VNDR-2 Vendor Risk Assessment

What is this control about?

For every vendor, partner, or supplier that your organization deals with, it is good hygiene and a compliance requirement to assess the risk of working with that vendor before exchanging any confidential data. As part of this analysis, it is important to determine the criticality of the vendor based on the type of data that will be shared.

Each organization can determine the depth of the review.

Typically, the depth of the review will depend on the criticality of the vendor. If sensitive data is to be shared with and stored by the vendor, an extensive review should be performed. If the vendor does not access any sensitive data and is used only for basic administrative functions, the review can be reduced. This judgment is at each company's discretion.

The only caveat is to document the rationale in the vendor management policy.

Available tools in the marketplace

No tools recommendation for this section.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Vendor Due Diligence available template

Control implementation

Implement a formal and repeatable review process for your vendors. The review format is up to each company; however, at a minimum, the review should include the following key elements:

  • Financial review to assess the vendor's financials and ensure that potential vendors are financially solvent
  • Media and press release review to assess any legal risks
  • Security review to assess any glaring cybersecurity issues

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested action below:

  • Provide the vendor due diligence performed for the newest vendor added

Evidence example

From the suggested action above, an example is provided below.

  • Vendor due diligence available template

No screenshot is deemed necessary, as the template provided serves as an example artifact.
