Vendor Control Assessment

Goraps asked
Last Modified: 2020-02-28
Looking for guidance on how to answer the following questions. We are a small / medium company.

  1. Does your company have a written information security program designed to protect the confidentiality, integrity and availability of our information? If the answer is yes, please note in the adjacent box whether it is recognized by any professional certification such as ISO27001, PCI-DSS AOC, SOC Type II reports, and if so, which one(s).

  2. Does your company have established controls for assessing and ongoing oversight of the adequacy of your own partners' / suppliers' IT Security postures? (Note - Leaning on contractual language / provisions is not the same.)

  3. Does your company have a formalized, documented Corporate Incident Response policy and a formalized Breach Notification process?

We do not ... what is the best way to write one up?
Commented:
what is the best way to write one up?

The best way?
By contacting a lawyer who specializes in those types of agreements/contracts.

This will maximize your protection, protect your partners and limit your exposure due to missed items and improper language.
Exec Consultant
Commented:

1. This expects that you have an IT security policy and that it has been audited or proven to follow the standards listed. SOC 2 Type 2 attests to a point-in-time independent audit conducted against a set of trust services criteria to demonstrate the claims of ensuring the CIA triad and privacy. If you have no policy to start with, then this is the first step to get the security governance regime going. CIS has categorised various critical controls from basic to foundational and eventually organisational. You should target to achieve all, but as an SME aim for small wins with the basic controls to get the regime going, then progress on to the foundational controls to put in technical controls, and plan the organisational piece in the long term. You need a team of IT security folks, or at least one whom you can entrust as CISO.

https://www.cisecurity.org/controls/cis-controls-list/

https://www.experts-exchange.com/articles/17367/What-is-a-good-Security-Action-Plan.html

2. The CIS controls on administrative privileges, data protection, need-to-know basis access, and account and log monitoring of user activity are applicable. One reference you can consider is NIST SP800-171.

https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0

3. Incident handling and breach declaration will resonate with SMEs in reference to the guidance from NIST SP800-61 and the EE article:

https://www.nist.gov/itl/smallbusinesscyber/responding-cyber-incident

https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final#pubs-abstract-header

https://www.experts-exchange.com/articles/28821/What's-in-an-Incident-Response-Plan.html

Data Breach Response: A Guide for Business (Federal Trade Commission) – addresses the steps to take once a breach has occurred

Recovering from a Cybersecurity Incident (Manufacturing Extension Partnership) – geared towards small manufacturers; a presentation about best practices that use the Incident Response Lifecycle to provide guidance on recovering from and preventing cybersecurity incidents