SR-6 / CA-2 / A.15.2.1 / CIS-15.2 NIST SP 800-53 Rev 5

Are Tier 1 vendors reassessed at least annually (refreshed questionnaire, updated certs, security ratings)?

Demonstrate that all Tier 1 vendors have been reassessed within the past 12 months through documented questionnaire updates, certification reviews, and security rating evaluations.

Description

What this control does

This control ensures that vendors classified as Tier 1 (highest risk or criticality) undergo a comprehensive annual reassessment of their security posture. The reassessment includes requesting updated security questionnaires, collecting current compliance certifications (SOC 2, ISO 27001, etc.), and reviewing third-party security ratings from platforms like SecurityScorecard or BitSight. This annual cycle ensures that the organization maintains current visibility into vendor risk as threat landscapes, vendor infrastructure, and compliance postures evolve over time.

Control objective

What auditing this proves

Demonstrate that all Tier 1 vendors have been reassessed within the past 12 months through documented questionnaire updates, certification reviews, and security rating evaluations.

Associated risks

Risks this control addresses

  • A Tier 1 vendor experiences a material security degradation (breach, certification lapse, infrastructure decay) that goes undetected between initial assessment and subsequent annual cycles
  • Vendor compliance certifications expire or are not renewed, invalidating contractual security obligations and creating regulatory exposure for the organization
  • Changes in vendor ownership, merger activity, or subprocessor relationships introduce new supply chain risks that are not identified without periodic reassessment
  • Security ratings decline due to externally observable vulnerabilities (exposed services, certificate issues, leaked credentials) without triggering vendor review
  • Vendors misrepresent their security posture during initial onboarding, and the lack of annual verification allows persistent control gaps to remain unaddressed
  • Regulatory requirements for periodic vendor due diligence (GDPR Article 28, PCI-DSS 12.8, HIPAA subcontractor oversight) are not satisfied, resulting in audit findings or enforcement actions
  • Internal vendor risk tier classifications become stale as business relationships expand or contract, causing reassessment cycles to miss newly elevated vendors

Testing procedure

How an auditor verifies this control

  1. Obtain the current vendor inventory with tier classifications and identify all vendors designated as Tier 1 based on documented risk criteria
  2. Request the vendor risk management policy and procedure documents to confirm the defined reassessment frequency and required reassessment activities for Tier 1 vendors
  3. For each Tier 1 vendor, retrieve the initial assessment date and all subsequent reassessment records from the vendor risk management system or GRC platform
  4. Select a representative sample of Tier 1 vendors (minimum 10 or 100% if fewer than 10 exist) and collect evidence of the most recent reassessment performed
  5. Verify that each sampled vendor's reassessment package includes a refreshed security questionnaire completed within the last 12 months, comparing responses to prior submissions to identify material changes
  6. Review updated compliance certifications (SOC 2 Type II reports, ISO 27001 certificates, PCI-DSS AOCs) collected during reassessment and confirm they are current and cover relevant services
  7. Examine security rating reports or scorecards obtained from third-party platforms during the reassessment period and verify they have been reviewed by appropriate personnel
  8. Identify any Tier 1 vendors whose most recent reassessment occurred more than 12 months prior to the audit date and document exceptions with business justification or remediation plans

Evidence required

Vendor inventory export with tier classifications and last reassessment dates; vendor risk management policy defining reassessment requirements; reassessment completion records including timestamped questionnaire submissions, uploaded certification documents (SOC 2 reports, ISO certificates), and security rating reports from BitSight, SecurityScorecard, or similar platforms; email correspondence or ticketing system records showing reassessment requests sent to vendors; risk assessment summaries or scorecards generated post-reassessment showing any identified gaps or action items.

Pass criteria

100% of Tier 1 vendors have documented reassessments completed within the past 12 months that include refreshed questionnaires, updated certifications where applicable, and current security ratings or equivalent external validation.
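The testing procedure and pass criteria above can be applied mechanically to a vendor inventory export. The script below is an added example, not tooling from the page or from any GRC platform: it assumes a constructed inventory schema (vendor name, tier, most recent questionnaire date, certificate validity windows, and the date a person last reviewed the security rating), flags every Tier 1 vendor whose evidence is missing, stale, or expired (steps 5 to 8), computes the step 4 sample size, and reports whether the 100% pass criterion is met. The sample vendors and dates are constructed for illustration.

```python
"""Evaluate a vendor inventory export against the Tier 1 annual reassessment control.

Added illustration; the record layout and sample vendors are constructed
assumptions, not an export format of any particular GRC platform.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    tier: int
    questionnaire_date: Optional[date]            # most recent completed questionnaire
    certs: Dict[str, Tuple[date, date]] = field(default_factory=dict)  # cert -> (issued, expires)
    rating_review_date: Optional[date] = None     # when staff last reviewed the scorecard


# Constructed sample export (fictitious vendors) with an audit date to test against.
AUDIT_DATE = date(2024, 6, 30)
VENDORS = [
    Vendor("Payroll SaaS", 1, date(2024, 1, 15),
           {"SOC 2 Type II": (date(2023, 11, 1), date(2024, 10, 31))},
           date(2024, 1, 20)),                                   # fully current
    Vendor("Cloud Hosting", 1, date(2023, 5, 2),                 # questionnaire > 12 months old
           {"ISO 27001": (date(2022, 3, 1), date(2025, 2, 28))},
           date(2024, 2, 1)),
    Vendor("Card Processor", 1, date(2024, 3, 3),
           {"PCI-DSS AOC": (date(2023, 2, 1), date(2024, 1, 31))},  # AOC expired before audit
           None),                                                # rating never reviewed
    Vendor("Office Supplies", 3, None),                          # not Tier 1, out of scope
]


def _within_window(d: Optional[date], audit_date: date, window_days: int) -> bool:
    """True if d exists and falls within window_days before the audit date."""
    return d is not None and 0 <= (audit_date - d).days <= window_days


def find_tier1_exceptions(vendors: List[Vendor], audit_date: date,
                          window_days: int = 365) -> Dict[str, List[str]]:
    """Step 8: map each failing Tier 1 vendor to the list of evidence gaps found."""
    exceptions: Dict[str, List[str]] = {}
    for v in vendors:
        if v.tier != 1:
            continue
        findings = []
        # Step 5: refreshed questionnaire inside the 12-month window
        if not _within_window(v.questionnaire_date, audit_date, window_days):
            findings.append("questionnaire missing or older than 12 months")
        # Step 6: certifications on file and still valid at the audit date
        if not v.certs:
            findings.append("no certification evidence on file")
        for cert, (_issued, expires) in v.certs.items():
            if expires < audit_date:
                findings.append(f"{cert} expired on {expires.isoformat()}")
        # Step 7: security rating reviewed by staff inside the window
        if not _within_window(v.rating_review_date, audit_date, window_days):
            findings.append("security rating not reviewed in last 12 months")
        if findings:
            exceptions[v.name] = findings
    return exceptions


def sample_size(tier1_count: int, minimum: int = 10) -> int:
    """Step 4: at least 10 vendors, or 100% of the population if fewer than 10 exist."""
    return min(tier1_count, minimum)


def control_passes(vendors: List[Vendor], audit_date: date) -> bool:
    """Pass criteria: 100% of Tier 1 vendors have complete, current reassessments."""
    return not find_tier1_exceptions(vendors, audit_date)


if __name__ == "__main__":
    tier1 = [v for v in VENDORS if v.tier == 1]
    print(f"Tier 1 population: {len(tier1)}, sample size: {sample_size(len(tier1))}")
    for name, gaps in find_tier1_exceptions(VENDORS, AUDIT_DATE).items():
        print(f"EXCEPTION {name}: " + "; ".join(gaps))
    print("Control passes:", control_passes(VENDORS, AUDIT_DATE))
```

The check treats any missing date as a failure rather than skipping it, so a vendor with no rating review on record is reported instead of silently passing; the expiry comparison is against the audit date, not the reassessment date, which is what the pass criteria require.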