VND-006 Vendor Monitoring and Performance Review
Description
Vendor performance, security posture, and compliance with contractual security obligations are reviewed at defined intervals (at least annually) and upon significant changes. Reviews include assessment of incident history, audit reports, certifications, and service delivery against SLAs. Findings are documented and escalated where material deficiencies are identified.
Rationale
Vendor risk is not static. A supplier that passed initial due diligence may deteriorate over time: ownership changes, key staff leave, certifications lapse, subcontractors are swapped in, or the supplier suffers an incident. Ongoing monitoring gives the organisation the opportunity to detect such changes and act before they become material risks.
Framework Mappings (8)
| Control | Title | Coverage |
| STA-12 | Supply Chain Agreement Review | full |
| STA-13 | Supply Chain Compliance Assessment | full |
| STA-14 | Supply Chain Service Agreement Compliance | partial |
| STA-15 | Supply Chain Governance Review | partial |
| 5.22 | Monitoring, review and change management of supplier services | full |
| SR-6 | Supplier Assessments and Reviews | partial |
| MANAGE 3.1 | Third-Party AI Risk Monitoring and Controls | partial |
| CC9.2 | Vendor and Business Partner Risk Management | partial |
Evidence (2)
Completed vendor review records documenting periodic reassessment of vendor security posture, compliance, and contractual adherence.
Example: Annual vendor review records (vendor management system / Jira) for top-tier vendors from the last 12 months, each showing: review date, reviewer, security posture re-assessment (updated SOC 2 report or SIG questionnaire response), SLA performance review, incident history check, and any escalated findings with resolution status
Test: Request vendor review records for 5 critical vendors over the last 12 months. Verify: (1) a formal review was conducted for each vendor within the last 12 months, (2) each review includes a security posture assessment based on current evidence (a SOC 2 report whose period ended within the last 12 months, or a bridge letter covering any gap, or a questionnaire response dated within the review cycle), not a re-filed copy of the onboarding assessment, (3) any identified deficiencies are tracked to resolution with an owner and due date, (4) review was signed off by a named owner (procurement, security, or risk team).
Vendor risk register or monitoring report showing current risk ratings for all active vendors with trend information.
Example: Vendor Risk Register (SecurityScorecard / Vanta / spreadsheet) — showing all active vendors with current risk tier, last assessment date, open findings, and score trend (improved / stable / deteriorated) over the last 12 months
Test: Request the vendor risk register together with an independent list of active suppliers (for example the accounts payable vendor list or the SSO / SaaS application inventory). Verify: (1) every active vendor with access to organisational data or systems appears in the register (sample from the independent list, since the register cannot evidence its own completeness), (2) each vendor has a current risk rating with a review date within 12 months, (3) any vendors rated High or Critical risk have documented remediation plans or exit justifications, (4) register is maintained by a named owner.
Questions (2)
Are vendor security posture, compliance, and contractual performance reviewed at defined intervals (at least annually) with documented findings and escalation of material deficiencies?
Reviews should include: updated security certifications or questionnaire responses, incident history check, SLA performance, and any open findings from the previous review. Material deficiencies should be escalated and tracked to resolution.
What triggers a vendor security review outside of the regular annual cycle?
Event-triggered reviews are critical because vendor risk does not change on a fixed annual schedule. A vendor-reported incident or publicly disclosed breach, a change of ownership or control, a material change in the service or in the data it handles, a change in critical subcontractors, and the lapse or qualification of a certification or audit report should all trigger an unscheduled reassessment. The trigger list, and who is responsible for acting on it, should be defined in advance rather than decided case by case.