CIS Control 15.5: Assess Service Providers
Service providers represent a critical attack surface for your organization. CIS Control 15.5 requires you to systematically assess vendors and recertify them annually to ensure they meet your security and compliance standards. This control is foundational to vendor risk management and helps prevent supply chain breaches.
What this means
You must evaluate all service providers against a documented assessment policy that defines scope based on data classification and vendor risk tier. Assessments can leverage standardized reports like SOC 2 Type II and PCI Attestation of Compliance (AoC), or CSP-provided security assessments. At minimum, you must recertify every service provider annually to confirm they maintain baseline security controls and haven't introduced new risks.
How to comply
- 1.Document a service provider assessment policy that defines scope, frequency, and criteria based on data classification and vendor criticality
- 2.Classify service providers into risk tiers (critical, high, medium, low) and assign assessment requirements accordingly
- 3.Request standardized security reports from vendors (SOC 2 Type II, ISO 27001, PCI AoC) or conduct custom assessments for high-risk providers
- 4.Review assessment reports for control gaps, remediation timelines, and compensating controls
- 5.Schedule annual recertification reviews 30–60 days before vendor contract renewals
- 6.Document all assessments in a vendor risk register with pass/fail decisions and remediation tracking
- 7.Establish a process to re-assess vendors after significant security incidents or control failures
Evidence auditors look for
- Service provider assessment policy with defined scope and risk-based evaluation criteria
- SOC 2 Type II, ISO 27001, or PCI DSS attestation reports from critical vendors
- Vendor risk register documenting assessment dates, control findings, and remediation status
- Annual recertification sign-offs confirming vendor compliance within the past 12 months
- Assessment questionnaires completed by vendors with responses mapped to control requirements
- Incident logs showing vendors re-assessed after security events or control failures
- Contract addendums or amendments requiring vendors to maintain security certifications
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vendor assessment scheduling, tracks SOC 2 and attestation report expiration dates, and flags vendors due for annual recertification—eliminating manual spreadsheet tracking and ensuring no vendor falls through the cracks.
See how GRCWatch handles this control automatically
Start free trial