Each contract is unique. But what often works as a starting point from the it-audit/InfoSec point of view is the language as: „… completed or exceeds controls in our latest InfoSec program. In this way, the vendor process as an extension of your process is imposed as well as what you have internally. To go further, some third parties are actually relocating some of their own projects to additional resources. If it`s a shock, don`t worry. It is common practice for suppliers to do so without the consent or knowledge of the company for which they work. However, this is an essential part of the management of third-party agreements. First, you get your team on the same page. This means that inter-Geneva stakeholders in public procurement, information TECHNOLOGY, finance and executives will be organized, to which suppliers – and, of course, data protection officers – will be organized to assist in the implementation and review of new third-party agreements.

Next, identify the critical risk categories on which you assess new third parties: strategic, reputational, operational, financial, compliance, security and/or fraud. Since I have both an audit background and a computer security background, I am often busy helping clients solve contractual problems. The activities lenders do for your contract organization extend your internal processes. Thus, your contracts can affect ISO 27001 certification, compliance with legislation, business continuation, etc., not to mention your InfoSec position. I often check contracts that don`t have security or data protection rules. In other words, the customer gives his data to the supplier and assumes that he knows what he is doing. No level of service or other parameter is contractually defined. After these standard provisions have been established, they can be included in different agreements or used with the checklist to evaluate supplier agreements. In your vendor agreements, the following topics are recommended: The first step in this process is the creation and updating of a continuous sheet inventory of updates and data protection and security requirements. You can then use this database to perform a similar scan of each of your lender contracts. They should look at certain terms of the contract and certain data processing agreements (DPAs) under contracts. If you are a company where there is no credit rating and monitoring process, you are not alone.

Even if you`ve created these items, they may be completed and managed in Excel tables. Worse, you probably use a unique approach to analyze each vendor. This hidden danger? Third-party agreements.