Assessing risk at both the vendor and product/service level is definitely a best practice because it gives your organization the bigger picture of the types of risks you need to manage. If you assess risk at the vendor level only, there's a chance you can overlook some of the unique risks that lie within each individual product or service.
I would recommend doing an assessment at the product/service level first to understand where the highest level of inherent risk is. This could be done with whichever questionnaire(s) your organization uses. These individual risk ratings will ultimately help you perform an assessment at the vendor level. Here's an example that might help.
Your core processor provides three services – a platform as a service, consulting services, and compliance testing. A risk assessment for each service might produce the following results:
- Platform as a service - Critical, high information security risk
- Consulting – Non-critical, moderate strategic risk
- Compliance testing – Non-critical, high compliance risk
The vendor can then be assessed as an entity. This vendor would be considered critical and high-risk because the overall vendor risk rating always defaults to the highest engagement rating and criticality.
I hope my reply helps and I'm eager to hear from the rest of the community!
Original Message:
Sent: 03-25-2024 01:56 PM
From: Anonymous Member
Subject: Risk Assessments at the Products/Services level
This message was posted by a user wishing to remain anonymous
Hello,
I am wondering if anyone does risk assessments at both the vendor and the product/service level? If so, do you have a questionnaire that you use based on the service/product being contracted out? E.g., a software company has to do an assessment at the company level and also a different one on the software they provide with more of a focus on technical controls while a utility company has a different product/service assessment that they need to do.
Thanks for any help.