
VNDR-9 Vendor Monitoring


What is this control about?

Vendors must be classified according to the type of data they hold. For any vendor assigned a high criticality rating, good compliance hygiene, and a compliance requirement, is to perform an annual review of the vendor to determine whether its risk level has changed and to identify any major changes that could affect the organization.

It is up to each company to determine the criticality of its vendors and to identify which of them require an annual review. The results should be documented within the vendor management policy.

Available tools in the marketplace

No tools recommendation for this section.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Take an inventory of all your vendors and classify them by criticality. The most critical vendors are those housing critical or sensitive data.

Define a monitoring process for all your vendors and assign a monitoring frequency. For example, you may decide to monitor only critical vendors, and to do so annually. Ensure your monitoring review includes a review of the vendor's third-party assessment (e.g. SOC 2, ISO 27001, PCI, etc.). These third-party assessments must be reviewed to identify any potential security impact, such as exceptions or findings noted by the assessor.

Perform the review according to the process and frequency you documented.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested action below:

  • Provide the most recent monitoring review for a critical vendor

Evidence example

From the suggested action above, an example is provided below.

  1. Provide the most recent monitoring review for one critical vendor.

See vendor monitoring template

No screenshot is deemed necessary, as the template provided serves as the artifact example.
