Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: SOC 2 CC9.2 (vendor risk management); ISO/IEC 27001 A.5.19–A.5.22. Implements the Third-Party Management Policy.
The operational procedure that implements the Third-Party Management Policy.

When to run an assessment

A vendor risk assessment is required before:
  • Sharing or transmitting Confidential data to a third party.
  • Granting a third party access to Neuroscale production systems or networks.
  • Entering into a contract that involves processing customer data.
For low-risk vendors (no Confidential data, no production access, public information only), a lightweight review is sufficient.

Process

  1. Intake. Requestor opens a vendor request via the Vendor Risk Assessment intake form. Captures: vendor name, purpose, data accessed, integrations, contract value.
  2. Tiering. Security tiers the vendor — High / Medium / Low — based on data sensitivity and integration depth.
  3. Diligence.
    • High — full questionnaire (SIG Lite or equivalent), SOC 2 / ISO 27001 review, data-processing addendum (DPA), penetration-test summary if available.
    • Medium — SOC 2 review, DPA where personal data is involved.
    • Low — review of public trust page; minimal documentation.
  4. Approval. the CISO and CFO approve before contract signature.
  5. Onboarding. IT provisions integration; vendor is added to the Vendor Inventory.
  6. Re-review. High-tier vendors are re-reviewed annually; medium-tier every 2 years.

Annual re-review — evidence format

The annual re-review for High-tier (and 2-yearly re-review for Medium-tier) vendors produces a structured Vendor Annual Review Note committed to the SharePoint vendor-evidence folder for that vendor and linked from the vendor’s row in the Vendor Inventory. At minimum the note records:
ElementWhat goes here
As-of dateDate the review was completed.
ReviewerName and role (CISO for High-tier; designated reviewer for Medium-tier).
Vendor + service descriptionOne-line refresh — confirm the vendor’s stated service still matches Neuroscale’s use, and that Neuroscale’s use has not expanded into a higher tier since onboarding.
Refreshed attestationDate and version of the latest SOC 2 Type II report (or ISO/IEC 27001 certificate, or ISO/IEC 27701 / 27017 / 27018 as applicable). For SOC 2: bridge letter accepted only if the gap is ≤90 days and the next report is in scope. If no refreshed attestation is available, document the alternative (security questionnaire response, customer audit right exercised, executive memo).
Sub-processor reconciliationDiff between Neuroscale’s last-recorded sub-processor list for this vendor and the vendor’s current sub-processor list. New sub-processors are flagged for GC review against the Data Management Policy and the customer-facing subprocessor list.
Material changesOwnership, breach, regulator action, change of control, exit from a market, change of data-residency offering, change to standard contract terms — anything in the trailing 12 months that could change Neuroscale’s risk posture.
Open security questionnaire itemsItems that the vendor did not answer or that warrant follow-up; tracked in Linear.
Financial-health checkFor business-critical vendors (those in the RTO/RPO Matrix or named in the Business Continuity & DR Policy as a single point of failure): a brief note on funding, ownership, and any going-concern signal. For non-critical vendors, this is “N/A — non-critical.”
Incident historyAny vendor-side incident in the trailing 12 months that affected Neuroscale data, with link to the corresponding Neuroscale incident record where applicable.
Contract / commercial statusDPA / MSA still on terms; renewal date; any contract-clause change requested or accepted in the period.
Penetration-test summaryVendor’s latest pen-test summary or attestation, if provided. Where not provided, document the alternative reliance (SOC 2 narrative coverage of pen-testing, customer audit right).
Personnel-screening relianceWhere the vendor’s personnel touch Neuroscale data or systems under sub-category 3 (vendor-employed personnel with temporary access) of Background Checks → Contractor and third-party screening, confirm the vendor’s SOC 2 / ISO 27001 narrative still covers personnel screening at a level consistent with Neuroscale’s tier requirements. Where the vendor provides a reliance letter for named individuals (sub-category 2 / 4 pattern), confirm the letter is current and retained in this entry.
Tier confirmation or changeConfirm the existing tier is still appropriate, or upgrade / downgrade with rationale.
Conclusion”Continue without changes” / “Continue with action items” / “Re-tier” / “Wind down”.
Sign-offCISO for High-tier; designated reviewer + CISO acknowledgement for Medium-tier.
The note is committed within 30 days of the annual due date in the vendor’s row in the Vendor Inventory. Overdue annual reviews are escalated at the next ISMS Management Review.

Documentation kept on file

  • Signed agreement (MSA / DPA / SOW).
  • Latest SOC 2 / ISO 27001 / equivalent attestation.
  • Completed security questionnaire.
  • Tier rationale and approval.
  • Vendor Annual Review Note for each completed annual / 2-yearly re-review (structure above).

Vendor inventory

The current vendor inventory lives at the Vendor Inventory page (mirrored to Vanta for continuous monitoring).

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani