If you think like an auditor, criticality will override the low-risk rating. Since the internet is a critical service for your organization, you should be doing more exhaustive diligence. But due diligence for internet providers can be a tricky business. Typically, providers will not participate in your due diligence efforts, and most of these services are purchased under the provider's standard agreement, leaving your organization no room to make demands or negotiate. Still, your organization bears the responsibility of conducting due diligence.
The question is how to get the information you need to evidence that you took reasonable care.
Over the years, I have learned several research techniques that can assist you when no information is available directly from the vendor.
- Review the provider's web page, and look for "technical, compliance, or privacy" sections. Many providers publish information for their customers.
- Search "XYZ company GRI or SASB report." The Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board (SASB) both set standards for ESG (environmental, social, and governance) reporting. These reports are often a treasure trove of data and provide direct links to policies, certifications, and other information that can be used to substantiate due diligence efforts.
- Basic internet search: "XYZ company SOC 2 compliance."
- Dun & Bradstreet reports
- Data and reporting from risk monitoring and alert services
While you may not be able to meet your standard due diligence evidence requirements, you can still demonstrate your efforts, which is always better than nothing.
Hopefully, this information was helpful, but I would love to hear from other members.