ELI5: What is Vendor Assessment?

Before you let someone babysit your little sister, your parents check their references and make sure they’re trustworthy. A vendor assessment is how companies check that an outside partner has good enough security before sharing sensitive data with them.

Definition

Vendor assessment (also called third-party risk assessment or vendor due diligence) is the process of evaluating a vendor’s security posture before entering a business relationship and again on a recurring basis for as long as the relationship lasts. Assessment methods include security questionnaires (such as the Standardized Information Gathering — SIG — questionnaire), review of SOC 2 reports, ISO 27001 certificates, and penetration test results, and on-site audits for high-criticality vendors. The depth of the assessment should be commensurate with the risk the vendor poses to the organization.

Key Details

  • Risk-tier vendors by data sensitivity and criticality: high-risk vendors (those that handle PHI, PII, or financial data) warrant more rigorous assessment
  • Common assessment tools: SIG questionnaire (Shared Assessments), VSAQ (Google’s Vendor Security Assessment Questionnaire), CSA CAIQ for cloud vendors
  • SOC 2 Type II reports provide the most comprehensive third-party assurance without a direct audit
  • Vendor assessments should be conducted: before onboarding, annually thereafter, and after significant vendor security incidents
  • Exam tip: vendor assessment = due diligence before and during vendor relationships; right-to-audit = contractual mechanism to verify; SOC 2 = the report produced

Connections