Establish and Maintain a Service Provider Management Policy
Description
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.
Tool Recommendations
| Tool | Licensing | Capabilities |
|---|---|---|
| ServiceNow | Enterprise subscription | Third-party risk management with automated vendor assessments, continuous monitoring, and risk scoring |
| OneTrust | Enterprise subscription | Third-party risk management platform with vendor assessment automation, continuous monitoring, and compliance mapping |
| BitSight | Enterprise subscription | Security ratings platform providing continuous monitoring of vendor cybersecurity posture with data-driven risk scoring |
| SecurityScorecard | Enterprise subscription | Cybersecurity ratings and third-party risk management platform with continuous monitoring and vendor assessment automation |

Security ratings reflect only a provider's externally observable posture; they support the monitoring element of the policy but do not replace the assessment criteria and contractual requirements the policy itself must define.
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Inconsistent Vendor Security Standards Across Departments
Confidentiality: Different business units apply varying and often inadequate security requirements to service providers because no unified management policy defines standards for vendor classification, assessment, monitoring, and decommissioning.
High-Risk Provider Onboarded Without Security Evaluation
Confidentiality: A service provider handling sensitive regulated data is engaged without any security assessment because no policy mandates evaluation criteria that must be met before a vendor is onboarded.
Vulnerabilities (When Safeguard Absent)
No Formal Service Provider Management Policy
Without a service provider management policy, there are no standardized requirements for classifying, assessing, monitoring, or decommissioning vendors, leading to inconsistent and often inadequate third-party risk management.
No Defined Lifecycle for Service Provider Relationships
Absence of a policy addressing the full vendor lifecycle means providers are onboarded without security requirements and remain active without periodic reassessment or proper offboarding.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current service provider inventory or catalog documentation, including each provider's classification | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for classifying, assessing, monitoring, and decommissioning service providers | Reviewed annually |
| Technical | Service provider inventory export with required fields populated | Exported quarterly for review |
| Record | Service provider inventory review meeting minutes or sign-off | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |