Global retailer uses the CIS Controls for Vendor Assessments

A global retail corporation that operates a chain of hypermarkets uses the CIS Controls, a set of prioritized actions that improve cybersecurity, to assess the security of prospective vendors.

The retailer needed a fast way to understand the cybersecurity posture of new vendors that required access to sensitive data before that access was granted. It began by building a self-assessment questionnaire around the CIS Controls, which each prospective vendor completes. The retailer's information security team analyzes the responses, scores each finding by impact and likelihood, and reviews the resulting risk ratings with the company's vendor management office and the internal business teams that own the relationship.

Current Vendor Assessment Framework

In addition to assessing new vendors, the team developed a six-stage assessment process for existing vendors, based on the ISO/IEC 27002:2013 control set and mapped to the CIS Controls. This more extensive review of a vendor's information security program is needed to confirm that the vendor can actually protect the retailer's sensitive data, rather than merely attest to it. Alongside questionnaire-based assessments, the retailer conducts onsite assessments using its own internal assessors. The assessors have many years of auditing and information security experience and are trained to review and analyze controls, write reports, request remediation, and follow up until issues are closed; a vendor is not eligible to receive the data until that follow-up is complete. Vendors must provide evidence that the controls are in place and participate when the team visits their site. Re-assessment intervals are set according to the vendor's risk level, so that higher-risk vendors are reviewed more frequently and continued compliance is verified rather than assumed.

Commitment to Cybersecurity

Interestingly, the retailer applies the same methodology to its own markets worldwide. Each market is visited annually to confirm that it is continually improving its information security posture. Both ISO/IEC 27002 and the CIS Controls are an important part of this effort.

About the Center for Internet Security

CIS is a forward-thinking, nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal and territorial government entities.