Safeguard 15.5: Assess Service Providers
Implementation Group: IG3

Asset Type: N/A
Security Function: Identify

Description

Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Draft policy/procedure document
6. Obtain stakeholder review and approval
7. Communicate to affected personnel
8. Schedule periodic review and updates
9. Inventory all third-party service providers
10. Classify third parties by risk level
11. Conduct security assessments of critical vendors
12. Include security requirements in contracts
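As an added example (not part of the CIS Controls text or any CIS tooling), the following Python script turns the reassessment rule from the description and checklist steps 9 through 12 into a working review queue: each inventoried provider carries a risk classification, an owner, its most recent contract date and its last assessment date; a provider is queued when it has never been assessed, when the last assessment is older than a year, or when a new or renewed contract postdates it; and the evidence requested (SOC 2 report, questionnaire, PCI AoC) is derived from the classification and from whether cardholder data is in scope. The tier names, the scope rules, the record fields and the sample inventory are assumptions constructed for this example, not values from the safeguard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed risk tiers (checklist step 10) and the baseline evidence to request
# for each; the tier names and scope rules are illustrative, not CIS text.
SCOPE_BY_TIER = {
    "critical": ["SOC 2 Type II report", "customized security questionnaire"],
    "high":     ["SOC 2 Type II report", "customized security questionnaire"],
    "moderate": ["SOC 2 report or equivalent attestation", "short questionnaire"],
    "low":      ["self-attestation questionnaire"],
}
TIER_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Safeguard 15.5: reassess annually at a minimum, or with new/renewed contracts.
MAX_ASSESSMENT_AGE = timedelta(days=365)


@dataclass
class Provider:
    """One row of the third-party inventory (checklist step 9); fields are assumed."""
    name: str
    tier: str                      # risk classification, a key of SCOPE_BY_TIER
    handles_cardholder_data: bool  # True when the provider touches card data
    contract_start: date           # start of the most recent new or renewed contract
    last_assessed: Optional[date]  # None means the provider was never assessed
    owner: str                     # accountable person or team (checklist step 3)


def reassessment_reasons(p: Provider, today: date) -> list:
    """Return why a provider is due for (re)assessment; empty list if current."""
    if p.last_assessed is None:
        return ["never assessed"]
    reasons = []
    if today - p.last_assessed > MAX_ASSESSMENT_AGE:
        reasons.append("annual reassessment overdue")
    if p.contract_start > p.last_assessed:
        reasons.append("new or renewed contract since last assessment")
    return reasons


def assessment_scope(p: Provider) -> list:
    """Evidence to request: tier baseline, plus a PCI AoC when card data is in scope."""
    scope = list(SCOPE_BY_TIER[p.tier])
    if p.handles_cardholder_data:
        scope.append("PCI DSS Attestation of Compliance (AoC)")
    return scope


def build_review_queue(register, today: date) -> list:
    """Providers needing assessment, ordered by risk tier and then by name."""
    queue = []
    for p in register:
        reasons = reassessment_reasons(p, today)
        if reasons:
            queue.append({
                "provider": p.name,
                "tier": p.tier,
                "owner": p.owner,
                "reasons": reasons,
                "scope": assessment_scope(p),
            })
    queue.sort(key=lambda e: (TIER_ORDER[e["tier"]], e["provider"]))
    return queue


# Constructed sample inventory; names, dates and owners are made up for the example.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_REGISTER = [
    Provider("payroll-saas", "critical", False, date(2024, 1, 15), date(2024, 2, 1), "hr-security"),
    Provider("card-processor", "high", True, date(2025, 1, 10), date(2024, 6, 1), "payments-lead"),
    Provider("office-catering", "low", False, date(2024, 9, 1), date(2024, 9, 5), "facilities"),
    Provider("new-cdn", "moderate", False, date(2025, 2, 20), None, "platform-eng"),
]

if __name__ == "__main__":
    for entry in build_review_queue(SAMPLE_REGISTER, REVIEW_DATE):
        print(f"{entry['provider']:16} {entry['tier']:9} owner={entry['owner']}")
        print("   reasons:", "; ".join(entry["reasons"]))
        print("   scope:  ", "; ".join(entry["scope"]))
```

Run against the sample inventory on the review date, the queue lists payroll-saas (assessed more than a year ago), card-processor (contract renewed after its last assessment, so the PCI AoC is added to its scope) and new-cdn (never assessed), while office-catering stays off the queue. The queue entries map directly onto the evidence items below: the reasons justify the annual per-vendor assessment record, and the owner field shows who is accountable for collecting it.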

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Engagement with Provider Having Inadequate Security Controls

Confidentiality

The organization entrusts sensitive data to a service provider with a weak security posture because no assessment was conducted, and the provider subsequently suffers a breach affecting enterprise data.

Provider Security Posture Degrades Over Contract Period

Integrity

A service provider that was initially compliant reduces security investments over the contract period, and the degradation goes unnoticed because no periodic reassessment is performed.

Vulnerabilities (When Safeguard Absent)

No Security Assessment of Service Providers

Without assessing service providers through SOC 2 reviews, questionnaires, or equivalent processes, the organization has no objective understanding of each provider's actual security capabilities and practices.

No Periodic Reassessment of Provider Security Posture

Absence of annual or contract-renewal reassessment means the organization relies on initial assessments that may no longer reflect the provider's current security state.

Evidence Requirements

Type     | Evidence Item                                                 | Collection Frequency
Document | Current inventory or catalog documentation                    | Maintained continuously, reviewed quarterly
Document | Process/procedure documentation for identification activities | Reviewed annually
Record   | Third-party risk assessment reports and scorecards            | Annually per vendor
Document | Vendor contracts with security requirements                   | Per contract cycle
Document | Governing policy document (current, approved, communicated)   | Reviewed annually