CIS Control 15.6: Monitor Service Providers
Your service providers are extensions of your security posture—yet many organizations monitor them only at contract renewal. CIS Control 15.6 requires continuous monitoring to catch vulnerabilities, track security updates, and identify emerging threats. This control is essential for SMBs that rely on third-party vendors but lack dedicated vendor risk teams.
What this means
Monitor service providers on an ongoing basis according to a documented service provider management policy. This includes periodic reassessment of vendor classification (critical vs. non-critical), tracking release notes and security patches from key providers, and monitoring dark web sources for threats targeting your vendors or supply chain. The goal is to detect and respond to vendor-side incidents before they impact your organization.
How to comply
- 1.Document a service provider management policy that defines monitoring scope, frequency, and responsibilities for each vendor tier
- 2.Create a inventory of all active service providers and classify them by risk level (critical, important, standard)
- 3.Establish a process to regularly review vendor security certifications, compliance status, and audit reports
- 4.Subscribe to vendor release notes and security advisory channels for critical and important providers
- 5.Monitor dark web sources and threat intelligence feeds for mentions of your vendors or exploits targeting their products
- 6.Conduct periodic reassessment of service provider classifications as your business and their services evolve
- 7.Document all monitoring activities, findings, and remediation actions taken in response to vendor security issues
- 8.Review vendor monitoring results during management reviews and board reporting
Evidence auditors look for
- Service provider inventory with risk classifications and monitoring schedules
- Documented service provider management policy covering monitoring requirements
- Evidence of vendor security assessment results or SOC 2 reports reviewed
- Screenshots or logs from dark web monitoring tools showing surveillance of vendors
- Vendor release note tracking records (emails, tickets, or monitoring tool exports)
- Remediation tickets or incident reports triggered by vendor security findings
- Service provider reassessment documentation showing updated classifications
- Management meeting minutes discussing vendor risk monitoring findings
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vendor monitoring by centralizing release note tracking, security assessment scheduling, and dark web alert management—turning fragmented email subscriptions and manual checks into a single compliance dashboard that documents every vendor review for auditors.
See how GRCWatch handles this control automatically
Start free trial