Hi Amie.
If you do want to implement this, it is best to keep the lines very basic. Where Due Diligence is risk-based and can be very tailored to:
- product/service
- the domains triggered, and
- risk level
Inherent Risk should be pretty consistently assessed to ensure risk ratings/tiers are identified appropriately. Some simple lines in the sand to create 2-3 Inherent Risk Assessments could be:
- Critical / non-critical
- Technology / non-tech
- Confirmed Data Involvement or not (PHI, PII, etc.)
I hope that is helpful, but I would love to hear from other members on this topic.
Original Message:
Sent: 10-25-2022 11:38 AM
From: Amie J
Subject: Inherent risk questionnaire/Vendor categories
Hello everyone, we're looking at expanding beyond our single Inherent Risk Questionnaire. We'd like to tailor them to vendor categories. Would anyone care to share some examples, ideas, or best practices?
Thanks in advance,
Amie J