
Capability
Third-Party Assessment Engagement

Periodically conduct an assessment engagement of each third party to gain privileged visibility into its risk management program. Tune the assessment plan based on third-party inherent risk and known strengths and weaknesses.

What

Periodically execute a privileged-access assessment of each third party. Tune the assessment plan based on third-party inherent risk and known strengths and weaknesses.

Why

Privileged-access assessments provide a comprehensive understanding of the security risk management program from which you can best measure risk exposure and prescribe recommendations for tactical and systemic performance improvement.

How

Prepare for the assessment by reviewing prior assessments and continuous surface assessment data. Familiarize yourself with the organization’s IT profile, including hosting providers, hosting geo-locations, and technology stack. Modify the assessment plan to go deep into areas of control weakness and back off on areas of strength.

Use the third-party representations to understand how they have invested in risk-management people, processes, and technology. Use the objective continuous surface assessment data to learn how well they have implemented and are operating their risk-management program. Also, use the surface assessment data to validate third-party claims, calling out technical gaps and identifying root-cause issues.

Practice                                                                                        Status      Adoption
Conduct third-party enterprise assessments according to established standards and methodology.  Common      90%
Discuss the status of open issues from previous assessments with the third party.               Common      80%
Adjust the assessment plan based on the results of prior third-party assessment engagements.    Common      53%
Adjust the assessment plan based on the continuous surface assessment results.                  Pioneering  17%