Do you use a continuous security-rating service (BitSight, SecurityScorecard, UpGuard) for Tier 1 vendors?
Description
What this control does
This control requires the organization to subscribe to and actively utilize a third-party continuous security rating service (such as BitSight, SecurityScorecard, UpGuard, or similar) to monitor the cybersecurity posture of Tier 1 vendors—those critical to business operations or handling sensitive data. These services aggregate external threat intelligence, scan for vulnerabilities, analyze public-facing infrastructure, and provide dynamic risk scores based on observable security behaviors. Continuous monitoring enables real-time detection of vendor security degradation, breach indicators, or configuration weaknesses that may not surface during point-in-time assessments, thereby supporting proactive third-party risk management.
Control objective
What auditing this proves
Demonstrate that the organization continuously monitors the external security posture of Tier 1 vendors using an automated security rating platform, and that findings inform risk management decisions.
Associated risks
Risks this control addresses
- Tier 1 vendor compromise goes undetected between annual assessments, allowing attackers to pivot into the organization's environment through trusted integrations
- Vendors suffer security degradation (e.g., expired certificates, exposed databases, malware infections) without triggering contractual breach notifications or remediation workflows
- Supply chain attacks leverage vendor infrastructure weaknesses not visible through self-assessments or questionnaires alone
- Inadequate visibility into vendor patching cadence and vulnerability management practices increases the attack surface inherited from third parties
- Public-facing vendor assets experience misconfigurations, data leaks, or exposed credentials that create immediate exploitation pathways
- Lack of real-time vendor security intelligence prevents timely incident response coordination when vendors are actively compromised
- Tier 1 vendor selection and retention decisions rely on outdated point-in-time data rather than current security performance trends
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's Tier 1 vendor inventory, including vendor names, criticality classifications, and data access privileges.
- Verify active subscription to at least one continuous security rating service by requesting account access credentials, license documentation, or platform screenshots showing current subscription status.
- Log into the security rating platform and confirm that all identified Tier 1 vendors are enrolled for continuous monitoring, capturing screenshots of the monitored vendor portfolio.
- Select a sample of 5-10 Tier 1 vendors and review their current security ratings, historical score trends, and identified security issues within the platform.
- Request documentation of thresholds, policies, or procedures that define how security rating alerts trigger vendor risk reviews, remediation requests, or escalation workflows.
- Interview vendor risk management personnel to understand how security rating data integrates into vendor onboarding, periodic reviews, contract renewals, and incident response protocols.
- Review evidence of at least three instances within the past 12 months where security rating findings led to documented vendor engagement, remediation tracking, or risk acceptance decisions.
- Validate that security ratings are refreshed at intervals consistent with the service's capabilities (daily, weekly, or continuously) by examining timestamp metadata for monitored vendors.