gov-4 | High priority | Governance and Training

Third-party vendors are required to meet minimum security standards

Your security posture is only as strong as the weakest vendor with access to your systems or data. Third-party breaches regularly expose customer data through SaaS tools, managed service providers, and software dependencies. Requiring vendors to meet minimum security standards does not guarantee that they are secure, but it establishes accountability, gives you a contractual basis for remediation requests, and reduces your exposure to the weakest-link problem.

Complete first: gov-1

Implementation steps

  1. Build a vendor inventory and tier vendors by risk

     List every vendor that has access to your systems, data, or network, including SaaS tools, managed service providers, and contractors with accounts. Tier them by risk: critical vendors handle sensitive data or have deep system access (for example, production credentials, network connectivity, or administrative SaaS roles); standard vendors have limited exposure; low-risk vendors have no meaningful access. Your due-diligence rigor should match the tier. Maintain the inventory as a living record: add vendors at onboarding, re-tier them when their access changes, and remove access when the relationship ends.

     Suggested tools: vanta, drata, secureframe, whistic, onspring

  2. Require security attestations or assessments for critical vendors

     For critical vendors, require a SOC 2 Type II report, an ISO 27001 certificate, or completion of a security questionnaire. A self-completed questionnaire is weaker evidence than an audited report, so prefer the report where the vendor has one. When reviewing a SOC 2 report, confirm that the audit period and system scope cover the services you actually use, read the auditor's opinion, and review any exceptions that are relevant to your use of the vendor; if the audit period has lapsed, ask for a bridge letter. For an ISO 27001 certificate, confirm the certified scope includes the relevant services. Set a cadence for re-assessment, typically annually. For new vendors, complete this review before granting access to production systems or sensitive data.

     Suggested tools: vanta, whistic, caiq, shared-assessments, drata

  3. Include security requirements in vendor contracts

     Ensure vendor contracts include minimum security requirements: a defined breach-notification window, data handling and retention obligations, restrictions on subprocessors (including notice before a new one is added), and a right to audit or to request assessment evidence. Work with legal to create standard security addendum language that is applied to all critical vendor agreements, so requirements do not depend on case-by-case negotiation. Review contracts at renewal to ensure the requirements still match the vendor's current access and your current obligations.

     Suggested tools: docusign, ironclad, legalesign, confluence, google-docs

Evidence required

Vendor inventory and assessment records

Evidence that vendors have been inventoried, tiered, and assessed against minimum security standards.

  • Vendor inventory with risk tier assignments
  • SOC 2 reports or security questionnaire responses from critical vendors
  • Vendor contract showing the security requirements clause

Related controls