Which Vendor Risk Assessment Standard is ‘Right’ for Your TPRM Program?
Over the course of the past few months, we have explored the leading risk assessment standards, frameworks, and questionnaires that are relevant to third-party risk management. As this series comes to an end, we want to outline key details about each risk assessment standard to give your team the information needed to choose the assessment right for you.
Note: Many of the risk assessment standards below are used to assess an organizations internal controls, however, because many companies hold their vendors accountable to their own security and privacy standards, these assessments are often used externally.
ISO 27001 – Information Security Management – discusses requirements for establishing, implementing, maintaining and consistently improving an information security management system (ISMS) within an organization. An ISMS helps streamline an organization’s approach to assessing information security risks while ensuring confidentiality, integrity and availability of corporate data. The ISO 27001 standard can be leveraged by internal or external parties to assess an organization’s ability to meet relevant information security requirements.
ISO 27001 is arguably the most widely-recognized information security and risk assessment standard in the world due to the fact that its requirements are applicable to all organizations, notwithstanding size, industry, or geographic location. This risk assessment standard not only helps an organization ensure that information security risks are managed in a cost-effective manner, but it also provides a competitive advantage in demonstrating to customers and partners that the business operates in a trustworthy manner.
- Third-Party Risk Resources for ISO 27001
ISO 27701 – Privacy Information Management – provides guidance for establishing, implementing, maintaining and continually enhancing a Privacy Information Management System (PIMS). ISO 27701 is an extension of ISO 27001 and was designed to improve an existing ISMS by implementing relevant controls to meet privacy regulation requirements (GDPR, CCPA, LGPD, etc.). The certification outlines the framework in which data controllers (including joint personal data controllers) and data processers (including those using subcontractors) must manage and maintain personally identifiable information (PII) to reduce risks associated with an individual’s privacy.
An ISO 27001 certification must already be in place in order for an organization to achieve ISO 27701 certification. Additionally, organizations should be aware that the scope of the PIMS can oftentimes require revising the scope of the ISMS, because of the extended interpretation of “information security” in ISO 27701. Similar to ISO 27001, requirements of this risk assessment standard are applicable to all organizations, notwithstanding size, industry, or geographic location. Organizations meeting ISO 27701 requirements internally often hold their vendors to the same standard, using the assessment to identify a vendor’s security and privacy controls.
- Third-Party Risk Resources for ISO 27701
NIST SP 800-53
NIST SP 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations – outlines security and privacy controls for federal information systems and organizations. These controls are broken down into 18 families ranging from access control, incident response, physical and environmental protection, as well as planning and program management.
Although NIST SP 800-53 Revision 4 outlines controls for U.S. federal government systems and organizations, many global organizations, both public and private, follow NIST guidance to build effective security programs. The final version, Revision 5, is currently in its final draft and will likely expand the applicability for the private sector.
- Third-Party Risk Resources for NIST SP 800-53
SIG Core & SIG Lite
The SIG Core questionnaire supports the assessment of third parties that store or manage highly sensitive or regulated data, such as payment card information or genetic data. This questionnaire not only provides a deeper level of understanding about how a third party secures information and services, but it incorporates many of the industry’s most common industry standards. On the other end of the spectrum, the SIG Lite questionnaire is designed to provide a broad, but high-level understanding about a third party’s internal information security controls. This level is for organizations that need a basic level of third-party due diligence and can lay the groundwork for a more detailed review in the future.
These assessments have grown drastically in popularity as many companies across the globe now rely on the SIG Core and SIG Lite assessments. The questionnaires are created and maintained by the Santa Fe Group (Shared Assessments) and the current membership ecosystem consists of thousands of organizations across all industries.
- Third-Party Risk Resources for SIG Core & SIG Lite
The Consensus Assessments Initiative Questionnaire (CAIQ) is a security risk assessment standard provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess information security capabilities of cloud providers. The CAIQ provides a set of yes or no control attestation questions to ascertain a cloud provider’s compliance with the CSA Cloud Controls Matrix (CCM). The CSA CAIQ maps to the CCM, which incorporates dozens of industry standards and frameworks like COBIT, FedRAMP, FERPA, GAPP and more. The questionnaire can be customized to fit an organization’s needs and use cases and is intended to assess the risk of a specific third-party vendor, namely IaaS, PaaS, and SaaS providers.
- Third-Party Risk Resources for CSA CAIQ
While these resources and assessments can be helpful in the development of your third-party risk program and the education of your team, there is still a need to operationalize the collection of these vendor risk assessments. The OneTrust Vendorpedia Cyber Risk Exchange offers organizations a community of shared vendor risk assessments, as well as security and privacy research on 60,000+ third parties, to help streamline due diligence for your third parties.
Want to try it out? We’re offering an extended free trial that includes access to 10 free and completed vendor risk assessments.
Further risk assessment standard reading:
- Vendorpedia blog: The ISO 27001 Assessment: What It Is and Why It Matters
- Vendorpedia blog: The CSA CAIQ Assessment: What It Is and Why It Matters
- Vendorpedia blog: The NIST SP 800-53 Assessment: What It Is and Why It Matters
- Vendorpedia blog: What are the SIG Core and SIG Lite Assessments?
eBook | How the Exchange Assessment Works: Explaining Control Mapping and the Emergence of the SIG Lite