When evaluating a vendor's risk for your organization, consider factors such as the Recovery Time Objective (RTO) and their access to sensitive information. For high-risk vendors, you can conduct a remote assessment focused on the specific product or service your organization relies on. During the session, request their test documentation from the last recovery test, verifying details like the test date and any encountered issues. Additionally, inquire about their backup processes related to critical services. Alternatively, you can verify BCDR processes through attested documents like SOC 2 reports or ISO 22301 certifications. Document the remote assessment or Webex session in a memo as evidence of the review. For such vendors, consider documenting adequate SLAs within the contract, specifying the due diligence documentation required at the time of review during the next renewal.
Consider revisiting the business unit that relies on the third party. Understand their maximum tolerable downtime and the contingencies they have in place in case the vendor experiences disruptions. This understanding will inform recovery strategies within the organization.
Original Message:
Sent: 07-08-2024 11:26 AM
From: Joy Simmons
Subject: BCP/DR Alternative Documentation
Good Morning TPRM Professionals,
I'm curious to know what alternative documentation you use for a BCP/DR assessment when the company does not provide their BCP or DR plan due to privacy?