Establish and Maintain an Inventory of Service Providers
Description
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
- ServiceNow (Enterprise subscription): Third-party risk management with automated vendor assessments, continuous monitoring, and risk scoring
- OneTrust (Enterprise subscription): Third-party risk management platform with vendor assessment automation, continuous monitoring, and compliance mapping
- BitSight (Enterprise subscription): Security ratings platform providing continuous monitoring of vendor cybersecurity posture with data-driven risk scoring
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Supply Chain Compromise via Unknown Service Provider
Confidentiality: A service provider with access to enterprise data is compromised, but the organization cannot assess impact or respond effectively because it has no inventory of which providers have access to what data.
Shadow IT Service Provider Operating Without Oversight
Confidentiality: A department independently contracts a cloud service provider that processes sensitive data, and the security team is unaware of the relationship because no centralized service provider inventory exists.
Orphaned Service Provider Access After Contract End
Integrity: A former service provider retains active access to enterprise systems months after the contract ended because no inventory tracks provider relationships or designated contacts responsible for lifecycle management.
Vulnerabilities (When Safeguard Absent)
No Centralized Inventory of Service Providers
Without a maintained inventory of all service providers, the organization has no visibility into which third parties have access to enterprise data, systems, or networks.
Untracked Service Provider Classifications and Contacts
Absence of service provider classification and designated contacts means the organization cannot quickly determine risk exposure or coordinate response when a provider experiences a security incident.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
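As an added example (not part of the CIS material or of any tool listed above), the following Python check runs over a constructed service-provider inventory export and enforces what this Safeguard asks for: every listed provider carries a classification and a designated enterprise contact and was reviewed within the last year; it also flags the orphaned-access scenario described above. The CSV column names, the sample rows and the 365-day review window are assumptions.

```python
"""Check a service-provider inventory export for the fields and review cadence
this Safeguard requires, and flag providers whose access outlived their contract.
Column names, sample rows and the 365-day window are assumptions for this example."""
import csv
import io
from datetime import date, timedelta

# Constructed inventory export; the providers and addresses are not real.
INVENTORY_CSV = """provider,classification,enterprise_contact,last_reviewed,contract_end,access_active
Example Payroll SaaS,Confidentiality;Critical,it-risk@example.test,2024-11-02,,yes
Example Backup Vendor,,,2023-01-15,,yes
Example Former MSP,Integrity,ops@example.test,2024-06-01,2024-03-31,yes
"""

REVIEW_WINDOW = timedelta(days=365)  # "review and update annually" (assumed as 365 days)


def parse_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_findings(rows, today):
    """Return (provider, finding) tuples for rows that violate the Safeguard:
    missing classification or contact, review older than the window, or
    access still active after the contract end date (orphaned access)."""
    findings = []
    for r in rows:
        name = r["provider"]
        if not r["classification"].strip():
            findings.append((name, "missing classification"))
        if not r["enterprise_contact"].strip():
            findings.append((name, "missing enterprise contact"))
        if today - date.fromisoformat(r["last_reviewed"]) > REVIEW_WINDOW:
            findings.append((name, "review older than 365 days"))
        end = r["contract_end"].strip()
        if end and date.fromisoformat(end) < today and r["access_active"] == "yes":
            findings.append((name, "access active after contract end"))
    return findings


def check_inventory(text, today_iso):
    """Convenience wrapper: parse the export and evaluate it as of today_iso."""
    return find_findings(parse_inventory(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for provider, finding in check_inventory(INVENTORY_CSV, "2025-01-15"):
        print(f"{provider}: {finding}")
```

Each finding maps back to a vulnerability or threat scenario on this page, so the output doubles as a per-cycle review record for the evidence table.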