Vendor Risk Mgmt
Assess, monitor, and manage security risks from third-party vendors and service providers.
7 of 9 frameworks cover this control
Framework Mappings
How Vendor Risk Mgmt maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | GV.SC-01 GV.SC-03 GV.SC-06 |
| ISO 27001 | Covered | A.5.19 A.5.20 A.5.21 A.5.22 |
| CIS v8 | Not Covered | — |
| SOC 2 | Covered | CC9.2 CC3.2 |
| PCI DSS | Covered | 12.8.1 12.8.2 12.8.3 12.8.4 12.8.5 |
| CMMC | Not Covered | — |
| 800-53 | Covered | SA-9 SR-6 PM-30 |
| HIPAA | Covered | §164.308(b)(1) §164.314(a)(1) §164.314(a)(2)(i) |
| GDPR | Covered | Art.28(1) Art.28(2) Art.28(3) |
About Vendor Risk Mgmt
Vendor Risk Mgmt is a cybersecurity control in the Govern domain. Vendor risk management provides a structured approach to evaluating, onboarding, and continuously monitoring the security practices of third-party vendors, suppliers, and service providers that handle organizational data or have access to systems. The program should include standardized security assessment questionnaires; review of SOC 2 reports and ISO 27001 certifications, checking that the report or certificate actually covers the services in use, the audit period is current, and (for SOC 2) that it is a Type II report covering operating effectiveness rather than a point-in-time Type I; contractual security requirements including right-to-audit clauses and a clear split of which security obligations the vendor owns versus the organization (which PCI DSS 12.8.5 and GDPR Art.28 require to be written down); and ongoing monitoring through security rating services or periodic reassessments, with the reassessment cadence tied to the vendor's risk tier. As organizations increasingly rely on third-party services, vendor risk management has become essential for maintaining security across the extended enterprise and for satisfying compliance requirements under frameworks such as SOC 2, PCI DSS, and ISO 27001.
This control is recognized by 7 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, and GDPR. It is not covered by CIS v8 or CMMC, representing a potential gap for organizations relying solely on those frameworks.