Vendor Assessments are assessments performed by (potential) customers. Depending on the customer, the assessment can vary from a simple self-assessment questionnaire to a penetration test (pen test) of your application. Your own audit, by contrast, is performed by third parties.
It is important to list all your vendor assessments and keep that information in one place, so you can re-use the answers you have already provided and work efficiently.
You can also re-use a vendor assessment as a substitute for one of your annual ISMS review activities, for example:
- A privacy assessment can replace your GDPR assessment review.
- If you are lucky, a customer will perform a pen test. That is normally a very expensive exercise and can replace (parts of) your DRP – test plan, provided you obtain the scope, methodology and findings report so that it evidences the same controls your own test plan would have covered.
Make sure that you take these assessments seriously. If they lead to improvements or changes, document them in Compleye Online in the section Improvement, labelled as "vendor assessment".
Change in Interested Parties & Legal Requirements
Some corporate customers are very demanding on small details and can be stricter than the standards or regulations themselves. If you make certain improvements or changes just for a particular client, it is recommended to add them to the section Interested Parties & Legal Requirements. In this way, you will review on a yearly basis whether that improvement or change is still needed, and if you stop doing business with that customer you can delete that specific requirement.
You can always decide that a requirement benefits your operations, quality or security in general and adopt it as your own practice; in that case, you do not need to add it to the section as a client-specific requirement.