Due Diligence and Ongoing Monitoring

  • 1.  Out of Scope Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-15-2021 06:48 PM

    Would anyone be willing to share their out-of-scope paragraph, especially if it has survived reviews/audits?

  • 2.  RE: Out of Scope Vendors

    Posted 07-20-2021 09:18 AM
    When defining your out-of-scope vendors, it's up to you, and perhaps your particular auditor and organizational appetite, whether or not your "paragraph" (assuming it is in your VRM Policy?) has more or less detail. Here is an example of a broad statement:
    TPRM is intended to apply to all third-party relationships entered into by ABC Company, as communicated to the TPRM Department, including but not limited to: vendors, service providers, processors, business partners, program managers and marketers and other third parties, with whom ABC Company contracts for purposes of obtaining products or services, or who collaborate with the ABC Company in providing products and services in the marketplace. Not in scope for this TPRM Policy:
    • Relationships with customers of ABC Company
    • Relationships with third-party providers of goods or products (or their sub-providers) which may reasonably be considered incidental to ABC Company's operations or lines of business and have no material or risk impact
    With that said, I believe it is becoming more popular to list out additional entities that are out of scope for your program, such as: Utilities, government entities, attorneys, hardware providers, or individual contractors and consultants. Here is some additional information: How-to Guide: Determining Vendors that Are In Scope and Out of Scope
    I always like to hear what other people have to say about their scoping process, and what is determined out of scope. In the many organizations I've discussed this with, there always seems to be slightly varying opinions and appetites.