AuditRubric
gv-sc-7 | high | Govern / Cybersecurity Supply Chain Risk Management

Risks from suppliers are assessed, monitored, and responded to throughout the relationship

A vendor that passed its security review two years ago may look very different today: it may have suffered a breach, changed its architecture, been acquired, or let certifications lapse. Ongoing monitoring keeps your understanding of vendor risk current instead of frozen at the state observed during onboarding.

Estimated effort: 6h
Tags: supply-chain, vendor-monitoring, third-party-risk, ongoing-assessment
Complete first: gv-sc-4

Implementation steps

  1. Establish a recurring vendor review schedule based on risk tier

    Critical vendors: annual full reassessment, including questionnaire review and a current SOC 2 report or equivalent attestation. High-risk vendors: annual questionnaire review. Medium-risk vendors: biennial review. Set calendar reminders and assign a named owner for each review so that reviews do not slip simply because nobody remembered.

    Tools: jira, servicenow, google-calendar
  2. Monitor for vendor security events between reviews

    Subscribe to breach-notification services or news feeds for your critical vendors, and use a security rating service to get alerts on significant changes to a vendor's security posture. When a vendor discloses a breach or a critical CVE affecting their product, trigger an out-of-cycle review rather than waiting for the next scheduled one.

    Tools: securityscorecard, bitsight, recorded-future, feedly
  3. Track and respond to identified vendor risks

    When a review or monitoring alert surfaces a risk, open a tracking item that records the chosen response: request a remediation plan from the vendor, add a compensating control on your side, accept the risk with documented rationale, or begin exit planning. Do not leave identified vendor risks untracked.

    Tools: jira, servicenow, notion
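The three steps above amount to a small scheduling rule: each vendor's next review is its last full review plus the cadence for its tier, a never-reviewed vendor is due immediately, and a security event seen between reviews jumps the queue regardless of the calendar. The script below is an added example written for this page, not tooling from AuditRubric or from any of the products named above. It assumes 365 days for "annual", 730 for "biennial" and a 30-day reminder window; the vendor names, owners and dates in the sample register are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review cadence per risk tier, following step 1: critical and high-risk vendors are
# reviewed annually, medium-risk vendors biennially. The day counts are an assumption
# of this example, as is the 30-day "due soon" reminder window.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730}
DUE_SOON_WINDOW = timedelta(days=30)


@dataclass
class Vendor:
    name: str
    tier: str                          # "critical", "high" or "medium"
    owner: str                         # person accountable for running the review
    last_full_review: Optional[date]   # None = never reviewed since onboarding
    # Security events seen since the last review (breach disclosure, critical CVE,
    # acquisition, lapsed certification). Any entry forces an out-of-cycle review.
    open_events: List[str] = field(default_factory=list)


def next_review_due(vendor: Vendor) -> Optional[date]:
    """Scheduled due date from the tier cadence; None means a review is owed now."""
    if vendor.tier not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"{vendor.name}: unknown risk tier {vendor.tier!r}")
    if vendor.last_full_review is None:
        return None
    return vendor.last_full_review + timedelta(days=REVIEW_INTERVAL_DAYS[vendor.tier])


def review_status(vendor: Vendor, today: date) -> str:
    """Classify a vendor as event-triggered, overdue, due-soon or ok."""
    # Step 2: a disclosed breach or critical CVE overrides the calendar entirely.
    if vendor.open_events:
        return "event-triggered"
    due = next_review_due(vendor)
    if due is None or due <= today:
        return "overdue"
    if due - today <= DUE_SOON_WINDOW:
        return "due-soon"
    return "ok"


_PRIORITY = {"event-triggered": 0, "overdue": 1, "due-soon": 2, "ok": 3}


def review_queue(vendors: List[Vendor], today: date) -> List[Tuple[str, str, Optional[date], str]]:
    """Reviewer work queue as (name, status, due date, owner), most urgent first."""
    rows = [(v.name, review_status(v, today), next_review_due(v), v.owner) for v in vendors]
    # Never-reviewed vendors (due=None) sort ahead of merely overdue ones.
    return sorted(rows, key=lambda r: (_PRIORITY[r[1]], r[2] or date.min))


# Constructed sample register; names, owners and dates are made up for this example.
SAMPLE_REGISTER = [
    Vendor("Acme Cloud", "critical", "alice", date(2024, 3, 15)),
    Vendor("PayCo", "high", "bob", date(2024, 9, 1), open_events=["breach disclosed 2025-05-20"]),
    Vendor("Widget SaaS", "medium", "carol", date(2023, 8, 10)),
    Vendor("DocTool", "high", "dave", date(2024, 6, 20)),
    Vendor("NewVendor", "critical", "erin", None),
]

if __name__ == "__main__":
    for name, status, due, owner in review_queue(SAMPLE_REGISTER, date(2025, 6, 1)):
        print(f"{status:16} {name:12} due={due} owner={owner}")
```

Run on 2025-06-01 the queue puts PayCo first because of its open breach event, then the never-reviewed NewVendor, then Acme Cloud whose annual review lapsed in March, then DocTool which falls due within the reminder window. The output of `review_queue` is exactly the "last review date and outcome" view the evidence section below asks for, so writing it to the issue tracker on a schedule doubles as the audit record.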

Evidence required

Ongoing vendor review records

Evidence that critical and high-risk vendors are reviewed on a scheduled basis after initial onboarding.

  • Annual vendor reassessment reports for critical suppliers
  • Calendar of completed vendor reviews with dates and outcomes
  • Vendor risk tracker showing last review date for each supplier

Vendor risk remediation tracking

Records showing that risks identified in vendor reviews were tracked to resolution or documented risk acceptance.

  • Open vendor risk items in the risk register or issue tracker
  • Vendor remediation plan received and tracked
  • Risk acceptance memo for a vendor risk that could not be immediately remediated

Related controls