Vendor review is a process by which an organization can understand the potential risks of utilizing a vendor’s product or service, as well as an ongoing process to ensure that quality security practices are being maintained in an ongoing fashion. A vendor review process will assess a vendor’s capacity to maintain effective and appropriate security practices and other performance elements critical to an organization’s business. Vendor review is particularly critical when vendors will have access to sensitive internal or customer data.

An organization may develop different vendor review processes for its different vendor types. Vendor reviews will address a range of areas of risk that working with the vendor could pose to an organization, including but not limited to review of a vendor’s physical environment security, organizational security, human resource security, data handling processes, asset management, and more.

Establishing and maintaining regular vendor review processes will help ensure that an organization is effectively monitoring not only its internal security processes, but the security of all the services that comprise its operational ecosystem. If vendors have access to a company’s internal or customer data, the quality of their security practices is as important as the quality of an organization’s own practices.