Vendor Management Policy Guide
Due diligence, contracts, ongoing monitoring, and offboarding for subservice organizations.
Vendor management policy template — Align vendor tiers with SOC-014 subprocessor register. High-risk vendors need SOC reports or equivalent assurance.
Recommended Owner: Security or Procurement | Finance for spend approval
Document purpose
Vendor due diligence, monitoring, and offboarding (CC9.2).
In your program: Tiers must match SOC-014 subprocessor register risk column.
Getting Started
- Enable Editing in Word; replace `[` placeholders and delete gray examples.
- Cross-check names and vendors with SOC-002, SOC-004, and Phase 1 COR policies.
Fill out the file section by section
Work through the sections below in order. Each block matches a heading or tab in the downloaded COR-008 file. After editing each section, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
1. Purpose
- Protect data shared with vendors and subprocessors.
2. Scope
- All vendors processing customer or confidential data.
3. Vendor Risk Tiers
- Critical/High/Medium/Low — same tiers as the SOC-014 Subprocessor Register.
4. Vendor Lifecycle
- Onboard → monitor → offboard; document the owner of each stage.
5. Due Diligence Checklist (Critical & High Vendors)
- SOC report, questionnaire, and DPA before production data is shared — retain them in the vendor folder.
6. Contract Requirements
- Breach notification, subprocessors, audit rights — Legal reviews.
7. Subservice Organizations
- Align carve-out/inclusive language with SOC-004 Section 7.
8. Vendor Access Standards
- Least privilege, MFA, and time-bound access for vendor users.
9. Review & Approval
- Sign and register the version in COR-013.
10. Related Documents
- SOC-014, SOC-020, and PRI-004 DPAs if the privacy kit is used.
11. SOC 2 Mapping
- CC9.2 — update if the vendor program changes.
Before You Finalize
- Tier definitions match SOC-014.
- SOC report collection cadence stated.
Where to Store It
- Store the completed file in your compliance evidence folder (signed PDF for policies).
- Register the document in COR-013 with version, owner, and next review date.
- Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.