Annual Vendor Audit

Reduce risk by regularly assessing a vendor's products and services

30 mins

In today's organizations it is not uncommon to have dozens, even hundreds, of mission-critical vendors supporting day-to-day operations. Taking time to reassess their risk and impact is important.

At Range we use Vanta to automate our compliance processes, including the tracking and monitoring of vendors. Here, Vanta's CEO Christina Cacioppo shares a template for an annual vendor review.

This template is designed to be used for a single, high-risk vendor. It is a working meeting where those responsible for vendor management work with the stakeholder responsible for the vendor to gather information and assess the risk.


1. Roll call

Make note of the vendor you are assessing and who is attending the meeting.

2. Review actions

Review and resolve any actions from the last audit.

3. Overview

  • Has anything changed with how we use this vendor?
  • Has anything changed with how this vendor provides services?
  • Has the service been acceptable?
  • Have SLAs been maintained?

4. Past issues or concerns

Were there any issues with the vendor, for example SLA violations, breaches, incidents, etc.?

Add topics to the agenda for deeper discussion.

5. Certification/Attestation

Gather evidence of SOC 2, ISO 27001, PCI AOC, HIPAA, etc.

  • Are they current?
  • Do they cover the products and services we use?
  • Are there exceptions or qualifications in the report?

6. Data Inventory

What data is the vendor storing and/or processing?

  • What is their retention policy?
  • Does retention meet our requirements?
  • Can we manually request deletion?

7. Security questionnaire

Review responses to any security questionnaires we sent and determine whether any follow-up actions need to be taken.

8. Assessments

Review the Vendor Risk Assessment, Privacy Impact Assessment (PIA), and Transfer Impact Assessment (TIA), if applicable.

9. Regulations

Are we/they compliant with regulations? (GDPR, CCPA, HIPAA, etc.)

10. Contracts

Do we have current contracts with appropriate language? (i.e. BAA/DPA/SCC)

11. Determination

  • Are we comfortable with any risks to our business from this vendor?
  • Are we comfortable with any risks to Data Subjects from this vendor?
  • Do we need to make any changes or implement additional controls?
