While you asked a simple question, the answer can sometimes be more complex. And while I can't specifically tell you how to define these types of vendors (that is up to your organization), I can tell you what you need to consider in these situations.
With every vendor engagement, your organization must identify if that vendor (product or service) is critical to your organization. Critical vendors can significantly impact your organization or its customers should they fail or have an extended unplanned outage. When we are trying to figure out who is critical, these three questions can help.
If the answer to ANY of these questions is "YES," it's a critical vendor or essential to your day-to-day operations.
Using those criteria, you may determine that your internet or telecom providers are critical. Well, here is the twist: even though those services may be integral to your daily business, they might also be out of scope for your TPRM program. The rationale is that services that fall into the category of public utility, for example, are typically not included in TPRM because:
It is important to consider all these factors because your TPRM program is about identifying and mitigating risks. Even though your phone company is key to your organization's ability to do business, there may be little to nothing your organization can do to effectively mitigate the risks in these relationships, especially regarding the vendor's risk practices and control environment. And would it be reasonable and practical to include them on your list of critical vendors (which require the highest amount of due diligence, monitoring, and management) when your organization is not taking on any unique risks? Probably not, but does that mean you don't have to pay attention to them? Not necessarily. All products and services essential to your day-to-day operations should be considered in your organization's internal business continuity management planning, even if they are out of the scope of your TPRM program.
My advice here is to
I know that is a lot of information to consider, but I hope it is helpful. I would love to hear from other members too.