Risk Assessments

  • 1.  ERP and other Enterprise Solutions

    This message was posted by a user wishing to remain anonymous
    Posted 03-08-2023 01:34 PM

    Hello Community,

    How are folks scoping and conducting assessments for enterprise solutions such as big-name ERP solutions? SOC2s and long lists of compliance certifications are readily available for these third parties, but my question is more specific to scoping and the breadth of these assessments. Is a common approach to assess beyond the solution and its operating environment and over to the implementation specifics and internal management of the solution?

    Thank you



  • 2.  RE: ERP and other Enterprise Solutions

    Posted 03-29-2023 03:05 PM
    Enterprise Resource Planning solutions will typically be critical vendors with high risk driven by the company's data involved. The answer is yes, consider the implementation, not just the solution/vendor level of due diligence. This is because solution locations vary (on-premise vs cloud), support models vary, so in the end, your control requirements of the vendor will also vary for areas like Availability/BC/DR and InfoSec/Cyber.

    I'd love to hear other members' thoughts.