Mapped controls: NIST SP 800-53 Rev 5 SR-2 and SA-9; ISO/IEC 27001 A.15.1.1; CIS Controls 15.1

Do you check the security practices of vendors handling your data (basic questions, certifications)?

Description

What this control does

This control ensures organizations evaluate the security posture of third-party vendors and service providers before and during engagement, particularly those handling sensitive organizational data. Evaluation typically includes questionnaires covering security practices, requests for security certifications (SOC 2, ISO 27001, etc.), and validation of documented security controls. The control mitigates supply chain risk by preventing data exposure through inadequately secured vendor environments and ensuring contractual security obligations align with organizational requirements.

Control objective

What auditing this proves

Demonstrate that the organization systematically assesses and documents the security practices of vendors handling organizational data through defined evaluation criteria, security questionnaires, and verification of relevant certifications prior to engagement and periodically thereafter.

Associated risks

Risks this control addresses

  • Unauthorized access to sensitive organizational data through compromised vendor systems with inadequate access controls
  • Data breach or exfiltration resulting from vendor security incidents due to unvetted or deficient security practices
  • Non-compliance with regulatory requirements (GDPR, HIPAA, PCI DSS) caused by vendors lacking required security certifications or controls
  • Loss of data integrity or availability when vendors lack backup, disaster recovery, or business continuity capabilities
  • Intellectual property theft or competitive harm through vendors with poor data handling, classification, or disposal practices
  • Reputational damage from security failures at vendors whose practices were never assessed before granting data access
  • Inability to detect or respond to security incidents due to lack of vendor security monitoring, logging, or incident notification procedures

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's vendor security assessment policy and procedures, including criteria for selecting vendors that handle organizational data
  2. Request the inventory of all active vendors and service providers with access to organizational data, including classification of data types each vendor handles
  3. Select a representative sample of vendors across different risk tiers and data sensitivity levels for detailed examination
  4. For each sampled vendor, retrieve completed security questionnaires, assessment forms, or due diligence documentation completed during vendor onboarding
  5. Verify that security certifications claimed by vendors (SOC 2 Type II, ISO 27001, FedRAMP, etc.) are current, valid, and independently validated through examination of certification letters or reports
  6. Review vendor contracts and data processing agreements to confirm security requirements, audit rights, breach notification obligations, and liability terms are documented
  7. Validate that periodic reassessments occur for existing vendors by examining reassessment schedules, completed follow-up questionnaires, or annual certification reviews
  8. Interview procurement and vendor management personnel to confirm the process for escalating vendors who fail to meet security standards or refuse to provide required documentation

Evidence required

Vendor security assessment policy and procedures document; inventory spreadsheet or vendor management system export listing all vendors with data access; completed vendor security questionnaires for sampled vendors; copies of vendor security certifications (SOC 2 reports, ISO certificates) with validity dates; executed vendor contracts and data processing agreements highlighting security clauses; reassessment tracking logs or calendar schedules showing periodic review dates; email correspondence or decision records documenting actions taken for vendors with inadequate security practices.

Pass criteria

All sampled vendors handling organizational data have documented security assessments completed prior to engagement, including questionnaires or certification validation; contracts contain explicit security requirements; and evidence demonstrates that periodic reassessments occur at the policy-defined intervals.