Due Diligence and Ongoing Monitoring

  • 1.  BCP review of vendors

    This message was posted by a user wishing to remain anonymous
    Posted 01-15-2023 08:52 PM

    What standard do folks use for determining when to conduct a BCP review of a vendor as part of due diligence?


  • 2.  RE: BCP review of vendors

    Posted 01-24-2023 03:17 PM

    In terms of when a BCP review would be triggered, first and foremost look to your Critical Vendors, where the potential impact to you is the highest following a vendor disruption. This review should be annual to ensure BC is not just in place, but continuously updated and tested by the vendor. Beyond Critical Vendors, higher risk-rated products/services will often have drivers for BC reviews as well, so be mindful of the relationship to your business demands (all Recovery Time Objectives (RTOs), not just <24 hours), the data that may be in scope, and to what extent the product serves or interfaces with customers (especially if that is not a criticality criterion for your Organization).

    In terms of how, keep in mind that a vendor's Business Continuity review should be in the context of the service you utilize, as well as any of its operations that support it. So ideally your Inherent Risk Assessment will identify which areas of their operation you should target, whether that is the availability/resiliency of their people, their premises, their technology infrastructure, and yes, their vendors. So do not forget to ask whether 4th parties or subcontractors are utilized to support the product or service in question. The vendor should have evidence that its BCP covers disruptions at its own vendors, as well as have TPRM controls in place, if 4th parties are confirmed.

    I'd be interested in hearing what other standards members are using.