SA-9 / CA-7 / A.15.1.1 NIST SP 800-53 Rev 5

Third-party app review process

Demonstrate that all third-party applications undergo documented security review and approval prior to integration with organizational systems or access to sensitive data.

Description

What this control does

A third-party app review process evaluates external applications before they are granted access to organizational systems, data, or APIs. The control consists of formal vetting procedures that assess the permissions an application requests, the vendor's security posture, its data-handling practices, and its compliance with organizational policies. It reduces the risk of unauthorized data exposure and supply-chain compromise by ensuring that only vetted applications are permitted to integrate with production environments.

Control objective

What auditing this proves

Demonstrate that all third-party applications undergo documented security review and approval prior to integration with organizational systems or access to sensitive data.

Associated risks

Risks this control addresses

  • Malicious or compromised third-party applications exfiltrate sensitive organizational or customer data through overly permissive API access
  • Applications with inadequate security controls introduce vulnerabilities exploitable by external attackers
  • Lack of vendor due diligence results in integration with applications from financially unstable or non-compliant providers
  • Third-party apps bypass data loss prevention controls by accessing data through API channels not covered by traditional DLP
  • Excessive OAuth scopes or permissions grant third-party apps access beyond business necessity, violating least privilege
  • Unauthorized shadow IT applications connect to corporate systems without security team visibility or control
  • Applications failing to meet compliance requirements (GDPR, HIPAA, SOC 2) introduce regulatory violations through data sharing

Testing procedure

How an auditor verifies this control

  1. Obtain the formal third-party application review policy and approval workflow documentation, including criteria for security assessment and approval authority designation
  2. Retrieve a list of all third-party applications currently integrated with organizational systems, including SaaS integrations, API connections, and OAuth-authorized apps
  3. Select a representative sample of 10-15 applications spanning different risk tiers, data access levels, and integration types
  4. For each sampled application, review the approval documentation including security assessment forms, vendor questionnaires, risk rating, and formal approval records
  5. Verify that security reviews include evaluation of requested permissions, data handling practices, vendor security certifications, and alignment with organizational data classification policies
  6. Identify applications onboarded within the audit period and confirm pre-approval evidence exists with timestamps predating production integration or access grants
  7. Test access controls by reviewing OAuth scopes, API permissions, or integration configurations to confirm alignment with approved access levels documented in review records
  8. Interview application owners and security reviewers to validate the operational effectiveness of the review process and identify any bypass mechanisms or exceptions
Evidence required

Policy documents defining third-party app review procedures, approval workflows, and security criteria. For sampled applications: completed security assessment forms, vendor security questionnaires (VSQ/SIG), approval emails or tickets with timestamps, OAuth scope listings or API permission configurations, and integration architecture diagrams. Access logs or provisioning records demonstrating that the review and approval timestamps predate integration.

Pass criteria

All sampled third-party applications have documented security reviews completed prior to approval and in accordance with policy requirements, with evidence of risk assessment, formal approval by the designated authority, and implemented access controls matching the approved permissions.
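Steps 6 and 7 of the testing procedure (pre-approval evidence predating the grant, and granted scopes matching the approved scopes) are the two checks an auditor can automate when the identity provider's application inventory and the review system's approval register can both be exported. The script below is an added example and not part of the control text or any vendor's tooling; the export format, the field names (`client_id`, `scopes`, `granted_at`, `approved_scopes`, `approved_at`, `approver`) and all app records are constructed for illustration, since real exports differ by identity provider and ticketing system.

```python
"""Reconcile OAuth-authorized third-party apps against the approval register.

Constructed example: the inventory and register below are invented and the
field names are assumptions standing in for whatever the real exports carry.
"""
from datetime import datetime

# Constructed sample: enterprise-app inventory exported from the identity provider.
GRANTED_APPS = [
    {"client_id": "app-crm-sync", "scopes": ["contacts.read", "calendar.read"],
     "granted_at": "2024-03-04T10:15:00+00:00"},
    {"client_id": "app-expense-bot", "scopes": ["mail.read", "mail.send", "files.readwrite"],
     "granted_at": "2024-05-20T08:00:00+00:00"},
    {"client_id": "app-slides-helper", "scopes": ["files.read"],
     "granted_at": "2024-06-01T09:30:00+00:00"},
    {"client_id": "app-unknown-widget", "scopes": ["directory.read"],
     "granted_at": "2024-06-11T14:45:00+00:00"},
]

# Constructed sample: approval register exported from the review workflow / ticketing system.
APPROVALS = {
    "app-crm-sync": {"approved_scopes": ["contacts.read", "calendar.read"],
                     "approved_at": "2024-02-28T16:00:00+00:00", "approver": "sec-review-lead"},
    "app-expense-bot": {"approved_scopes": ["mail.read", "files.read"],
                        "approved_at": "2024-05-15T11:00:00+00:00", "approver": "sec-review-lead"},
    "app-slides-helper": {"approved_scopes": ["files.read"],
                          "approved_at": "2024-06-03T12:00:00+00:00", "approver": ""},
}


def reconcile(granted, approvals):
    """Return (client_id, finding, detail) tuples; an empty list means every app passes.

    Findings map to the testing procedure: NO_APPROVAL_RECORD (shadow IT, step 2/4),
    SCOPES_EXCEED_APPROVAL (step 7), APPROVAL_POSTDATES_GRANT (step 6),
    NO_DESIGNATED_APPROVER (approval authority, step 1/4).
    """
    findings = []
    for app in granted:
        cid = app["client_id"]
        approval = approvals.get(cid)
        if approval is None:
            # Integrated with no review record at all: nothing else can be checked.
            findings.append((cid, "NO_APPROVAL_RECORD", sorted(app["scopes"])))
            continue

        # Least privilege: every granted scope must appear in the approved set.
        # Scopes approved but never granted are not a finding.
        excess = sorted(set(app["scopes"]) - set(approval["approved_scopes"]))
        if excess:
            findings.append((cid, "SCOPES_EXCEED_APPROVAL", excess))

        # Pre-approval evidence: the approval timestamp must predate the grant.
        granted_at = datetime.fromisoformat(app["granted_at"])
        approved_at = datetime.fromisoformat(approval["approved_at"])
        if approved_at > granted_at:
            findings.append((cid, "APPROVAL_POSTDATES_GRANT",
                             f"approved {approved_at.date()} after grant {granted_at.date()}"))

        # Formal approval requires a named approver, not just a closed ticket.
        if not approval.get("approver"):
            findings.append((cid, "NO_DESIGNATED_APPROVER", None))
    return findings


def passes(granted, approvals):
    """True when the sample meets the pass criteria (no findings)."""
    return not reconcile(granted, approvals)


if __name__ == "__main__":
    for cid, finding, detail in reconcile(GRANTED_APPS, APPROVALS):
        print(f"{cid:22} {finding:26} {detail}")
```

Run against the constructed data, the script flags the expense bot for two scopes beyond its approval, the slides helper for an approval dated after the grant and for a missing approver, and the unknown widget for having no review record at all; only the CRM sync app passes. Timestamps are compared as timezone-aware datetimes, so exports in different zones compare correctly as long as each carries an offset.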