I was going through ISO 27001 and COBIT to understand the Third-Party (or vendors) Risk Management process in detail. And though both the frameworks provide enough guidance on ensuring the proper due diligence on the vendors, I could not find any material on what happens before the vendors are onboard – how does the Information Security team come into play, what does it mean to have the vendor risk assessment done, should I assess all the vendors who submit the RFP, or what actually is a RFP? Here’s an attempt to simplify the process:
Step 1: The business will see a need for an external vendor for any of the tasks that can’t be performed on-site or perhaps it’s easier to onboard a vendor rather than building those capabilities in-house.
Step 2: The business will ask for a Request for Information/Proposal (RFI/P) from the vendors. The RFI/P will have all the requirements of the business listed in the form of a questionnaire and the vendors are expected to fill the questionnaire to the best of their abilities. The questions must be aligned with the business process requirements.
Step 3: The RFPs are generally evaluated on a scale reflecting the ability of the vendor to fulfill the requirements. For e.g. the vendor is an ‘Excellent’ match on requirement 1 but is ‘Poor’ on requirement 2.
Step 4: Once the vendors are shortlisted, the business team will then come to the Information Security team to assess the vendors on the basis of their Information Security controls.
Step 5: The Information Security team will then perform a vendor risk assessment either via a workshop or will provide a questionnaire to the vendors to fill out their security controls. This questionnaire can be very detailed or limited depending on the criticality of the vendor – criticality being directly proportional to the number of questions.
Step 6: Once the filled questionnaire is received, the Information Security team will perform an assessment of the answers and identify any gaps in the controls and highlight the risk as Critical, High, Medium, Low.
Step 7: The Information Security team will then prepare a report detailing the control gaps with the vendors and submit it to the business and in some cases to the vendors as well.
At this point, it’s on the business to take the next steps – if the vendor is critical, the business may either accept the risk and still onboard the vendor OR ask the Information Security team to help the vendor close Critical/High risks and bring the overall risk to an acceptable level before onboarding.
What happens next? The guidance to maintain the supplier relationship is fairly documented in the ISO 27001 ‘Annex A.15: Supplier Relationships‘ or COBIT 5 ‘AP010 – Manage Suppliers‘ guidance.