What type of documents should I collect from a third-party reseller of IT services?
For the benefit of other members, I thought I would quickly describe the role of a third-party IT reseller. An IT reseller, also known as a channel partner or retailer, is a company that purchases technology products or services from a manufacturer, distributor, or wholesaler. The reseller then sells the technology products or services to the customer, which is typically an IT department of a company.
Most IT resellers provide SaaS offerings (or software, essentially) or hardware and peripherals. Third-party resellers service those customers who do not have enough spend to work directly with the SaaS provider (for example, Cisco has a set spend threshold to purchase directly through them) or whose products are sold exclusively through resellers (for example, Adobe). Just like any other product or service, the due diligence required should be based on the risk involved in the engagement. Your inherent risk assessment should be informing your scope of due diligence. For example, any product or service that involves accessing, processing, transmitting, and storing PII would require full cybersecurity and privacy due diligence.
In the case of a reseller, based on my assumptions in this case, the risk is usually low, because the vendor doesn't typically require access to sensitive data, nor are they critical to your operations. Essentially, they are selling you software and sometimes the licenses. But again, the best way to determine the risk is to complete your internal inherent risk assessment. I am including this helpful Vendor Due Diligence Checklist as a resource to help you identify which documents you need to collect. But if there are other members who have thoughts or suggestions here, we would love to hear from you.