AuditRubric
id-ra-10 high Identify / Risk Assessment

Critical suppliers are assessed prior to acquisition

Bringing a new critical supplier into your environment is a risk event that deserves the same scrutiny you would apply to any significant architectural decision. A supplier with weak security practices can become your breach vector. Assessing them before signing means you negotiate from a position of information rather than discovering problems after you are already dependent on them.

Estimated effort: 6h
supply-chain · vendor-assessment · procurement · third-party-risk · due-diligence
Complete first: id-ra-9

Implementation steps

  1. Define which suppliers require pre-acquisition assessment

    Not every vendor needs a full security assessment before you sign up. Define the threshold: any vendor with access to customer data, any vendor with production system access, any vendor providing security-critical services, and any vendor processing payment data. Below that threshold, a lighter review (DPA review and basic questionnaire) is sufficient.

  2. Conduct pre-acquisition security assessments

    For suppliers meeting the threshold, send a security questionnaire covering: access controls, encryption practices, vulnerability management, incident response, data retention and deletion, and third-party assessments they have undergone. For critical suppliers, request a recent SOC 2 Type II report, ISO 27001 certificate, or equivalent. Review responses critically, not just for completeness.

    Whistic · Panorays · OneTrust · ServiceNow

  3. Make the assessment outcome a condition of procurement approval

    Security assessment results should be a required input to procurement decisions for in-scope suppliers. A failing assessment can result in: rejection of the vendor, requirement to remediate specific gaps before contract signing, or acceptance with documented compensating controls and risk sign-off by the appropriate authority.

    Jira · ServiceNow

Evidence required

Pre-acquisition vendor security assessments

Completed security assessments for suppliers in scope, conducted before contracts were signed.

  • Completed vendor security questionnaire dated prior to contract signing
  • SOC 2 or ISO 27001 report review for a critical vendor, conducted pre-contract
  • Vendor security assessment approval record in the procurement workflow

Assessment outcome integrated into procurement decisions

Records showing that assessment outcomes influenced the procurement decision, not just that assessments were filed.

  • Procurement approval showing security sign-off as a required field
  • Vendor rejection or conditional approval based on assessment findings
  • Risk acceptance memo for a vendor approved despite open findings

Related controls