We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We're motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients tend to find themselves on the receiving end of these types of documents on a frequent basis. When we can do a great job of helping our clients predict what security questions are likely to arise, it helps our clients prioritize what security controls to push closer to the top of the prioritization stack.
One of the topics that is almost always covered in vendor risk assessment is the matter of infosec policies and infosec plans. 88% of the vendor risk assessments in our analysis contained questions about plans and policies.
Some of the policies and plans most frequently requested in these assessments, include:
Sometimes the vendor risk assessment asked merely whether the vendor had (or didn't have) such a plan/policy. Other times it asked for the vendor to attach the plan/policy in the response. More analysis on that in a future post.
When we're advising clients about "where to start" in terms of adopting policies, there is an interesting interplay that happens with regard to three popular policy/plan requests. Those three policies/plans, which are often interrelated, are: Business Continuity Plans, Disaster Recovery Plans, and Incident Response Plans.
A full 72% of all vendor risk assessment forms that we evaluated asked for one or more of those interrelated documents.
It's no accident that enterprises are pressing vendors on this trio of topics. A core job of a vendor onboarding team in an enterprise is to shield the enterprise from unwanted risk. Risk such as becoming reliant on a vendor whose business continuity could be put at risk anytime, due to any number of incidents that the vendor might not be able to successfully recover from.
That's the messages that vendors should be receiving from the frequency with which enterprises ask about Business Continuity Plans, Disaster Recovery Plans, and Incident Response Plans.
As a vendor, this is a topic you should be prepared to talk about -- not just by supplying the relevant policies, but also by being prepared to add color to how your team approaches these topics as they design new features and orchestrate technology/hosting infrastructure. By having a confident explanation of your company's approach in these areas, you are very clearly setting a positive tone on a matter that enterprises are probing very carefully.
If you need a hand putting together a great fleet of policies that your company could adopt, we're glad to give you a HUGE jumpstart by supplying you with battle-tested policy templates. If you grab a free trial of our platform and navigate to the Policy Manager section, you'll be able to try out any of the following types of policies: