On October 9, CORL is releasing a new feature.
Clients will now have the option to accept a security certification (sec cert) from a vendor in lieu of completing an assessment questionnaire. This provides a streamlined process for both clients and vendors.
Third Party Risk Management Strategy
With the rapid increase in the number of, and dependence on, outside vendors, the typical third party risk management (TPRM) program is facing increased pressure to complete security risk assessments on their vendors and get them onboarded quickly.
To scale TPRM operations to meet this demand, it’s critical to be strategic about how you assess your vendor portfolio. Keep in mind that you not only have an onslaught of new vendors entering the organization for the first time, but also a host of vendors that should be re-assessed on a regular basis, and possibly a backlog of vendors who were onboarded without ever having been assessed.
It’s not feasible, or even necessary, to put all these vendors through a lengthy assessment process. Instead, a more strategic approach involves relying on validated security certifications as a means for bypassing the more traditional, and less effective, assessment questionnaire.
“SecCert in Lieu of a Full Assessment” is an approach that can be effectively incorporated into a TPRM program’s strategy for assessing its vast vendor population. Consider bypassing a full assessment and accepting a valid security certification in instances such as:
- Low to moderate inherent risk vendors where there is limited data sharing with the third party.
- Vendors with higher levels of inherent risk that are not “mission critical” and affect a limited number of users (i.e., department- or facility-based solutions; non-enterprise-wide solutions).
- Vendors that have previously demonstrated a strong level of security in prior assessments (i.e., vendors with low to medium likelihood scores being re-assessed as part of a periodic monitoring process).
You’ll want to determine which security certifications or attestations carry the level of rigor that is appropriate for your organization, as not all cover the same scope; check that the certified scope actually includes the product or service the vendor provides to you. And remember to ensure that the vendor is keeping up with their security by having their security cert renewed rather than letting it expire.
Accepting Sec Certs
If you would like to accept sec certs in lieu of questionnaires as part of your TPRM strategy, the first step is to contact your CXM and ask to have the feature activated. Note that there is no additional charge, but the feature is turned off by default.
Let your CXM know if you would like to always accept sec certs or if you would like to have the option to make this decision when you create an assessment request. Also let your CXM know which certifications you would like to accept:
- HITRUST e1
- HITRUST i1
- HITRUST r2
- ISO27001 (2013)
- ISO27001 (2022)
- SOC 2 Type 2
You can also submit a ticket if you prefer. For more information, see Obtain Support.
Submit an Assessment Request
If you opted to determine whether to accept a sec cert when you submit the assessment request, you'll see an additional option.
- Request an assessment.
- In Security Certification, select Yes if you want to allow the vendor to submit a security certification in lieu of completing a questionnaire.
- Complete the assessment request.
- On the last page of the assessment request, there is a new section Accept Security Certification in Lieu of Questionnaire that displays which sec certs you accept.
- CORL will follow the normal process to submit the request to the vendor.
- The vendor will follow a new process to submit the sec cert instead of completing a questionnaire.
- CORL will follow the normal process to create the Executive Summary.
View the Executive Summary
If you opted to accept sec certs, you can view the certifications the vendor submitted in the Executive Summary.
- View the Executive Summary.
- Click Results and review the Security Certification.