VNDR-9 Vendor Monitoring

What is this control about?

Vendor Monitoring Control states that vendors must be classified according to the type of data being held. A good compliance hygiene and compliance requirement is to perform an annual review of the vendor to determine whether or not their risk level has changed and to identify any major changes that can affect the organization.

It is up to the organization to determine the criticality of the vendors and determine the ones that may require an annual review. The results must be documented within the vendor management policy.

Available tools in the marketplace

Tools:

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

• Annual Vendor Monitoring template

Control implementation

To implement this control,

1. Take an inventory of all your vendors and classify them by criticality. The most critical vendors are those that house critical or sensitive data.
2. Define a monitoring process for all your vendors and assign a monitoring frequency. For example, you may decide to only monitor critical vendors annually.
3. Ensure your monitoring review includes the review of the vendor’s third-party assessment (i.e., SOC 2, ISO 27001, PCI, etc.). These third-party assessments must be reviewed to identify any potential security impacts.
4. Perform the review according to the process and frequency documented in your process.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Provide the most recent monitoring review for a critical vendor.

Evidence example

For the suggested action, an example is provided below:

1. Provide the most recent monitoring review for a critical vendor.

The vendor monitoring template serves as an example.