Hi Audrey –
There are a few "it depends" involved, but generally at a high level to assess a vendor who poses risks related to cybersecurity, I would encourage reviewing the following items and responses at a minimum:
- Summary letter from most recent penetration test
- Most recent SOC report or report/certificate from recent audit or assessment performed by a third party
- A summary of significant infrastructure and security changes that have occurred since the original due diligence review
Many organizations perform full due diligence reviews as a part of contract renewal while others will select a subset, such as the above.
I'm always looking to hear what others are doing for cybersecurity review at contract renewal.
Original Message:
Sent: 08-31-2022 10:20 AM
From: Audrey Prokop
Subject: Renewal Questionnaires
Good morning everyone!
I'm working on creating a renewal/reassessment vendor questionnaire specific to cybersecurity. Does anyone have an example of the types of questions that you ask at renewal time?
Thank you!
Audrey