πŸ—‚οΈ Resources Open a Ticket

Third-Party IT Requirements & Contract Review Pack

1. Purpose
To ensure that all third-party contract agreements are reviewed for compliance with SOC 2 requirements, protecting the organization’s data, security, confidentiality, and legal interests.

2. Scope
This process applies to all third-party vendors, service providers, and partners that handle, process, store, or transmit organizational data.

3. Roles & Responsibilities
• Procurement / Vendor Management: Coordinates the contract review process.
• Legal / Compliance Team: Ensures legal obligations, liability, and regulatory compliance are met.
• IT Security Team: Reviews technical and security-related clauses.
• Executive Sponsor / Management: Approves the final agreement before execution.

4. Process Steps
Department / Team Member fills in the “New Vendor Request” form.
  • Vendor name
  • Vendor website
  • What is the business use case?
  • Is the vendor business critical?
  • What sort of data is processed?
  • What type of data is the vendor processing (e.g. personal data, protected health information)?
  • Is any of the data considered "special categories" of personal data as defined by GDPR?
  • Is the data anonymized or pseudonymized?
  • Does the vendor provide a Data Processing Agreement (DPA) or is HIPAA Business Associate Agreement (BAA) required?
  • Does the vendor process customer/company data?
  • Does the vendor have access to our production infrastructure?
  • How will our company's staff/systems authenticate with this vendor?
  • Will the vendor be used for authentication or identity management?

4.1 Vendor Review Steps

Step 1 – Initial Review
  • ☐ Verify business purpose and scope of services.
  • ☐ Identify type of data vendor will handle (PII, PHI, financial, confidential).
  • ☐ Confirm vendor provides necessary security certifications (SOC 2, ISO 27001, etc.).
  • ☐ Confirm data retention and deletion policies align with SOC 2 principles.
  • ☐ Review data backup and recovery procedures.
  • ☐ Assess data segregation (multi-tenant environments, shared resources).
  • ☐ Ensure secure data disposal methods are defined.

If the vendor does not have any certifications, proceed to share a Security Questionnaire (Vanta template). The information for the security controls checklist below will be gathered from the questionnaire responses.

A. Security Controls

  • ☐ Confirm vendor has an Information Security Policy (review copy)*
  • ☐ Validate access control measures (least privilege, MFA, RBAC)*
  • ☐ Confirm data encryption (in transit and at rest)*
  • ☐ Assess network security (firewalls, IDS/IPS, patch management)*
  • ☐ Review incident response and breach notification procedures*
  • ☐ Evaluate physical security of vendor’s facilities and data centers*

Step 2 – Contractual Clauses Review
The legal team needs to review the contract and ensure these clauses are present.

  • ☐ Review Master Services Agreement (MSA) and Data Processing Agreement (DPA)
  • ☐ Ensure Confidentiality / Non-Disclosure Agreements are in place.
  • ☐ Confirm Data Protection & Privacy requirements align with SOC 2 principles.
  • ☐ Verify Right-to-Audit and compliance reporting clauses.
  • ☐ Validate Breach Notification Requirements (e.g., timeline for notification).
  • ☐ Review Data Retention & Destruction provisions.
  • ☐ Assess Liability, Indemnification, and Insurance coverage.

Step 3 – Security & Compliance Review
If the vendor outsources activities to subcontractors, discuss the requirements below with the account manager.

  • ☐ Check access control, encryption, and incident response obligations.
  • ☐ Ensure subcontractors are held to the same security requirements.
  • ☐ Confirm vendor has Business Continuity and Disaster Recovery plans.

Step 4 – Approval & Documentation
At this point, a new vendor entry needs to be added in Vanta and populated with the findings and review notes.

  • ☐ Document review findings and approval status.
  • ☐ Store signed agreements and related compliance evidence in a secure repository.
  • ☐ Ensure version control for contract updates or renewals.

Step 5 – Ongoing Monitoring
Both SOC 2 and ISO 27001 require a review of vendors on an annual basis.

  • ☐ Review agreements periodically (annually).
  • ☐ Require updated SOC 2 reports and certifications.
  • ☐ Reassess clauses if business or regulatory requirements change.
  • ☐ Monitor vendor’s performance against SLAs.
  • ☐ Track incidents, breaches, or regulatory actions affecting the vendor.

5. Outputs / Evidence
All the artifacts below can be stored in Vanta for that specific vendor under the Security Review section.

• Completed contract review checklist
• Approval sign-off records
• Archived copies of executed agreements
• Audit trail of vendor monitoring activities