How do you monitor the security control compliance for third party providers?
  • I wonder what a small startup would typically do concerning third-party compliance?

    Are you expected to send third-party vendors a security questionnaire? Do you need to do that regularly?



  • It depends on your risks and if you need a certain level of assurance in order to keep your risks to an acceptable level.

    Questionnaires are standard, but you need a security person who can understand the responses.

    Most 3rd parties get assurance from 3rd party auditing and certification. That's where SOC 2 Type 2 reports come in handy, ISO 27k certification, etc.
