Vendor Management

Track and assess third-party security risks

Third-party vendors extend your security perimeter. Managing vendor risk is essential for compliance.

Vendor Register

Maintain a register of:

  • Service providers: Cloud platforms, SaaS applications, consultants
  • Suppliers: Hardware and software vendors
  • Partners: Business partners with data access
  • Contractors: Temporary staff and outsourced teams

[Screenshot: Vendor Register] Placeholder: Vendor table with risk ratings and contract status

Vendor Assessment

For each vendor, document:

  • Service scope: What the vendor provides
  • Data access: What data they can access
  • Risk level: Low, medium, high, critical
  • Compliance status: Their certifications (SOC 2, ISO 27001, etc.)
  • Contract details: Terms, renewal dates, SLAs

Risk-Based Approach

Focus assessment effort on high-risk vendors:

  • Critical vendors: Those with access to sensitive data or critical systems
  • High-volume data processors: Vendors handling large amounts of customer data
  • Shared infrastructure: Cloud and hosting providers

[Screenshot: Vendor Risk Assessment] Placeholder: Vendor detail showing risk factors and assessment

Monitoring Vendors

Track vendor compliance:

  • Request and review their security certifications
  • Monitor for security incidents affecting the vendor
  • Schedule periodic re-assessments
  • Document vendor security reviews in the audit trail

Linking Vendors

Connect vendors to:

  • Controls: Which controls cover vendor management
  • Risks: Third-party risks in your risk register
  • Assets: Systems and data the vendor accesses
  • Incidents: Security events involving the vendor

Next Steps