Information Security

  • 1.  Information Security Policy Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    Similar to reviewing and assessing SOC reports, does anyone currently do assessments on your third-party vendors' information security policies? If so, would you be willing to share?

    Thanks in advance.



  • 2.  RE: Information Security Policy Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    Having been on both sides of the table...

    As a vendor, I never shared policies outside of the organisation as they were considered to be proprietary. There were times when a policy included requirements that might lead to more questions regarding security operations, again not to be shared.

    As a buyer, I had few vendors provide policies. Some would provide cover pages and tables of contents to give an idea of what was included in the policy.

    If your vendor has an ISO 27001 or PCI certification, or a SOC 2 report, policies are reviewed as part of completing these.




  • 3.  RE: Information Security Policy Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 19 days ago

    You mentioned PCI - I have a critical vendor that will have access to a lot of customer information beyond cardholder data. Their PCI indicates segmented - it is my understanding that this limits the scope of PCI compliance to be specific to cardholder data. Is that generally the case? I am running into issues trying to get more information from the vendor as they state it's proprietary and will not share. They do not have a SOC 2. Any advice is much appreciated!

    Thanks.