15.5: Assess Service Providers
Control is new to this version of the control set.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]