legal review, technical review, approval, ongoing monitoring]
Charter: