CIS Controls 15.3: Classify Service Providers
Service provider risk management starts with classification. CIS Controls 15.3 requires you to categorize third parties based on data sensitivity, availability needs, and regulatory exposure—then review those classifications annually or when business changes occur. This systematic approach prevents treating all vendors equally and focuses your security efforts where they matter most.
What this means
Classification transforms vendor management from reactive to strategic. You must evaluate each service provider across multiple dimensions: how sensitive the data they access is, how much data volume they handle, your operational dependence on their availability, which regulations apply to their role, and both inherent and mitigated risk levels. This creates a clear tier system—critical vendors receive deeper scrutiny than commodity service providers. Classifications must stay current; annual reviews are mandatory, and immediate reassessment is required whenever significant organizational changes (like new integrations, system migrations, or regulatory shifts) could alter risk profiles.
How to comply
- 1.Identify all active service providers across your organization, including SaaS vendors, consultants, managed service providers, and infrastructure partners
- 2.Define classification criteria aligned with your business: data sensitivity levels, data volume thresholds, availability criticality, applicable regulations (HIPAA, PCI-DSS, GDPR), and risk scoring methodology
- 3.Assign each service provider to a classification tier (e.g., Critical, High, Medium, Low) based on your defined criteria
- 4.Document the rationale for each classification, including which characteristics drove the assessment
- 5.Establish an annual review calendar to reassess all service provider classifications
- 6.Create a trigger-based reassessment process for major enterprise changes: new regulations, system migrations, acquisition/divestiture activity, or vendor scope changes
- 7.Maintain a centralized register of all service providers with current classifications and last review date
- 8.Use classifications to inform vendor due diligence scope, contract requirements, and ongoing monitoring intensity
Evidence auditors look for
- Documented service provider inventory with classification tier assignments
- Classification methodology and criteria definition document
- Risk assessment worksheets showing data sensitivity, volume, availability, and regulatory mapping for each vendor
- Annual classification review records dated and approved by management
- Change log documenting when vendors moved between classification tiers and the reason
- Vendor management policy referencing classification requirements and review cadence
- Contract templates with service level and security requirements tiered by classification level
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates service provider classification workflows with pre-built risk matrices, centralizes vendor assessments and review dates, and triggers reassessment reminders for annual cycles and material business changes—eliminating manual tracking and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial