What is a vendor assessment program?

A vendor assessment program is an organization’s process of reviewing vendor security practices in order to ensure information is properly protected. The program will create vendor security requirements and evaluate vendor security by requesting vendor third-party security reports (such as SOC 2 or ISO 27001).

If a vendor does not yet have any security reports, an organization may ask the vendor to fill out a vendor risk assessment to better understand the vendor’s information security practices, such as access control, asset management, cryptography, and more.