cc9-2 High priority Security / Risk Mitigation

Third-party vendor risk is assessed and managed

Your security posture is only as strong as the vendors and partners you rely on. Data breaches frequently originate from third-party providers who have access to your environment or data. This criterion requires that vendor risk is formally assessed before onboarding new vendors and reviewed periodically, particularly for vendors with access to sensitive data or critical systems.

Complete first: cc3-2

Implementation steps

  1. Maintain a vendor inventory with risk classification

     Create a list of all vendors and subprocessors that have access to customer data or that provide critical infrastructure for your service. Classify each by risk: high (direct access to customer data or production systems), medium (business systems with indirect access), low (no access to sensitive data). Focus security review effort on high-risk vendors.

     Tools: Notion, Google Sheets, Confluence, Vanta
  2. Conduct security assessments for high-risk vendors

     Before onboarding a high-risk vendor, review their security posture: do they have a SOC 2 report, ISO 27001 certification, or similar? Review their security questionnaire responses. Understand what data they will have access to and under what conditions. Establish contractual requirements: data processing agreements, breach notification timelines, and security obligations.

     Tools: Vanta, Whistic, Secureframe, Google Docs
  3. Review high-risk vendor compliance annually

     Vendor security posture changes over time. For high-risk vendors, collect and review their SOC 2 report or equivalent annually. Verify that they still meet your requirements. Update your vendor risk register with the review date and findings. Establish a process to handle vendor notification of security incidents.

     Tools: Notion, Google Sheets, Vanta

Evidence required

Vendor inventory

A list of third-party vendors with risk classifications.

  • Vendor inventory spreadsheet with risk tier and data access columns
  • Subprocessor list from Vanta or compliance platform
  • Third-party risk register

Vendor security assessments

Evidence that high-risk vendors have been assessed.

  • Vendor SOC 2 reports collected and reviewed
  • Security questionnaire responses from high-risk vendors
  • Data processing agreements with key vendors

Related controls