Do you review and approve material sub-processors (vendor of your vendor) before they handle your data?
Demonstrate that the organization identifies, evaluates, and formally approves all material sub-processors prior to those entities gaining access to organizational data through primary vendor relationships.
Description
What this control does
This control requires organizations to establish and enforce a formal review and approval process for material sub-processors—third parties engaged by primary vendors to handle, store, or process organizational data. Before a vendor may onboard a sub-processor with access to sensitive or regulated data, the organization must assess the sub-processor's security posture, data handling practices, compliance status, and alignment with contractual obligations. This prevents unauthorized data flows to unknown entities and ensures the organization maintains visibility and control over its data throughout the supply chain.
Control objective
What auditing this proves
Demonstrate that the organization identifies, evaluates, and formally approves all material sub-processors prior to those entities gaining access to organizational data through primary vendor relationships.
Associated risks
Risks this control addresses
- Unauthorized data transfer to sub-processors in jurisdictions with weak privacy protections or adverse legal frameworks
- Introduction of sub-processors with inadequate security controls, leading to data breaches or unauthorized access
- Non-compliance with data protection regulations (GDPR, CCPA, HIPAA) due to unapproved cross-border data flows or processor chains
- Loss of contractual protections and liability assignments when sub-processors operate outside the scope of negotiated agreements
- Supply chain attacks exploiting vulnerabilities in unvetted sub-processors to pivot into the organization's environment
- Data integrity or availability failures when sub-processors lack disaster recovery, backup, or redundancy capabilities
- Reputational damage and regulatory penalties from incidents involving unknown or inadequately controlled sub-processors
Testing procedure
How an auditor verifies this control
- Obtain the organization's third-party risk management policy and identify the documented sub-processor review and approval procedure.
- Request a complete inventory of primary vendors authorized to handle organizational data, including contract execution dates and data classification levels.
- For each primary vendor in scope, request disclosed lists of material sub-processors, including sub-processor names, locations, and services provided.
- Select a sample of at least five material sub-processors and retrieve approval records, risk assessments, and supporting due diligence documentation.
- Review each sampled sub-processor approval for evidence of security assessment, data flow analysis, jurisdiction review, and documented decision by appropriate authority.
- Verify that sub-processor approvals occurred prior to data processing commencement by comparing approval dates with contract effective dates or service logs.
- Interview procurement and legal personnel to confirm the process for vendor notification requirements when sub-processors are added or changed.
- Test one recent sub-processor change event by tracing the notification, review, and approval workflow from vendor disclosure through final authorization.