Similarly to some of the others who have replied, we risk rate our vendors/products when we complete their regular risk assessment on a cycle according to criticality and/or inherent risk.
- Critical vendors' products (regardless of inherent risk rating), High, and Moderate-High risk products - Annually
- Moderate risk products - every 2 years
- Low-Moderate, and Low risk products - every 3 years
If something has changed with the vendor or the product, the risk rating from the inherent risk assessment may change accordingly. For example, if we migrate an in-house system to a cloud-based solution, even if it is the same product from the same vendor, the risk rating may increase to a higher level, putting that vendor/product on a different cycle. Hopefully, we in vendor management will be made aware of that type of change before the fact and will complete an assessment as if it were a new product.
Original Message:
Sent: 05-05-2020 09:49 AM
From: Anonymous Member
Subject: Risk Rating
This message was posted by a user wishing to remain anonymous
Not sure if this has been discussed before.
Do you all do risk rating (high, med, low) for your vendors every year on all your vendors regardless of rating, or do you just do the high-risk and medium-risk vendors yearly?