Hi all,
I'm new to the Vendor Management world, so forgive me if this question is ignorant:
I am wondering what your thought process/approach is when gathering documents for a risk assessment, initial due diligence, etc. Specifically, do you request policies such as Information Security Policies, Background Check Policies, etc. when they may be defined within a SOC Report?
Or, do you typically request these documents only if they are not listed in a SOC report? Basically, I am trying to determine if a policy being detailed in a SOC report is typically 'good enough' to satisfy obtaining specific policies. Until now, I've been requesting specific policies, only to find them detailed within the SOC report, so I didn't know if asking for both was a redundant effort.
Thanks!