Mapped controls: NIST SP 800-53 Rev 5 SR-2, SR-3, SR-6, CA-2, SA-9; ISO/IEC 27001:2022 Annex A.5.19, A.5.20, A.5.21; CIS Controls v8 15.1, 15.2; NIST CSF

Do you have a third-party / supply-chain risk management programme (assessments, monitoring, contractual controls)?

Demonstrate that the organization has implemented a documented, repeatable process to assess, monitor, and contractually enforce cybersecurity requirements across all third-party relationships that involve access to systems, data, or critical services.

Description

What this control does

A third-party and supply-chain risk management programme systematically identifies, assesses, and monitors the cybersecurity risk introduced by vendors, suppliers, service providers, and business partners that access organizational systems, handle sensitive data, or deliver critical services. It covers the whole relationship lifecycle: pre-engagement due diligence (security assessments, questionnaires, audit reports), contractual safeguards (security requirements, right-to-audit clauses, breach notification terms), ongoing monitoring (periodic reassessments, security posture tracking, incident response coordination), and controlled off-boarding when the relationship ends. The control matters because third parties extend the attack surface beyond what the organization directly controls: in the SolarWinds incident a vendor's build process was compromised to ship a trojanized, signed software update to its customers; the Target breach began with network credentials stolen from an HVAC contractor; and numerous ransomware incidents have entered through the remote-access and management tooling that service providers hold into their customers' networks.

Control objective

What auditing this proves

Demonstrate that the organization has a documented, repeatable process to assess, monitor, and contractually enforce cybersecurity requirements across all third-party relationships that involve access to systems, data, or critical services, and that the process is actually operated: the inventory of in-scope third parties is complete and current, assessments are completed within the cadence the policy defines for each risk tier, and the required security clauses are present in executed agreements rather than only in templates.

Associated risks

Risks this control addresses

  • Unauthorized access to organizational data or systems through compromised third-party credentials or insufficiently secured vendor environments
  • Supply-chain attacks where threat actors infiltrate software updates, hardware components, or services delivered by trusted vendors to inject malware or backdoors
  • Data exfiltration or exposure when third parties fail to implement adequate encryption, access controls, or data handling practices required by contract or regulation
  • Service disruptions or ransomware propagation from third-party infrastructure failures or security incidents that cascade into organizational operations
  • Regulatory penalties and breach notification obligations triggered by third-party subprocessors or vendors who violate GDPR, HIPAA, PCI DSS, or other compliance requirements
  • Intellectual property theft or competitive intelligence loss through vendors with inadequate confidentiality controls or insider threat programmes
  • Inability to detect or respond to security incidents due to lack of visibility into third-party logging, monitoring, or incident response capabilities

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's third-party risk management policy, procedures, and any supporting frameworks or methodologies (e.g., vendor risk tiering, assessment workflows).
  2. Request a current inventory of all third parties with system access, data processing roles, or critical service delivery responsibilities, including classification by risk tier or criticality level.
  3. Select a representative sample of third-party relationships across the risk tiers (a minimum of five vendors, typically five to seven, including at least one high-risk vendor) for detailed examination.
  4. Verify that pre-engagement security assessments were completed for sampled vendors by reviewing security questionnaires, independent audit reports (for a SOC 2 Type II report, confirm that the report period and the system described cover the service actually consumed, and that any gap to the present is covered by a bridge letter; for an ISO/IEC 27001 certificate, confirm the certified scope includes the relevant service), penetration test results, or due diligence documentation with dates and responsible parties.
  5. Examine executed contracts or master service agreements for sampled third parties to confirm presence of security requirements, data protection clauses, breach notification timelines, right-to-audit provisions, and incident response coordination obligations.
  6. Review evidence of ongoing monitoring activities such as periodic reassessments, security scorecard reports, vulnerability scan results shared by vendors, or quarterly business reviews that include security posture discussions.
  7. Interview personnel responsible for third-party risk management to validate the operational implementation of documented processes, escalation procedures for identified risks, and remediation tracking mechanisms.
  8. Test a recent example where a third-party security issue was identified (through assessment, monitoring, or incident) and trace the response workflow including risk acceptance documentation, remediation requests, or vendor off-boarding decisions.

Evidence required

Artefacts collected include the third-party risk management policy and procedure documents, the complete vendor inventory with risk classifications and last assessment dates, pre-engagement security assessment reports or completed questionnaires for sampled vendors, executed contracts containing specific security and data protection clauses, evidence of ongoing monitoring activities such as automated security scorecards or scheduled reassessment calendars, and remediation tracking records or risk acceptance forms for identified third-party security gaps. Additional evidence includes interview notes with vendor management personnel, screenshots of vendor risk management platforms or tracking systems, and incident response documentation for any third-party-related security events in the past 12 months.

Pass criteria

The control passes if the organization maintains a documented third-party risk management programme with evidence of pre-engagement security assessments, contractual security controls, and ongoing monitoring for all sampled third-party relationships, and can demonstrate operational execution through current inventories, completed assessments within defined timeframes, and documented responses to identified third-party risks.
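The testing procedure and pass criteria above can be partly automated against the vendor inventory exported in step 2. The script below is an added example, not part of this controls catalogue or of any vendor risk management product: it parses a constructed inventory, flags vendors whose last assessment is older than the reassessment cadence for their tier or that were never assessed, flags executed contracts missing any of the clauses step 5 looks for, draws the cross-tier sample of step 3 (round-robin from high to low risk, so a high-risk vendor is always included), and applies the pass criteria to that sample. The tier cadences in CADENCE_DAYS and all vendor rows are assumptions made for the example; the organization's own TPRM policy supplies the real intervals and the real inventory.

```python
"""Vendor-inventory currency and contract-clause check (added example)."""
import csv
import io
from datetime import date, timedelta

# Reassessment cadence per risk tier, in days. Assumed for this example; the
# organization's TPRM policy defines the real intervals.
CADENCE_DAYS = {"high": 365, "medium": 730, "low": 1095}
TIER_ORDER = ("high", "medium", "low")

# Contract clauses that step 5 of the testing procedure looks for.
REQUIRED_CLAUSES = (
    "security_requirements",
    "data_protection",
    "breach_notification",
    "right_to_audit",
    "incident_coordination",
)

# Audit date used for the walkthrough (assumed).
AS_OF = date(2025, 6, 1)

# Constructed sample inventory, not real vendor data. 'clauses' lists the
# security clauses found in the executed contract, separated by ';'.
SAMPLE_INVENTORY = """\
vendor,tier,access,last_assessment,clauses
Acme Payroll,high,employee PII,2024-02-10,security_requirements;data_protection;breach_notification;right_to_audit;incident_coordination
CloudHost Ltd,high,production hosting,2025-01-15,security_requirements;data_protection;breach_notification;incident_coordination
Contract Dev Shop,high,source repositories,2024-09-30,security_requirements;data_protection;breach_notification;right_to_audit;incident_coordination
Bulk Mailer,medium,customer email addresses,2023-03-01,security_requirements;data_protection;breach_notification;right_to_audit;incident_coordination
Analytics SaaS,medium,usage telemetry,,security_requirements;data_protection;breach_notification;right_to_audit;incident_coordination
Legal Counsel LLP,low,contract documents,2024-11-05,security_requirements;data_protection;breach_notification;right_to_audit;incident_coordination
Office Supplies Co,low,none,2023-01-20,security_requirements;data_protection;breach_notification;right_to_audit
"""


def parse_inventory(text):
    """Parse the CSV inventory into dicts with typed fields; reject unknown tiers."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        tier = row["tier"].strip().lower()
        if tier not in CADENCE_DAYS:
            raise ValueError(f"{row['vendor']}: unknown tier {tier!r}")
        last = row["last_assessment"].strip()
        rows.append({
            "vendor": row["vendor"].strip(),
            "tier": tier,
            "access": row["access"].strip(),
            "last_assessment": date.fromisoformat(last) if last else None,
            "clauses": {c.strip() for c in row["clauses"].split(";") if c.strip()},
        })
    return rows


def find_gaps(rows, today):
    """Return (vendor, issue) findings: never assessed, assessment older than
    the tier cadence, or a required contract clause missing."""
    findings = []
    for r in rows:
        cadence = timedelta(days=CADENCE_DAYS[r["tier"]])
        if r["last_assessment"] is None:
            findings.append((r["vendor"], "never_assessed"))
        elif today - r["last_assessment"] > cadence:
            age = (today - r["last_assessment"]).days
            findings.append((r["vendor"], f"assessment_overdue:{age}d"))
        for clause in REQUIRED_CLAUSES:
            if clause not in r["clauses"]:
                findings.append((r["vendor"], f"missing_clause:{clause}"))
    return findings


def select_sample(rows, minimum=5):
    """Draw the step-3 sample: round-robin across tiers from high to low, so at
    least one high-risk vendor is included whenever one exists."""
    by_tier = {t: sorted(r["vendor"] for r in rows if r["tier"] == t) for t in TIER_ORDER}
    sample = []
    while len(sample) < minimum and any(by_tier.values()):
        for t in TIER_ORDER:
            if by_tier[t] and len(sample) < minimum:
                sample.append(by_tier[t].pop(0))
    return sample


def evaluate(rows, today, minimum=5):
    """Apply the pass criteria to the sample: it passes only if no sampled
    vendor has an open finding."""
    sample = select_sample(rows, minimum)
    gaps = [f for f in find_gaps(rows, today) if f[0] in set(sample)]
    return {"sample": sample, "findings": gaps, "passes": not gaps}


if __name__ == "__main__":
    result = evaluate(parse_inventory(SAMPLE_INVENTORY), AS_OF)
    for vendor, issue in result["findings"]:
        print(f"{vendor}: {issue}")
    print("PASS" if result["passes"] else "FAIL")
```

With the constructed data the sample fails: two high-risk vendors are overdue or missing a right-to-audit clause, one medium-risk vendor has never been assessed, and another is past its two-year cadence. The script only checks what the inventory records; an auditor still has to confirm the underlying assessment reports and executed contracts exist, which is why steps 4 and 5 review the artefacts themselves.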