How to Create a Vendor Risk Management Checklist

vendor risk management checklist

Vendor risk management is top of everyone’s mind considering recent headline grabbing supply chain attacks, such as SolarWinds

But as more vendors enter your digital supply chain, keeping up with vendor adoption is tough. According to Accenture, 79 percent of businesses are adopting technologies faster than they can address related security issues.

For your organization to be truly protected against supply chain cyber risks, you must develop a robust vendor risk management (VRM) program. Start by creating a vendor risk management checklist that ensures you capture relevant information from your vendors during the onboarding process.

Here’s what to include:

1. Vendor risk assessment protocols

✔ Has a documented risk assessment policy and methodology that identifies and priorities digital assets.
✔ Has a vulnerability detection and management policy.
✔ Assesses and implements security controls based on emerging risks and threats.
✔ Assesses the likelihood of cyber threats and scenarios on a regular basis.
✔ Uses security questionnaires to assess risk in its own supply chain.

2. Vendor security protocols

✔ Has provided minimum requirements for network security, access controls (including remote access), and data security.
✔ Has documented practices for security hygiene, including software patching and configuration management.
✔ Conducts external and internal tests to identify vulnerabilities and attack vectors, including penetration testing—ask for the results of those tests.
✔ Continuously assesses the performance of security controls.
✔ Has documented security training plans for employees who handle and safeguard sensitive information.
✔ Has physical security procedures for offices and data centers, including visitor handling, access to premises, and surveillance. 

3. Vendor incident response plans

✔ Has a documented incident response plan outlining security breach management practices.
✔ Has established a business continuity and disaster recovery plan in the event of a cyber incident, including data recovery.
✔ Has a communication plan to notify customers of cyber incidents.

4. Vendor governance

✔ Has provided evidence of certifications including SOC reports, ISO 27001, or HiTrust. Each is considered an international standard for validating a cybersecurity program—internally and across third parties.
✔ Has presented proof of compliance with regulations such as HIPAA, PCI DSS, NERC CIP, FISMA, and more.
✔ Security practices adhere to security frameworks, including NIST and CIS Controls.
✔ Has provided documentation evidencing current cybersecurity insurance.
✔ Reviews security questionnaires, such as the Consensus Assessments Initiative Questionnaire (CAIQ & CAIQ Lite) for assessing cloud providers and the Standardized Information Gathering Questionnaire (SIG Core and SIG Lite). 

Continuously assess vendor risk, beyond the onboarding checklist

As your vendor portfolio expands, it’s critical that you find a way to manage vendor risk from procurement all the way through the entire vendor relationship—efficiently and at scale.

A scalable, end-to-end VRM program is one that continuously detects, monitors, and mitigates vendor risk. It goes beyond initial assessments, checklists, and due diligence to constantly reassess and act on vendor risk. Most importantly, it scales with business growth, managing thousands of vendors as effectively as it manages ten.

Bitsight VRM, which combines workflow automation with objective data about your vendors’ security postures, is key to this approach. With Bitsight VRM you have unparalleled visibility over the digital supply chain by measuring and continuously monitoring third-party security controls, ultimately aligning the program with your risk tolerance and organizational objectives.

Take a look at how Alameda Alliance for Health uses Bitsight VRM to conduct the entire vendor assessment and management process in one centralized location, improving efficiency across their VRM program.