Vendor assessment is mentioned in ISO 27001 under supplier relationship sector (item A.15.1 and A.15.2 in Annex A, page 19)
The goal of Vendor Assessment Program is assessing the security controls a.k.a safeguards surrounding your organization’s information in other vendors’ systems. These vendors may access, collect, use, process, store, transmit or destroy your information on your organization behalf or provide IT infrastructure components for your organization.
These vendors must show and support the implementation of appropriate controls in order to safeguard three mandatory elements of all infosec systems: Confidentiality, Integrity and finally Availability.
Vendor Assessment Program is a kind of internal program to make sure that your vendors operate in a dependable, acceptable and persistent way to comply with your organization’s policies and procedures on infosec and privacy. They should prove that they are consistent with the scope, type, classification, and sensitivity of your information.
The Vendor Assessment Program may satisfies different standard, best practices or regulations’ requirements such as PCI DSS, HIPAA, California Electronic Communications Privacy Act (CalECPA) and so on.
The assessment process may have the following steps:
- Meeting with vendors
- Review of scope of services and location of the vendor to check compliance with local regulations
- Identification and evaluation of the type of data which is involved
- Review of contracts, nondisclosure agreements and/or partnership agreements
- Ask the vendor to fill out data-gathering questionnaire to find the level of maturity of the security management system of the vendor
- Evaluation of data-gathering questionnaires and investigation to evaluate and assess the risk of partnership
- Detailed review of vendors security program i.e. policies, procedures, and standard documents (if needed)
- Monitor, review and audit the vendor (if needed) in order to check if they follow their written policies and procedures
- Report the observations and re-assess the risk