
Essential Security Checks Before Signing a Vendor Contract

Author: Jerisaliant

Due Diligence Before Commitment

Once a vendor contract is signed, your leverage to demand security improvements drops significantly. Pre-contract due diligence is your best opportunity to assess whether a vendor meets your security requirements and to negotiate necessary controls into the agreement. Skipping this step and discovering security deficiencies after onboarding costs far more to remediate.

Security Certifications and Compliance

Request and verify current certifications:

  • SOC 2 Type II: Demonstrates that the vendor's controls have been tested and found to operate effectively over a review period (typically 6-12 months). Prefer Type II over Type I, which only evaluates control design at a point in time. Read the full report rather than the cover letter: check which Trust Services Criteria are in scope, note any exceptions the auditor recorded and how the vendor responded, and if the review period ended several months ago, ask for a bridge letter covering the gap.
  • ISO 27001: International standard for information security management systems. Check the certificate scope and the Statement of Applicability to ensure they cover the services and locations relevant to your engagement.
  • PCI DSS: Required if the vendor stores, processes, or transmits payment card data on your behalf. Ask for the current Attestation of Compliance (AOC) rather than accepting a general claim of being "PCI compliant".
  • HITRUST: Relevant for healthcare data processing.
  • CSA STAR: For cloud service providers.

Certifications are a starting point, not a guarantee. They complement, not replace, your own assessment.

Penetration Testing

Request the vendor's most recent penetration test report (or at minimum, an executive summary). Look for:

  • When was the test conducted? (Should be within the last 12 months)
  • Who conducted it? (A reputable, independent firm, not only the vendor's internal team)
  • What was in scope? (The systems and application components you will actually use)
  • Were critical or high-severity findings identified?
  • Have findings been remediated, and was the remediation retested?

Business Continuity and Disaster Recovery

  • Does the vendor have a documented BCP/DR plan?
  • How often is it tested?
  • What are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
  • Does the vendor maintain geographically diverse backups?

Data Handling Practices

  • Encryption: Is data encrypted at rest and in transit? Which algorithms and protocol versions are used, and who controls the keys?
  • Access controls: How is access to your data managed? Is it role-based with least privilege, and is access logged and reviewed?
  • Data location: Where is data stored geographically, including backups? Does this comply with your data residency requirements?
  • Sub-processors: Does the vendor use sub-processors? Who are they, what data do they receive, and will you be notified before new ones are added?
  • Data return/deletion: What happens to your data when the relationship ends? Will it be returned in a usable format, and will deletion (including from backups) be certified?

Incident Response Capabilities

  • Does the vendor have a documented incident response plan?
  • What is the notification timeline for security incidents affecting your data, and is it written into the contract rather than left to policy?
  • Will the vendor provide forensic analysis and root cause reporting?

Financial Stability

A vendor that goes bankrupt may be unable to maintain security controls or facilitate orderly data return. Assess financial health through public filings, credit reports, or financial statements provided under NDA.

Red Flags

  • Vendor refuses to share security documentation under NDA
  • No independent security certifications
  • No penetration testing or testing older than 2 years
  • No documented incident response plan
  • Data stored in jurisdictions without adequate data protection

Jerisaliant's TPRM module includes pre-contract assessment templates, automated evidence collection, and risk scoring that summarizes vendor readiness before contract execution.
