Due Diligence and Ongoing Monitoring

Good morning everyone! 

I'm working on creating a renewal/reassessment vendor questionnaire specific to cyber security. Does anyone have an example of the types of questions that you ask at renewal time?

Thank you! 

Audrey

Hi Audrey – 

There are a few "it depends" involved, but generally at a high level to assess a vendor who poses risks related to cybersecurity, I would encourage reviewing the following items and responses at a minimum:

• Summary letter from most recent penetration test
• Most recent SOC report or report/certificate from recent audit or assessment performed by a third party
• Request a summary of significant infrastructure and security changes which have occurred since original due diligence review.

Many organizations perform full due diligence reviews as a part of contract renewal while others will select a subset, such as the above.

Hi Aaron, 

This is so helpful, thank you so much! I truly appreciate your help!

Have a wonderful day! 

Audrey
Original Message:
Sent: 09-06-2022 03:00 PM
From: Aaron Kirkpatrick
Subject: Renewal Questionnaires

Hi Audrey – 

There are a few "it depends" involved, but generally at a high level to assess a vendor who poses risks related to cybersecurity, I would encourage reviewing the following items and responses at a minimum:

• Summary letter from most recent penetration test
• Most recent SOC report or report/certificate from recent audit or assessment performed by a third party
• Request a summary of significant infrastructure and security changes which have occurred since original due diligence review.

Many organizations perform full due diligence reviews as a part of contract renewal while others will select a subset, such as the above.

I'm always looking to hear what others are doing for cybersecurity review at contract renewal.