Global retailer uses the CIS Controls for Vendor Assessments

A global retail corporation that operates a chain of hypermarkets uses the CIS Controls™.

The retailer needed to quickly gain an understanding of the cybersecurity posture of new vendors who required access to sensitive data. It began using the CIS Controls within a self-assessment questionnaire completed by vendors. The retailer’s information security team analyzed the vendor responses to the questionnaire, scored the impact and likelihood of the findings, and discussed the results with the company’s vendor management office and internal business teams.

Current Vendor Assessment Framework

In addition to assessments of new vendors, the team developed a robust six-stage vendor assessment process for existing vendors, based on the ISO/IEC 27002:2013 standard and also drawing on the CIS Controls. This more extensive review of the vendor’s information security program is necessary to ensure that the vendor is capable of protecting the retailer’s sensitive data. Along with questionnaire assessments, the retailer conducts onsite assessments using its own internal assessors. The assessors have many years of experience in auditing and information security and are trained to review and analyze controls, create reports, request remediation actions, and follow up as needed before the vendor is eligible to receive the data. Vendors are required to provide evidence of compliance with security controls and to participate when the team visits their site. The team sets re-assessment timeframes based on the vendor’s level of risk to ensure continued compliance.
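The case study describes scoring questionnaire responses by impact and likelihood and then setting re-assessment timeframes by risk level, but does not give the retailer's scoring model. The following is an added illustrative example, not the retailer's or CIS's own methodology: the control names are real CIS Controls, but the impact weights, the likelihood assigned to each yes/partial/no answer, the risk thresholds and the re-assessment cadence are all assumptions constructed for this example.

```python
"""Illustrative vendor self-assessment scoring (added example, not the
retailer's actual methodology). Each questionnaire item maps to a CIS
Control; the impact weight per control, the likelihood derived from the
vendor's answer, the thresholds and the cadence are all assumptions."""

from dataclasses import dataclass

# Assumed impact weights (1 = low, 3 = high) for a handful of CIS Controls.
CONTROL_IMPACT = {
    "CIS 3 Data Protection": 3,
    "CIS 5 Account Management": 3,
    "CIS 7 Continuous Vulnerability Management": 2,
    "CIS 8 Audit Log Management": 2,
    "CIS 14 Security Awareness Training": 1,
}

# Assumed likelihood of a control gap given the vendor's self-reported answer.
ANSWER_LIKELIHOOD = {"yes": 1, "partial": 2, "no": 3}

# Assumed re-assessment cadence per risk level, in months.
REASSESS_MONTHS = {"high": 6, "medium": 12, "low": 24}


@dataclass
class Finding:
    control: str
    answer: str
    impact: int
    likelihood: int

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


def score_questionnaire(responses: dict[str, str]) -> list[Finding]:
    """Turn yes/partial/no answers into impact x likelihood findings.

    Unanswered controls and unrecognised answers are treated as 'no'
    (worst case), so a vendor cannot improve its score by leaving items
    blank. Findings are returned highest-risk first for the review meeting."""
    findings = []
    for control, impact in CONTROL_IMPACT.items():
        answer = responses.get(control, "no").strip().lower()
        likelihood = ANSWER_LIKELIHOOD.get(answer, ANSWER_LIKELIHOOD["no"])
        findings.append(Finding(control, answer, impact, likelihood))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def risk_level(findings: list[Finding]) -> str:
    """Rate the vendor by its single worst finding (assumed thresholds:
    a max risk of 6 or more is high, 4 or more is medium, else low)."""
    worst = max(f.risk for f in findings)
    if worst >= 6:
        return "high"
    if worst >= 4:
        return "medium"
    return "low"


def reassessment_interval(findings: list[Finding]) -> int:
    """Months until the vendor is re-assessed, driven by its risk level."""
    return REASSESS_MONTHS[risk_level(findings)]


# Constructed sample responses from a hypothetical vendor; CIS 14 is
# deliberately left unanswered to show the worst-case default.
SAMPLE_RESPONSES = {
    "CIS 3 Data Protection": "yes",
    "CIS 5 Account Management": "partial",
    "CIS 7 Continuous Vulnerability Management": "no",
    "CIS 8 Audit Log Management": "yes",
}

if __name__ == "__main__":
    findings = score_questionnaire(SAMPLE_RESPONSES)
    for f in findings:
        print(f"{f.control:45} answer={f.answer:8} risk={f.risk}")
    print("vendor risk level:", risk_level(findings),
          "-> re-assess in", reassessment_interval(findings), "months")
```

Rating the vendor by its single worst finding, rather than by an average, is a deliberate choice: one unmanaged control that touches sensitive data is enough to block data access until remediation, which is the gating behaviour the case study describes.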

Commitment to Cybersecurity

Interestingly, the retailer also uses the same methodology to review and assess its own markets globally. Annual visits to each market ensure that the market is continually improving its information security posture. Both the ISO standard and the CIS Controls are an important part of this effort.