Third-Party Risk Management ISO 27001 Application

Third-Party Risk Management

Assess vendors’ information security postures


If you are concerned about how your third parties will handle your data, this Application is for you. Risk Cloud’s Third-Party Risk Management: ISO 27001 Application provides a targeted assessment of third parties’ information security postures. By centralizing your vendor network, you can start to build vendor risk management processes that are robust, repeatable, and flexible enough to grow with your business.

How It Works

Risk Cloud’s Third-Party Risk Management: ISO 27001 Application allows you to assess your third parties using the controls listed in Annex A of ISO/IEC 27001:2013. The application records the sensitivity of the data each third party accesses and the business criticality of the service it provides; together, these two factors determine the scope of the assessment.

  • Lite assessments: If a third party is neither data sensitive nor business critical, a Lite assessment is triggered, requiring the third party to state (yes or no) whether it has implemented 20 Annex A controls.
  • Base assessments: If a third party is either data sensitive or business critical, a Base assessment is triggered, requiring the third party to state whether it has implemented 20 Annex A controls and to provide supporting evidence for each control.
  • Advanced assessments: If a third party is both data sensitive and business critical, an Advanced assessment is triggered, requiring the third party to state whether it has implemented 40 Annex A controls and to provide supporting evidence for the 20 controls that are also part of the Lite/Base assessment.

If you have an active ISO/IEC 27001:2013 license, you can also conduct a Comprehensive assessment of third parties, which will require your third parties to state whether they have implemented all 114 controls listed in Annex A for ISO/IEC 27001:2013.

Why You Need It

  • Actionable reporting: Assess and mitigate potential third-party risks by gathering and analyzing key information about vendors and suppliers.
  • Save time: Respond to and review brief questionnaires while still collecting critical information.
  • Automation: Send questionnaires and receive notifications on due dates automatically.
  • Centralized documentation: Track and store vendor assessments and information in one location for easy access.
  • Effortless collaboration: Send questionnaires to multiple external users at once and track each one’s progress.
  • Secure collaboration: Protect sensitive data and better control who can access records with one-time passcodes for external users.


Publisher: LogicGate

Date Added: 09/12/2022

Type: Applications
