But with so many moving parts, creating a supplier risk management plan – and executing on it – can be a challenging and arduous task. According to Gartner, 60% of organizations work with more than 1,000 third-party vendors. That’s a huge pool of companies that require assessments, including both onboarding and throughout the relationship lifecycle.
While there are many cyber risk management frameworks and cybersecurity maturity models that you can reference, it’s hard to know where to start. To help, we’ve outlined a template of the key things you should include in your supplier risk management plan so that you can kickstart your vendor assessments with three easy steps.
A template for your supplier risk management plan
When crafting your plan, there are three key areas to consider:
- Which cybersecurity frameworks you will assess your vendors against
- The most critical questions you should ask them
- How you will continuously monitor supply chain cyber risk
Let’s look at each:
1. Determine the best cyber risk assessment methodologies
Cybersecurity frameworks provide a common language and set of standards for assessing your vendors’ security postures and are helpful starting points for informing your plan.There are several frameworks that you can consider but we suggest you start with three:
- CIS Controls: Formerly known as Critical Security Controls or the SANS Top 20, this framework contains a list of security recommendations and controls that can guide your security improvement program. When incorporated into your supplier risk management plan, CIS Controls are a useful benchmark for assessing your vendors’ security performances using guidelines trusted historically by many organizations.
- NIST Cybersecurity Framework: Considered the gold standard for assessing cybersecurity maturity; this framework combines a variety of cybersecurity standards and best practices (including CIS Controls) into one understandable document. It’s a useful reference for assessing vendor risk because it incorporates governance and technology considerations, whereas CIS Controls are focused on technology alone.
- Shared Assessments: A trusted source dedicated to developing best practices, education, and tools that drive third-party risk assurance. This organization is best known for its industry-leading vendor risk assessment tool – the Standardized Information Gathering (SIG) Questionnaire. Updated annually, it aligns with 50+ government regulations and industry standards.
2. Identify the critical questions you must ask your vendors
While these cybersecurity frameworks are valuable, there are literally thousands of questions you could mine from them. Knowing which are the most important to your organization isn’t easy. To help jumpstart the process of building your template, we’ve compiled a list of the 40 Questions You Should Have in Your Vendor Security Assessment.
Are You Asking Your Vendors The Right Questions?
We've gathered a comprehensive list of questions to make sure you're properly evaluating your vendors' cybersecurity practices.
This guide blends both NIST and CIS Controls frameworks and provides a baseline of the most critical questions you should ask your vendors. For instance:
- Does the vendor conduct drills and exercises to nail down their incident response?
- How are these incidents reported?
- When was the last time they had a cybersecurity assessment performed by a third-party?
- What were the results of their most recent penetration test?
- Plus many more...
Your plan should also include a process for validating responses. But you don’t need to conduct lengthy and costly on-site assessments of each vendor.
Instead, use a tool like BitSight Security Ratings to verify your suppliers’ security performance. Security ratings provide an objective, data-driven representation of your vendors’ security postures. For example, the BitSight platform can identify if a vendor’s IT infrastructure has known security vulnerabilities, compromised systems, or fails to adhere to industry best practices. The higher the rating, the better the security posture.
3. Plan to continuously monitor your vendors for cyber risk
While cyber security risk assessments and questionnaires are among the most powerful tools for assessing your vendors’ security postures, traditionally, they have only captured a snapshot of risk. In between assessments, vulnerabilities can emerge without your knowledge and put your organization at risk.
That’s why your plan should include a strategy for continuously monitoring your third parties in near real-time – over the lifecycle of the relationship.
Again, this doesn’t have to be a complex or unwieldy exercise. Using security ratings, you can automatically and continuously evaluate your vendors for cyber risk.
Continuous Monitoring for Vendor Risk Management
Learn how continuously monitoring your entire pool of vendors can reduce overall program risk and increase efficiency in your cybersecurity program.
Start by setting acceptable vendor risk thresholds based on your industry and the criticality of the supplier. Then, bake those into your plan. Once onboarded, monitor your vendors for movement against these thresholds. If a vendor’s rating falls below a certain score the BitSight platform will alert you. With this insight, you can work with the vendor to remediate the issue or determine if a deeper security assessment is required.
It’s a great way of staying on top of emerging risk without waiting for the next periodic assessment and all the work it entails.
Turn your supplier risk management plan into an enabler, not a roadblock
Assessing supply chain risk can seem overwhelming. Before you dive in, develop a plan that takes into consideration frameworks grounded in best practices. Then automate wherever possible. It will save you time, reduce costs, and allow you to scale your supply chain risk management practice with ease.
