When evaluating a vendor's risk for your organization, consider factors such as the Recovery Time Objective (RTO) and their access to sensitive information. For high-risk vendors, you can conduct a remote assessment focused on the specific product or service your organization relies on. During the session, request their test documentation from the last recovery test, verifying details like the test date and any encountered issues. Additionally, inquire about their backup processes related to critical services. Alternatively, you can verify BCDR processes through attested documents like SOC 2 reports or ISO 22301 certifications. Document the remote assessment or Webex session in a memo as evidence of the review. For such vendors, consider documenting adequate SLAs within the contract, specifying the due diligence documentation required at the time of review during the next renewal.
Consider revisiting the business unit that relies on the third party. Understand their maximum tolerable downtime and the contingencies they have in place in case the vendor experiences disruptions. This understanding will inform recovery strategies within the organization.