Which Third Party Validation Methodology is Best for My Business?

February 10, 2022

It’s no secret that the more third parties you add to your environment, the more exposure to risk your company has. That’s why Gartner is reporting that by 2023, organizational spending on third-party risk management (TPRM) technologies to support due diligence and monitoring will increase by 50%.

Providing answers to security questionnaires is a form of self-assessment that provides the most basic level of assurance regarding a company’s security posture, while a third-party audit like a SOC 2 Type II or a certification like ISO 27001 is independently validated, thereby carrying more weight in an assessment. It’s important for companies to understand the spectrum of available validation and dedicate an appropriate level of validation to vendor assessments based on the criticality and inherent risk of that vendor’s product or service.

How much and what type of third-party validation your organization uses comes down to how much tolerance for risk you have, the specific use-case for the vendor’s product or service, and other factors. Regardless of the vendor, we see more organizations employing a variety of validation methods as they assess their vendors.

Ranking types of assessment validation

As mentioned earlier in this post, there are a number of ways for you to validate the security posture of a vendor. All evaluations will start with completed questionnaires and other documentation provided by the vendor. You will then need to take into consideration things like your appetite for risk or your budget when determining what other data points you need to validate the vendor's responses. The following are listed in order of the value of the validation:

Self-attestation

Having vendors complete a questionnaire is a good place to start the assessment process, and for vendors that you consider to be low-risk, completing the questionnaire may be enough. However, for most vendors, you will need to do further validation.

 

Security Ratings

External, continuous validation in the form of security ratings from providers like RiskRecon, Bitsight, and SecurityScorecard gives you aggregate data on everything that’s known publicly about your vendors by scanning their web-facing assets. This data is valuable, but likely not thorough enough.

Internal validation by vendor

Next, you can require the vendor to conduct control compliance self-validation using a tool like Drata, Vanta, or Whistic and provide a time-stamped report that shows control compliance data as evidence.

Independent audit or certification

One of the best and most common methods for validating a vendor’s security compliance is via a third-party audit like a SOC 2 Type II or an ISO 27001 Certification provided by the vendor.

Third-party risk assessment

If you feel the need to go above and beyond when validating vendor assessments, you can hire a third-party assessor like PwC to conduct an assessment of your vendors. This validation method is more costly than the others, but it is very effective at helping identify risk associated with your vendors.

Internal, continuous validation

Finally, you can utilize tools like Vanta or Drata to automatically and continuously validate control compliance of your vendors.

 

Learn more

To learn more about 2022 vendor security trends according to Whistic, download our latest ebook and be on the lookout for our next blog post that will dig into the importance of standardizing how security information is shared.

About the author

Whistic

The latest insights and updates on information security and third party risk management.
