TPM-01—Third-Party Assurance Review
Control Description
Theme
Type
Policy/Standard
Vendor Information Security Policy
Implementation Guidance
1. Ensure there is a documented procurement policy and information security standard that covers, among other requirements, third-party assurance reviews.
2. Ensure a formal questionnaire is prepared for assessing third-party risks during the onboarding process.
3. Ensure there is an action plan for control gaps in the third party's controls identified during the vendor security review.
Testing Procedure
1. Inspect the Organization Procurement Policy and Vendor Information Security Standard to determine whether requirements for third-party assurance reviews are defined.
2. Observe the Organization Risk Assessment system to determine whether a questionnaire for systematically assessing third-party risks is defined.
3. For a sample of vendors, inspect whether the corresponding Vendor Security Review (VSR) is completed, to determine whether management has assessed the third party's controls against Organization requirements and has taken action on control gaps as applicable.
Audit Artifacts
Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.