Sector 6 – Vendor and Third-Party Management

Vendor and third-party management involves assessing and managing external vendors and service providers to ensure that they meet the necessary cybersecurity standards and do not pose risks to the organisation’s security. This includes conducting regular audits, reviewing vendor security practices, and establishing clear contract clauses that enforce cybersecurity requirements. By effectively managing third-party relationships, organisations can mitigate the risk of data breaches and security incidents originating from external sources.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 6.1: Identify and Review Critical Third-Party Vendors

Does your enterprise identify and assess the third-party vendors that have access to your critical systems and data?
Example: List all external vendors with access to sensitive data or critical services and review their services to ensure they are necessary for your operations.

Measure 6.2: Assess Vendor Security Practices

Does your enterprise assess the security practices of third-party vendors before entering into contracts?
Example: Before onboarding a new vendor, ask for documentation on their security policies, including their data protection measures and incident response procedures.

Measure 6.3: Establish Basic Vendor Contracts with Security Clauses

Does your enterprise include basic security clauses in vendor contracts that require the vendor to meet certain cybersecurity standards?
Example: Include a clause in contracts that requires vendors to notify you in the event of a data breach and mandate that they comply with basic security protocols, such as encrypting sensitive data.

Measure 6.4: Perform Annual Vendor Risk Reviews

Does your enterprise review vendor security risks at least annually to ensure they continue to meet your security standards?
Example: Conduct a yearly review of your critical vendors, checking their compliance with security policies and reviewing any changes in their service or security protocols.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 6.5: Perform Security Audits on Key Vendors

Does your enterprise regularly audit third-party vendors that manage or access sensitive data to assess their security measures?
Example: Conduct an annual security audit on key vendors, requesting evidence of their security practices, including their latest security certifications like ISO 27001.

Measure 6.6: Implement Vendor Security Questionnaires

Does your enterprise use detailed security questionnaires to assess the security posture of potential vendors?
Example: Create a security questionnaire covering topics such as encryption, data access control, and incident management, and require potential vendors to complete this questionnaire before signing a contract.

Measure 6.7: Include Comprehensive Security Clauses in Contracts

Does your enterprise include comprehensive security clauses in contracts with third-party vendors that outline expectations around data security, privacy, and breach notification?
Example: Ensure that contracts stipulate the vendor’s responsibilities for data encryption, compliance with relevant data protection laws (for example, GDPR), and a clear incident response plan in case of a breach.

Measure 6.8: Implement a Vendor Risk Management Programme

Does your enterprise have a formal vendor risk management programme in place that assesses and mitigates risks posed by third-party vendors?
Example: Use a risk management framework such as NIST to assess each vendor’s security posture, and regularly review and mitigate identified risks.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 6.9: Implement Ongoing Continuous Monitoring of Vendor Security

Does your enterprise monitor vendor security continuously, using automated tools to detect changes or issues that may impact the security of your systems or data?
Example: Implement continuous monitoring tools like CyberGRX or VendorRisk to assess your vendors’ security posture regularly and receive alerts if security standards change or if new risks are detected.

Measure 6.10: Enforce Incident Response Collaboration with Vendors

Does your enterprise ensure that your vendors have a defined and agreed-upon incident response plan that includes collaboration with your internal security team in the event of a security breach?
Example: Include detailed incident response protocols in contracts that ensure vendors notify you immediately in the event of a security incident and provide timely information regarding the breach’s impact.

Measure 6.11: Establish Formal Third-Party Risk Assessment Process

Does your enterprise have a formal process for conducting third-party risk assessments before, during, and after a vendor’s engagement with your organisation?
Example: Implement a formal risk assessment process that includes background checks, a security evaluation before onboarding, and a post-engagement review of vendor performance, compliance, and security metrics.

Measure 6.12: Maintain a Centralised Vendor Risk Register

Does your enterprise maintain a centralised register or database to track all third-party vendors, including risk profiles, security assessments, and contract details?
Example: Use a vendor management system (e.g., Aravo or LogicGate) to maintain a record of all vendor-related risk assessments, contract renewals, and performance audits, ensuring that security risks are documented and mitigated.

———————————————————————————————————