Link to home
Start Free TrialLog in
Avatar of Goraps
GorapsFlag for Canada

asked on

Vendor Control Assessment

Looking for guidence on how to answer the following questions.. We are a small / medium company.

  1. Does your company have a written information security program designed to protect the confidentiality, integrity and availability of our information?  If the answer is yes, please note in the adjacent box whether it is recognized by any professional certification such as ISO27001, PCI-DSS AOC, SOC Type II reports, and if so, which one(s).

  1. Does your company have established controls for assessing and ongoing oversight of the adequacy of your own partners’ / suppliers’ IT Security postures? (Note - Leaning on contractual language / provisions is not the same.)  

  1. Does your company have a formalized, documented Corporate Incident Response policy and a formalized Breach Notification process?  
  2. We do not ....what is the best way to write one up?
Avatar of kenfcamp
Flag of United States of America image

what is the best way to write one up?

The best way?
By contacting a lawyer who specializes in those types of agreements/contracts

This will maximize your protection, protect your partners and limit your exposure due to missed items and improper language
Avatar of btan

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial