Global retailer uses the CIS Controls for Vendor Assessments

A global retail corporation that operates a chain of hypermarkets uses the CIS Controls™.

The retailer needed a fast way to understand the cybersecurity posture of new vendors who required access to sensitive data. It began by building the CIS Controls into a self-assessment questionnaire that vendors complete. The retailer's information security team analyzed the vendor responses, scored the impact and likelihood of the findings, and discussed the results with the company's vendor management office and internal business teams.

Current Vendor Assessment Framework

In addition to assessing new vendors, the team developed a robust six-stage assessment process for existing vendors. The process is based on the ISO/IEC 27002:2013 standard and also draws on the CIS Controls. This more extensive review of the vendor's information security program is necessary to ensure that the vendor is capable of protecting the retailer's sensitive data. Along with questionnaire assessments, the retailer conducts onsite assessments using its own internal assessors. The assessors have many years of experience in auditing and information security and are trained to review and analyze controls, write reports, request remediation actions, and follow up as needed before the vendor is eligible to receive the data. Vendors are required to provide evidence of compliance with the security controls and to participate when the team visits their site. Re-assessment timeframes are set according to the vendor's level of risk to ensure the vendor remains in compliance.

Commitment to Cybersecurity

Interestingly, the retailer also uses the same methodology to review and assess its own markets globally. Annual visits to each market ensure that the market is continually improving its information security posture. Both the ISO standard and the CIS Controls are an important part of this effort.