SA-9(7) / A.15.1.2 / CIS-15.3 NIST SP 800-53 Rev 5

Do you have a documented exit plan for Tier 1 vendors (data return, transition timeline, alternate provider)?

Demonstrate that documented exit plans exist for all Tier 1 vendors and include enforceable provisions for data return, defined transition timelines, and identified alternate providers to ensure business continuity during vendor termination scenarios.

Description

What this control does

This control requires documented exit plans for Tier 1 (critical/high-impact) vendors that specify data return procedures, transition timelines, and identification of alternate providers. Exit plans enable organizations to terminate vendor relationships without operational disruption, data loss, or vendor lock-in. These plans should address data extraction formats, service continuity during transition, knowledge transfer requirements, and pre-vetted replacement vendors to minimize downtime if a Tier 1 vendor becomes insolvent, breaches contract, or experiences a security incident.

Control objective

What auditing this proves

Demonstrate that documented exit plans exist for all Tier 1 vendors and include enforceable provisions for data return, defined transition timelines, and identified alternate providers to ensure business continuity during vendor termination scenarios.

Associated risks

Risks this control addresses

  • Vendor insolvency or sudden service termination leaves critical business functions without operational systems and no immediate replacement
  • Proprietary data formats or vendor-controlled encryption keys prevent data extraction, resulting in permanent loss of organizational data
  • Absence of alternate providers forces acceptance of unfavorable contract terms or prolonged service with a compromised or non-performing vendor
  • Extended transition timelines without interim continuity measures cause business disruption affecting customer commitments and revenue
  • Vendor refusal to return data in usable formats during contentious contract termination creates legal disputes and operational paralysis
  • Lack of documented procedures results in ad-hoc migration attempts that introduce data integrity issues or incomplete data transfer
  • Dependency on a single Tier 1 vendor without exit planning gives the vendor a leveraged negotiating position during renewal cycles

Testing procedure

How an auditor verifies this control

  1. Obtain the current vendor classification matrix or Tier 1 vendor inventory identifying all vendors classified as critical or high-impact based on documented risk criteria
  2. Request exit plans or vendor termination procedures for each Tier 1 vendor from vendor management, procurement, or legal departments
  3. Review each exit plan document to verify it includes explicit data return provisions specifying data formats, delivery methods, timelines, and validation procedures
  4. Verify that each exit plan defines measurable transition timelines with phase gates, resource assignments, and maximum allowable transition durations
  5. Confirm that each exit plan identifies at least one alternate provider by name or describes market alternatives with capability assessment and selection criteria
  6. Select a sample of 3-5 Tier 1 vendor contracts and cross-reference contract termination clauses against documented exit plan provisions for consistency and enforceability
  7. Interview vendor management or business relationship owners for sampled vendors to assess their familiarity with exit plan contents and readiness to execute
  8. Verify that exit plans have defined review cycles and evidence of periodic updates reflecting changes in vendor services, business criticality, or market alternatives

Evidence required

Collect vendor classification documentation identifying Tier 1 vendors and risk criteria; exit plan documents for each Tier 1 vendor containing data return procedures, transition timelines, and alternate provider identification; contract excerpts showing termination clauses and data return obligations; interview notes or attestations from vendor relationship owners; and evidence of exit plan review dates or change control records demonstrating periodic maintenance.

Pass criteria

All identified Tier 1 vendors have documented exit plans that specify data return procedures with formats and timelines, define measurable transition timelines, and identify at least one alternate provider or documented selection approach, with evidence of periodic review within the past 12 months.