This message was posted by a user wishing to remain anonymous
I am certainly rooting for your success here, but I have reservations on what your success rate will be here because of the potential of the overhead your process would cause your vendors. Mind you, I do not know which industry you are in, or how large your organization is. Those two factors certainly impact your success rate.
Would your framework speak to strictly internal controls at your vendors, or is your concern regarding the controls for the services/systems they provide to you? Those can be two entirely separate things.
We send our vendors a custom questionnaire that is designed to fill out the potential gaps that we may not be able to fill when reviewing a vendor's due diligence. Different vendors provide different things. We have vendors that refuse to complete that questionnaire, so I use that as a supporting reason for my reservation regarding your success.
My approach here would be to seek to map controls that you are able to identify in vendor due diligence to a control framework. What you use is up to you here, but there are many options. Depending on what industry your vendor targets, you may have more success with one framework over another.
I look forward to hearing if you have success in your endeavours.
Original Message:
Sent: 03-15-2023 05:06 PM
From: Anonymous Member
Subject: Third-Party Cyber Security Control Requirements
This message was posted by a user wishing to remain anonymous
We are in the process of trying to establish a third-party control requirements document (either a Framework or Standard) that would define the cyber security controls that our 3rd parties would be required to have. We would utilize this document in our third-party assessment process. How have others handled these requirements, and has it been difficult to provide evidence of adherence to these requirements, since this is defining what the 3rd parties need to have in place? The concern lies with the 3rd parties that do not trigger a third-party assessment.