This message was posted by a user wishing to remain anonymous
We are having a discussion at our company on the risk assessment questions pertaining to cybersecurity of vendors when the vendor offers multiple products. Do you assess a vendor by product offering or just the vendor itself? What are you doing with some of these big vendors that have acquired companies and the operating systems may be completely different? We have been requesting a SOC 2 for the services that the vendor is providing to us. But we now find ourselves with the same vendor and multiple services. We thought about putting all of the services under one vendor; however, the business owner and vendor contacts are different. We do not want to send multiple questionnaires to the same vendor for each product. Can anyone offer any insight if you have dealt with this?
Thanks.