It’s no secret that the more third parties added to your environment the more exposure to risk your company has. That’s why Gartner is reporting that by 2023, organizational spending on TPRM technologies to support due diligence and monitoring will increase by 50%.
Providing answers to security questionnaires is a form of self-assessment that provides the most basic level of assurance regarding a company’s security posture, while a third-party audit like a SOC 2 Type II or a certification like ISO 27001 is independently validated, thereby carrying more weight in an assessment. It’s important for companies to understand the spectrum of available validation and dedicate an appropriate level of validation to vendor assessments based on the criticality and inherent risk of that vendor’s product or service.
How much and what type of third-party validation your organization uses comes down to how much tolerance for risk you have, the specific use-case for the vendor’s product or service, and other factors. Regardless of the vendor, we see more organizations employing a variety of validation methods as they assess their vendors.
Ranking types assessment validation
As mentioned earlier in this post, there are a number of ways for you to validate the security posture of a vendor .All evaluations will start with completed questionnaires and other documentation provided by the vendor. You will then need to take into consideration things like your appetite for risk or your budget when determining what other data points you are needed to validate the vendor's responses. The following are listed in order of the value of the validation:
Having vendors complete a questionnaire is a good place to start the assessment process, and for vendors that you consider to be low-risk, completing the questionnaire may be enough. However, for most vendors, you will need to do further validation.
Read Our New eBook: 4 Vendor Security Trends Whistic is Watching in 2022
In this ebook, we’ll dig deeper into each of these topics and provide actionable ways you can incorporate them into your vendor security strategy going forward.
External, continuous validation contained in security ratings like RiskRecon, Bitsight, and Security Scorecard provide you with aggregate data of everything that’s known publicly about your vendors by scanning web-facing assets. This data is valuable, but likely not as thorough enough.
Internal validation by vendor
Next, you can require the vendor to conduct control compliance self-validation using a tool like Drata, Vanta, or Whistic and provide a time stamped report that shows control compliance data as evidence.
Independent audit or certification
One of the best and most common methods for validating a vendor’s security compliance is via a third-party audit like a SOC 2 Type II or an ISO 27001 Certification provided by the vendor.
Third-party risk assessment
If you feel the need to go above and beyond, when validating vendor assessments, you can hire a third-party assessor like PwC to conduct an assessment of your vendors. This validation method is more costly than the others, but it is very effective at helping identify risk associated with your vendors.
Internal, continuous validation
To learn more about 2022 vendor security trends according to Whistic, download our latest ebook and be on the lookout for our next blog post that will dig into the importance of standardizing how security information is shared.