
Vendor Security Assessment SOP

Sub-procedure for Operate pillar managed services - Third-party security assessment

Service Pillar: Operate
Service Category: Vendor Risk Management
Parent SOP: VRM Program SOP
Engagement Type: Assessment / Annual Review


Overview

Comprehensive security assessment of third-party vendors to evaluate their security posture, identify risks, and ensure they meet organizational security requirements. This procedure covers the assessment process from questionnaire distribution through findings remediation and risk acceptance decisions.

Scope

Pillar: Operate (Managed Services)
Service Area: Vendor Risk Management - Assessment

In Scope

  • Security questionnaire assessment
  • Documentation review (SOC 2, ISO 27001, etc.)
  • Technical security evaluation
  • Subcontractor/fourth-party assessment
  • Finding identification and risk rating
  • Remediation tracking
  • Risk acceptance process

Out of Scope

  • Penetration testing of vendor systems
  • On-site audits (separate engagement)
  • Contract negotiation
  • Vendor selection/procurement decisions

Prerequisites

  • Vendor identified for assessment
  • Risk tier assigned (per VRM Program SOP)
  • Vendor contact information
  • Scope of services documented
  • Data classification for vendor access
  • Assessment timeline agreed
  • Security requirements documented

Procedure

Step 1: Assessment Scoping

Objective: Define assessment scope based on vendor risk tier

Tier-Based Assessment Scope:

| Tier | Questionnaire | Documentation | Technical | Duration |
|------|---------------|---------------|-----------|----------|
| 1 | Full SIG/CAIQ | SOC 2, pen test, etc. | Architecture review | 3-4 weeks |
| 2 | Standard SIG | SOC 2 or ISO | Network diagram | 2-3 weeks |
| 3 | Abbreviated | Self-attestation | None | 1-2 weeks |
| 4 | Basic only | N/A | None | <1 week |

Scoping Activities:

1. Confirm vendor risk tier
2. Identify data types accessed
3. Document system integration points
4. Determine regulatory requirements
5. Select appropriate questionnaire
6. Define documentation requirements
7. Set assessment timeline

Scope Documentation:

- [ ] Vendor name and services
- [ ] Data classification
- [ ] Integration architecture
- [ ] Applicable regulations
- [ ] Assessment components
- [ ] Key contacts
- [ ] Timeline and milestones

Duration: 2-4 hours

Step 2: Questionnaire Distribution

Objective: Collect security posture information from vendor

Questionnaire Options:

| Questionnaire | Use Case | Questions |
|---------------|----------|-----------|
| SIG Core | Tier 1-2, comprehensive | ~200-300 |
| SIG Lite | Tier 2-3, streamlined | ~70-100 |
| CAIQ | Cloud services | ~200+ |
| Custom | Specific requirements | Variable |
| Self-attestation | Tier 3-4, low risk | ~20-30 |

Distribution Process:

1. Prepare questionnaire with pre-filled context
2. Draft introduction email
3. Set response deadline (typically 2-3 weeks)
4. Provide vendor contact for questions
5. Send questionnaire
6. Track receipt confirmation
7. Send reminder at midpoint
8. Follow up on overdue responses

Questionnaire Domains:

- [ ] Information Security Governance
- [ ] Access Control
- [ ] Data Protection
- [ ] Network Security
- [ ] Application Security
- [ ] Incident Response
- [ ] Business Continuity
- [ ] Compliance
- [ ] Subcontractor Management

Duration: 2-3 weeks vendor response time

Step 3: Documentation Review

Objective: Analyze vendor-provided security documentation

Documentation Types:

| Document | Purpose | Tier Requirement |
|----------|---------|------------------|
| SOC 2 Type II | Controls attestation | Tier 1-2 |
| ISO 27001 cert | ISMS certification | Tier 1-2 |
| Penetration test | Vulnerability assessment | Tier 1 |
| Security policy | Governance documentation | Tier 1-2 |
| Network diagram | Architecture understanding | Tier 1-2 |
| BC/DR plan | Resilience capability | Tier 1 |
| Insurance cert | Risk transfer | Tier 1-2 |

SOC 2 Review Checklist:

- [ ] Report covers relevant period
- [ ] Trust service criteria appropriate
- [ ] Review user entity responsibilities
- [ ] Identify exceptions/findings
- [ ] Assess complementary controls
- [ ] Check subservice organization coverage

Documentation Red Flags:

| Finding | Risk Level | Action |
|---------|------------|--------|
| No SOC 2/ISO cert | High | Require alternative evidence |
| Qualified opinion | High | Review findings closely |
| Gaps in coverage period | Medium | Request bridge letter |
| Excluded systems | Medium | Assess if relevant |
| Open findings | Variable | Assess remediation |

Duration: 4-8 hours

Step 4: Technical Assessment

Objective: Evaluate technical security controls (Tier 1 vendors)

Technical Review Components:

Architecture Review:

- [ ] Network segmentation
- [ ] Data flow mapping
- [ ] Encryption in transit/at rest
- [ ] Authentication mechanisms
- [ ] API security
- [ ] Integration security

Security Control Verification:

- [ ] Endpoint protection
- [ ] Logging and monitoring
- [ ] Vulnerability management
- [ ] Patch management
- [ ] Access controls
- [ ] Backup procedures

Cloud Security (if applicable):

- [ ] Cloud provider certifications
- [ ] Shared responsibility understanding
- [ ] Configuration management
- [ ] Identity management
- [ ] Data residency

Duration: 4-8 hours (Tier 1 only)

Step 5: Finding Analysis and Risk Rating

Objective: Identify and prioritize security gaps

Finding Categories:

| Category | Examples |
|----------|----------|
| Governance | Missing policies, no security team |
| Access Control | No MFA, excessive permissions |
| Data Protection | No encryption, weak DLP |
| Technical | Unpatched systems, poor segmentation |
| Operations | No monitoring, poor incident response |
| Compliance | Missing certifications, audit findings |

Risk Rating Matrix:

| Likelihood | Impact: Low | Impact: Medium | Impact: High |
|------------|-------------|----------------|--------------|
| High | Medium | High | Critical |
| Medium | Low | Medium | High |
| Low | Low | Low | Medium |

Finding Documentation:

- [ ] Finding description
- [ ] Evidence/source
- [ ] Risk rating
- [ ] Potential impact
- [ ] Recommended remediation
- [ ] Remediation timeline
- [ ] Compensating controls

Duration: 4-8 hours

Step 6: Assessment Report and Risk Decision

Objective: Document findings and obtain risk decision

Assessment Report Sections:

1. Executive Summary
2. Vendor Overview
3. Scope and Methodology
4. Documentation Review Summary
5. Technical Assessment Summary
6. Findings and Recommendations
7. Risk Rating
8. Conclusion and Recommendation

Risk Decision Options:

| Decision | Criteria | Action |
|----------|----------|--------|
| Approve | No critical/high findings | Proceed with relationship |
| Conditional | High findings with remediation plan | Approve with conditions |
| Accept Risk | High findings, business necessity | Document risk acceptance |
| Reject | Critical findings, no mitigation | Do not engage/terminate |

Risk Acceptance Requirements:

- [ ] Business justification documented
- [ ] Compensating controls identified
- [ ] Time-limited acceptance
- [ ] Executive sponsor approval
- [ ] Periodic reassessment scheduled

Duration: 4-6 hours

Step 7: Remediation Tracking

Objective: Monitor vendor remediation of identified findings

Remediation Process:

1. Share findings with vendor
2. Request remediation plan
3. Agree on timelines
4. Track remediation progress
5. Validate remediation evidence
6. Update finding status
7. Close assessment or escalate

Remediation Timelines:

| Risk Level | Target Remediation | Escalation |
|------------|--------------------|------------|
| Critical | 30 days | Immediate if no plan |
| High | 60 days | 30 days if no progress |
| Medium | 90 days | 60 days if no progress |
| Low | Next assessment | Track only |

Duration: Ongoing until remediation complete


Deliverables

| Deliverable | Format | Owner |
|-------------|--------|-------|
| Completed Questionnaire | Excel/GRC | Vendor (reviewed by Analyst) |
| Documentation Analysis | Word | Technical Analyst |
| Technical Assessment Notes | Word | Lead Consultant |
| Finding Register | Excel | Technical Analyst |
| Vendor Assessment Report | PDF/Word | Lead Consultant |
| Risk Decision Memo | Word | Engagement Manager |
| Remediation Tracker | Excel/GRC | Technical Analyst |

Quality Gates

  • Assessment scope documented and approved
  • Questionnaire fully completed by vendor
  • Documentation reviewed and analyzed
  • Technical assessment completed (if required)
  • Findings documented with risk ratings
  • Assessment report reviewed by senior consultant
  • Risk decision obtained and documented
  • Remediation plan agreed (if applicable)
  • Assessment recorded in vendor inventory


Last Updated: February 2026