Which of the following BEST describes how an organization should manage security risk associated with a third-party vendor after the contract has been signed?
Conduct an initial due-diligence review, then implement ongoing monitoring and periodic reassessments throughout the relationship.
Perform the due-diligence review only at onboarding; reassess the vendor again only if a security incident occurs.
Rely solely on service-level agreements and accept residual risk without further monitoring.
Delegate all risk monitoring to the vendor's internal audit function and review their reports annually without independent verification.
Effective third-party risk management does not end with the onboarding due-diligence review. Organizations should establish continuous monitoring and schedule periodic reassessments so that new threats, regulatory changes, or changes in the vendor's security posture are detected and addressed in a timely manner. Simply relying on the initial review, contractual service-level agreements, or the vendor's own internal audits without independent follow-up can leave significant gaps in risk coverage.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is ongoing monitoring of third-party vendors important?
Open an interactive chat with Bash
What are some examples of periodic reassessment activities?
Open an interactive chat with Bash
What is a service-level agreement (SLA), and why is it not sufficient on its own for risk monitoring?