Monitoring External Parties

Monitoring External Parties

Signing a strong contract is necessary but not sufficient. CISM treats third-party assurance as a lifecycle, and the most-missed idea is that risk does not stop at onboarding. A vendor that was secure at signing can degrade — change owners, move data offshore, drop a certification, or get breached. Continuous monitoring, proportional to the vendor's risk tier, is the management answer.

Risk-tier your vendors

You cannot monitor every supplier equally; effort must follow risk, not headcount. Tier by the sensitivity of data accessed and the criticality of the service:

Reading independent attestations

CISM expects you to know what assurance artifacts actually prove:

• A SOC 2 Type II report (AICPA Trust Services Criteria) tests whether controls operated effectively over a period — typically 6 to 12 months. This is the strongest routine evidence.
• A SOC 2 Type I report is only a point-in-time opinion on control design; it does not prove the controls worked.
• An ISO/IEC 27001 certificate shows a certified Information Security Management System but is not a controls-testing report.
• A SOC 1 report concerns financial-reporting controls, not security — a frequent distractor.

When a report shows a qualified opinion or a relevant exception, the CISM action is to map that exception to your risk and require a remediation plan, not to accept the certificate at face value.

Metrics that reach the board

Management monitors with Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs), reporting exceptions rather than raw data:

• Percentage of Tier 1 vendors with a current, clean SOC 2 Type II.
• Number of overdue vendor remediation items past SLA.
• Mean time to receive breach notification from vendors versus contractual maximum.
• Count of vendors using unapproved sub-processors.

Worked scenario

A critical vendor's annual SOC 2 Type II arrives with an exception in change management. A weak answer terminates the contract immediately or ignores the exception because the certificate exists. The CISM answer assesses the exception's relevance to the data the vendor handles, requires a time-bound remediation plan with evidence, and escalates only if the residual risk exceeds the enterprise's risk appetite.

Common traps

• Treating onboarding due diligence as the whole program (no continuous monitoring).
• Accepting a SOC 2 Type I or a SOC 1 as proof that security controls operate.
• Reporting raw vulnerability-scan counts to executives instead of risk-framed exceptions.
• Forgetting the exit phase: monitoring includes verifying data return/destruction when the relationship ends.

Concentration and fourth-party risk

Continuous monitoring must look beyond the direct vendor. Concentration risk arises when many critical services depend on the same provider or the same underlying infrastructure — if one cloud region or one payment processor fails, multiple business functions stop at once. The CISM tracks these dependencies so the board understands that diversification, not just per-vendor controls, may be the right treatment. Fourth-party risk is the same problem one level down: your vendor's vendors.

Monitoring includes confirming that approved sub-processors have not changed without notice and that breach notifications cascade up the chain to you within the contractual window.

Triggers for re-assessment

Monitoring is not only calendar-driven. A CISM defines event triggers that force an out-of-cycle review: a publicly reported breach at the vendor, a merger or acquisition, a change of data-hosting location, loss of a relied-upon certification, or a material change in the service scope. Treating monitoring as purely annual is a trap; a vendor breached in month three should not wait until month twelve for the next review.

Building the third-party inventory

None of this works without a complete, current third-party inventory that records each vendor, the data and systems they touch, their risk tier, the responsible business owner, and the assurance evidence on file. Shadow vendor relationships — services procured by business units without security review — are the blind spot that breaks the program, which is why discovery and a mandatory intake process are core monitoring controls, not optional paperwork.

The exam also expects you to distinguish assurance from enforcement. Monitoring tells you whether a vendor is meeting its obligations; the contract's right-to-audit, breach-notification, and termination clauses are what let you act when it is not. A program that detects a problem but lacks contractual leverage to compel remediation is incomplete, which is why monitoring and contracting are designed together.

When a question asks how a manager should respond to a monitoring finding, the strongest answer ties the technical observation to a contractual obligation, requires evidence-backed remediation within a defined window, and escalates to the accountable business owner and the risk committee if the residual risk breaches the enterprise's stated appetite rather than quietly accepting the gap or reacting only after an incident becomes public.