Artifacts are third-party risk management documents requested from the third party being assessed. Artifacts cover the following categories of vendor risk:
Audits
- Application Scan (App Scan)
- Audited Financial Statements
- Compliance Guide
- General Security Audit
- MDS2
- Network Vulnerability Scan
- Penetration Test (Pen Test)
- Standard Due Diligence Packet
- Unaudited Financial Statements
Certifications
- AirCyber
- Cyber Essentials
- Cyber Essentials Plus
- Criminal Justice Information Services (CJIS)
- Cloud Computing Compliance Controls Catalog (C5)
- CREST
- CSA Star Level 1
- CSA Star Certification
- DoD Information Assurance Certification and Accreditation Process (DIACAP)
- Department of Defense (DoD) Cloud Security Model (SRG)
- ENS (Spain Esquema Nacional de Seguridad)
- EU-US Privacy Shield
- Federal Risk and Authorization Management Program (FedRAMP)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Processing Standard (FIPS) 140-2
- Federal Information Security Management Act (FISMA)
- GxP
- Health Insurance Portability and Accountability Act (HIPAA)
- HITRUST CSF
- Information Security Registered Assessors Program (IRAP)
- ISA/IEC 62443
- Information system Security Management and Assessment Program (ISMAP), Japan
- ISO 14001:2015
- ISO 27017
- ISO 27032:2021
- ISO/IEC 27701:2019
- ISO 13485
- ISO 20000
- ISO 22301
- ISO 27001
- ISO 27018
- ISO 9001
- ISO/IEC 42001:2023
- US International Traffic in Arms Regulations (ITAR)
- IT-Grundschutz
- Motion Picture Association of America (MPAA)
- Multi-Tier Cloud Security (MTCS)
- NAID AAA Certification
- National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard (PCI DSS)
- SOC-1 / ISAE 3402 - Type I
- SOC-1 / ISAE 3402 - Type II
- SOC-2 - Type I
- SOC-2 - Type II
- SOC-3
- Swiss-US Privacy Shield
- TrustArc Privacy Certification
Insurance
- Business Automobile Liability
- Business Interruption
- Commercial Crime Insurance
- Commercial General Liability
- Cyber Liability / Data Privacy
- Directors and Officers Insurance
- Errors and Omissions Liability
- Fidelity Bond
- Statutory Workers Compensation
Questionnaires
- AWS Questionnaire
- CAIQ Lite v3.0.1
- CAIQ v3.0.1
- CAIQ v3.1
- CAIQ v4
- CAIQ v4 - Japan Regional Translation
- CAIQ v4 - SSRM Control
- CIS - Critical Security Controls V6
- CIS - Security Controls V7
- CIS - Security Controls V8
- CMMC Level 1, 2, 3 Assessment
- Essential 8 Maturity Level 1, 2, 3
  - The Essential Eight was designed by the Australian Signals Directorate (ASD) to protect organizations' internet-connected information technology networks. Assessments against the Essential Eight are conducted using the Essential Eight Maturity Model. This maturity model describes three target maturity levels (Maturity Level 1 to 3), which are based on mitigating increasing levels of adversary tradecraft and targeting.
- Google MVSP 2.0
- HECVAT Full v2.11
- HECVAT Lite 3.06
  - A streamlined version of the Higher Education Community Vendor Assessment Toolkit (HECVAT) developed by EDUCAUSE. It is designed to help higher education institutions evaluate the security and privacy practices of third-party vendors. The Lite version focuses on core security and privacy questions, making it quicker and easier for vendors to complete and for institutions to assess. It aims to ensure that vendors meet essential security standards, thereby helping institutions protect sensitive data and comply with relevant regulations.
- ISO 27001:2022
  - An internationally recognized standard for information security management systems (ISMS). This standard provides guidance for organizations of any size and sector to manage risks related to the security of data, ensuring that best practices and principles are followed. ISO 27001 is crucial for helping organizations become risk-aware, identify and address vulnerabilities proactively, and maintain cyber-resilience and operational excellence in the face of rising cyber threats.
- ISO27001 OPTIV
- Log4j Vulnerability Impact Questionnaire
- LS-ISAO MSR Assessment Questionnaire
- NATF Energy Sector Supply Chain Risk
  - The NATF Energy Sector Supply Chain Risk Assessment V.5 is designed to identify, assess, and mitigate risks within the supply chain of the energy sector. It evaluates supplier vulnerabilities, cybersecurity, and compliance with industry standards, aiming to enhance the stability and resilience of the energy infrastructure.
- NIS2 CyberFundamentals - Assurance Level Basic, Important, Essential
  - The NIS2 CyberFundamentals assessment is built around the CyFun® framework, developed by the Centre for Cybersecurity Belgium to align with the NIS2 directive. It aims to protect data and reduce the risk of common cyber-attacks by leveraging well-established standards such as NIST, ISO 27001, and CIS Controls, together with historical threat data. Depending on the assurance level (Basic, Important, or Essential), a tailored assessment is provided to ensure appropriate cybersecurity measures.
- NIST CSF 2.0
  - The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF) and released NIST CSF 2.0 to help all organizations achieve their cybersecurity goals, with added emphasis on governance and supply chains. The 2.0 edition is designed for all audiences, industry sectors, and organization types, from the smallest schools and nonprofits to the largest agencies and corporations, regardless of their degree of cybersecurity sophistication.
- OPTIV CCPA Readiness Assessment
- OPTIV GDPR Compliance
- OPTIV NIST CSF
- OPTIV Pandemic Readiness 2020
- OWASP Top 10 Application Security Risks 2017
- OWASP Top 10 Application Security Risks 2021
- BITS SIG Core 2020
- BITS SIG Lite 2020
- SIG Core 2021-2024
- SIG Core 2023-2025
  - The Shared Assessments Standardized Information Gathering (SIG) Core 2025 questionnaire is designed to evaluate third parties that store or manage highly sensitive or regulated information, such as payment card data or genetic information. It provides a deeper understanding of how a third party secures its information and services. The 2025 version includes 755 questions.
- SIG Lite 2021-2024
- SIG Lite 2023-2025
  - The Shared Assessments Standardized Information Gathering (SIG) Lite 2025 questionnaire is designed to provide a broad but high-level understanding of a third party's internal information security controls. The SIG Lite is for organizations that need a basic level of assessment due diligence. It can also be used as a preliminary assessment before a more detailed review. The 2025 version includes 128 questions.
- January 23, 2025: Added AirCyber and ISO/IEC 42001:2023 certifications, SIG Lite 2023-2025 and SIG Core 2023-2025 questionnaires.
- September 24, 2024: NIS2 CyberFundamentals added to questionnaires.
- August 5, 2024: NATF Energy Sector Supply Chain Risk added to questionnaires.