Which of the following BEST describes how an organization should manage security risk associated with a third-party vendor after the contract has been signed?
Perform the due-diligence review only at onboarding; reassess the vendor again only if a security incident occurs.
Conduct an initial due-diligence review, then implement ongoing monitoring and periodic reassessments throughout the relationship.
Delegate all risk monitoring to the vendor's internal audit function and review their reports annually without independent verification.
Rely solely on service-level agreements and accept residual risk without further monitoring.
Effective third-party risk management does not end with the onboarding due-diligence review. Organizations should establish continuous monitoring and schedule periodic reassessments so that new threats, regulatory changes, or changes in the vendor's security posture are detected and addressed in a timely manner. Simply relying on the initial review, contractual service-level agreements, or the vendor's own internal audits without independent follow-up can leave significant gaps in risk coverage.