Avatar of Goraps
Goraps
Flag for Canada asked on

Vendor Control Assessment

Looking for guidence on how to answer the following questions.. We are a small / medium company.

  1. Does your company have a written information security program designed to protect the confidentiality, integrity and availability of our information?  If the answer is yes, please note in the adjacent box whether it is recognized by any professional certification such as ISO27001, PCI-DSS AOC, SOC Type II reports, and if so, which one(s).

  1. Does your company have established controls for assessing and ongoing oversight of the adequacy of your own partners’ / suppliers’ IT Security postures? (Note - Leaning on contractual language / provisions is not the same.)  

  1. Does your company have a formalized, documented Corporate Incident Response policy and a formalized Breach Notification process?  
  2. We do not ....what is the best way to write one up?
ITIL* iso27001Security

Avatar of undefined
Last Comment
btan

8/22/2022 - Mon
kenfcamp

what is the best way to write one up?

The best way?
By contacting a lawyer who specializes in those types of agreements/contracts

This will maximize your protection, protect your partners and limit your exposure due to missed items and improper language
ASKER CERTIFIED SOLUTION
btan

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy