Walk me through how you assess and manage third-party (vendor) risk.
Short answer
Treat vendor risk as a lifecycle, not a one-off questionnaire. Inventory your third parties and tier them by criticality and data sensitivity. Run due diligence proportional to tier — review SOC 2 / ISO 27001 reports, security questionnaires, pen-test summaries, and the data and access involved. Bake controls into the contract (security requirements, right to audit, breach notification, data handling, subprocessors). Then monitor continuously, not just at onboarding, and have a clean offboarding process to revoke access and recover or destroy data. Fourth-party (subprocessor) risk matters too.
Most breaches now have a supply-chain angle, so vendor risk management is a core GRC competency. Interviewers ask this to see whether you treat it as a living program or a once-a-year paperwork exercise.
Tier by criticality
You cannot assess every vendor with equal depth. Start with an inventory, then tier vendors by what they touch: the sensitivity of data, the access they hold, and how critical they are to operations. A payroll processor handling PII is not the same risk as a stock-photo subscription.
Proportional due diligence
Scale the rigour to the tier. For high-tier vendors, review independent assurance — SOC 2 Type II or ISO 27001 certificates, penetration-test summaries, security questionnaires (SIG/CAIQ), and their breach history. Look at the actual data flow and integration, not just the brochure.
Contract for security
The contract is where risk gets enforced. Insist on security requirements, breach notification timelines, data handling and residency, a right to audit, and visibility into subprocessors (fourth parties).
Monitor continuously
Risk doesn't freeze at onboarding. Use continuous monitoring — security ratings, breach alerts, certificate expiry, periodic reassessment — so you catch degradation between annual reviews.
Offboard cleanly
When the relationship ends, revoke access, recover or confirm destruction of data, and close out integrations. Lingering vendor access is a classic forgotten attack path.
Why this matters
A strong answer frames vendor risk as a full lifecycle and mentions fourth-party risk. That signals you understand that signing a SOC 2 PDF once is not a program.
Likely follow-ups
- How do you handle fourth-party (subprocessor) risk in a vendor's supply chain?
- What contractual clauses do you insist on for a vendor that processes sensitive data?
- How do you keep monitoring meaningful between annual reassessments?