Do you maintain a complete inventory of third parties that access, process, or store your data?
Demonstrate that the organization maintains a complete, accurate, and current inventory of all third parties with access to, processing capability for, or storage of organizational data, including sufficient detail to support vendor risk assessment and incident response activities.
Description
What this control does
This control requires the organization to maintain a current, comprehensive inventory of all third-party vendors, service providers, contractors, and partners who have access to, process, transmit, or store organizational data. The inventory should include identifying details such as vendor name, data categories handled, access methods, system touchpoints, and classification of data exposure. Maintaining this inventory enables risk-based vendor management, informs incident response scoping, supports compliance reporting, and ensures accountability throughout the supply chain.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, accurate, and current inventory of all third parties with access to, processing capability for, or storage of organizational data, including sufficient detail to support vendor risk assessment and incident response activities.
Associated risks
Risks this control addresses
- Unidentified third-party data breach or compromise goes undetected because the organization lacks awareness of the vendor relationship and cannot assess impact
- Unauthorized data sharing or exfiltration occurs through undocumented third-party connections that bypass security controls and monitoring
- Inadequate contractual protections and audit rights exist with vendors whose relationships were never formally cataloged or reviewed
- Incident response and forensic investigation efforts are delayed or incomplete due to lack of visibility into third-party data flows and access pathways
- Regulatory non-compliance and penalties result from inability to demonstrate knowledge and oversight of entities handling regulated data
- Orphaned vendor access credentials and integrations persist after contract termination because the relationship was not tracked in a centralized inventory
- Supply chain attacks propagate undetected through undocumented third-party access points that lack monitoring and threat intelligence coverage
Testing procedure
How an auditor verifies this control
- Obtain the organization's official third-party inventory document, database export, or system report that purports to list all vendors with data access, processing, or storage capabilities
- Review the inventory schema to verify it captures essential attributes including vendor name, contact information, data types handled, data classification levels, access methods, system integrations, contract dates, and assigned risk ratings
- Select a sample of recent vendor contracts, statements of work, and data processing agreements from legal and procurement systems to cross-reference against the inventory
- Identify any vendors in the sampled contracts that are absent from the inventory and document discrepancies with specific vendor names and contract references
- Interview system owners and application managers for critical systems to identify third-party service providers, API integrations, cloud services, and data processors supporting those systems
- Review firewall rules, VPN access logs, API gateway configurations, and cloud service provider connection logs to identify external entities with network or system access
- Compare the list of entities discovered through technical review and interviews against the inventory to identify undocumented third parties with data access
- Examine the inventory maintenance process including update frequency, ownership assignment, data sources, and validation procedures to assess completeness and currency controls
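The cross-referencing steps above (inventory schema review, contract sampling, and comparison against technically discovered entities) can be automated once the inventory is exported as records. The following is an added example, not part of this control text; the vendor names, contract set and discovered-access map are constructed sample data, and the field names are an assumed schema matching the attributes the testing procedure lists.

```python
"""Reconcile a third-party inventory export against procurement records and
externally observed access (constructed sample data, assumed field names)."""
from datetime import date

# Attributes the schema review expects each inventory record to carry
REQUIRED_FIELDS = {"vendor", "contact", "data_types", "classification", "access_method",
                   "integrations", "contract_start", "contract_end", "risk_rating"}

# Constructed inventory export; "print-shop" is deliberately incomplete
INVENTORY = [
    {"vendor": "payroll-saas", "contact": "ops@example.invalid", "data_types": ["PII", "salary"],
     "classification": "confidential", "access_method": "SFTP", "integrations": ["hr-system"],
     "contract_start": date(2023, 1, 1), "contract_end": date(2025, 12, 31), "risk_rating": "high"},
    {"vendor": "crm-vendor", "contact": "acct@example.invalid", "data_types": ["customer PII"],
     "classification": "confidential", "access_method": "API", "integrations": ["web-app"],
     "contract_start": date(2022, 6, 1), "contract_end": date(2024, 5, 31), "risk_rating": "medium"},
    {"vendor": "print-shop", "data_types": ["marketing"], "classification": "public",
     "access_method": "email"},
]
# Constructed: vendors named in sampled contracts / DPAs pulled from procurement
CONTRACTED = {"payroll-saas", "crm-vendor", "analytics-co"}
# Constructed: external entities seen in firewall, VPN and API-gateway review
DISCOVERED_ACCESS = {"payroll-saas": "SFTP", "crm-vendor": "API", "backup-provider": "VPN"}

def incomplete_records(inventory):
    """Records missing any attribute the schema review expects, keyed by vendor."""
    return {r["vendor"]: sorted(REQUIRED_FIELDS - set(r))
            for r in inventory if REQUIRED_FIELDS - set(r)}

def contracts_not_inventoried(inventory, contracted):
    """Vendors appearing in sampled contracts that the inventory does not list."""
    return sorted(contracted - {r["vendor"] for r in inventory})

def undocumented_access(inventory, discovered):
    """Entities with observed network or API access that the inventory omits."""
    return sorted(set(discovered) - {r["vendor"] for r in inventory})

def orphaned_access(inventory, discovered, today):
    """Inventoried vendors whose contract has ended but who still hold access."""
    return sorted(r["vendor"] for r in inventory
                  if r["vendor"] in discovered and "contract_end" in r
                  and r["contract_end"] < today)

if __name__ == "__main__":
    print("incomplete records:", incomplete_records(INVENTORY))
    print("contracted but not inventoried:", contracts_not_inventoried(INVENTORY, CONTRACTED))
    print("access without inventory entry:", undocumented_access(INVENTORY, DISCOVERED_ACCESS))
    print("orphaned access:", orphaned_access(INVENTORY, DISCOVERED_ACCESS, date(2025, 1, 15)))
```

Each finding maps to a discrepancy the auditor documents: a gap in the schema, a contract with no inventory entry, an access path nobody catalogued, or access that outlived its contract.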