Do you collect and review certifications (ISO 27001, SOC 2, PCI DSS) before onboarding Tier 1 vendors?
Description
What this control does
This control establishes a vendor risk management process requiring collection and review of relevant security certifications (ISO 27001, SOC 2, PCI DSS) prior to engaging Tier 1 vendors—those with access to critical systems, sensitive data, or who provide mission-critical services. The organization maintains a centralized repository of vendor certifications, verifies their validity, currency, and scope alignment with the vendor's service delivery, and documents approval decisions before contract execution. This proactive due diligence reduces third-party risk exposure by validating that high-impact vendors maintain independently audited security controls commensurate with the organization's risk appetite.
Control objective
What auditing this proves
Demonstrate that the organization systematically collects, reviews, and validates security certifications from Tier 1 vendors before onboarding, ensuring third-party security posture meets defined risk thresholds prior to granting access or service commencement.
Associated risks
Risks this control addresses
- Onboarding vendors with insufficient security controls who subsequently suffer data breaches exposing the organization's sensitive data or customer information
- Failure to detect fraudulent, expired, or out-of-scope certifications leading to false assurance about vendor security posture
- Supply chain attacks exploiting weak security practices at third-party vendors who lack validated security programs
- Regulatory non-compliance when vendors handling regulated data (payment card, healthcare, personal data) lack required certifications such as PCI DSS
- Reputational damage and customer trust erosion following security incidents at uncertified vendors performing critical business functions
- Contractual liability and financial loss when vendor security failures violate service level agreements or data protection obligations
- Inadequate vendor security monitoring and accountability resulting from lack of baseline security standards established during onboarding
Testing procedure
How an auditor verifies this control
- Obtain the organization's vendor classification policy and confirm the definition of 'Tier 1' vendors including criteria such as data access level, system criticality, and business impact.
- Request the complete vendor inventory and filter for all Tier 1 vendors onboarded within the audit period.
- Select a representative sample of Tier 1 vendors (minimum 10 or 100% if fewer than 10) ensuring coverage across different service categories and data access types.
- For each sampled vendor, retrieve the vendor onboarding package including certification documentation, review notes, approval records, and onboarding date timestamps.
- Verify that certifications (ISO 27001, SOC 2 Type II, PCI DSS as applicable) were collected prior to the vendor's onboarding date and were valid (not expired) at time of onboarding.
- Examine documented evidence of certification review including verification of issuing body authenticity, scope alignment with services provided, and any noted exceptions or risk acceptances.
- Validate that formal approval was documented by authorized personnel (vendor risk committee, CISO, or designated authority) before contract execution or system access was granted.
- Test one instance where a vendor lacked appropriate certifications to confirm the process includes risk escalation, compensating controls documentation, or onboarding rejection procedures.