Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: SOC 2 CC9.2 (vendor risk management); ISO/IEC 27001 A.5.19–A.5.22. Implements the Third-Party Management Policy.
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: SOC 2 CC9.2 (vendor risk management); ISO/IEC 27001 A.5.19–A.5.22. Implements the Third-Party Management Policy.
When to run an assessment
A vendor risk assessment is required before:- Sharing or transmitting Confidential data to a third party.
- Granting a third party access to Neuroscale production systems or networks.
- Entering into a contract that involves processing customer data.
Process
- Intake. Requestor opens a vendor request via the Vendor Risk Assessment intake form. Captures: vendor name, purpose, data accessed, integrations, contract value.
- Tiering. Security tiers the vendor — High / Medium / Low — based on data sensitivity and integration depth.
- Diligence.
- High — full questionnaire (SIG Lite or equivalent), SOC 2 / ISO 27001 review, data-processing addendum (DPA), penetration-test summary if available.
- Medium — SOC 2 review, DPA where personal data is involved.
- Low — review of public trust page; minimal documentation.
- Approval. the CISO and CFO approve before contract signature.
- Onboarding. IT provisions integration; vendor is added to the Vendor Inventory.
- Re-review. High-tier vendors are re-reviewed annually; medium-tier every 2 years.
Annual re-review — evidence format
The annual re-review for High-tier (and 2-yearly re-review for Medium-tier) vendors produces a structured Vendor Annual Review Note committed to the SharePoint vendor-evidence folder for that vendor and linked from the vendor’s row in the Vendor Inventory. At minimum the note records:| Element | What goes here |
|---|---|
| As-of date | Date the review was completed. |
| Reviewer | Name and role (CISO for High-tier; designated reviewer for Medium-tier). |
| Vendor + service description | One-line refresh — confirm the vendor’s stated service still matches Neuroscale’s use, and that Neuroscale’s use has not expanded into a higher tier since onboarding. |
| Refreshed attestation | Date and version of the latest SOC 2 Type II report (or ISO/IEC 27001 certificate, or ISO/IEC 27701 / 27017 / 27018 as applicable). For SOC 2: bridge letter accepted only if the gap is ≤90 days and the next report is in scope. If no refreshed attestation is available, document the alternative (security questionnaire response, customer audit right exercised, executive memo). |
| Sub-processor reconciliation | Diff between Neuroscale’s last-recorded sub-processor list for this vendor and the vendor’s current sub-processor list. New sub-processors are flagged for GC review against the Data Management Policy and the customer-facing subprocessor list. |
| Material changes | Ownership, breach, regulator action, change of control, exit from a market, change of data-residency offering, change to standard contract terms — anything in the trailing 12 months that could change Neuroscale’s risk posture. |
| Open security questionnaire items | Items that the vendor did not answer or that warrant follow-up; tracked in Linear. |
| Financial-health check | For business-critical vendors (those in the RTO/RPO Matrix or named in the Business Continuity & DR Policy as a single point of failure): a brief note on funding, ownership, and any going-concern signal. For non-critical vendors, this is “N/A — non-critical.” |
| Incident history | Any vendor-side incident in the trailing 12 months that affected Neuroscale data, with link to the corresponding Neuroscale incident record where applicable. |
| Contract / commercial status | DPA / MSA still on terms; renewal date; any contract-clause change requested or accepted in the period. |
| Penetration-test summary | Vendor’s latest pen-test summary or attestation, if provided. Where not provided, document the alternative reliance (SOC 2 narrative coverage of pen-testing, customer audit right). |
| Personnel-screening reliance | Where the vendor’s personnel touch Neuroscale data or systems under sub-category 3 (vendor-employed personnel with temporary access) of Background Checks → Contractor and third-party screening, confirm the vendor’s SOC 2 / ISO 27001 narrative still covers personnel screening at a level consistent with Neuroscale’s tier requirements. Where the vendor provides a reliance letter for named individuals (sub-category 2 / 4 pattern), confirm the letter is current and retained in this entry. |
| Tier confirmation or change | Confirm the existing tier is still appropriate, or upgrade / downgrade with rationale. |
| Conclusion | ”Continue without changes” / “Continue with action items” / “Re-tier” / “Wind down”. |
| Sign-off | CISO for High-tier; designated reviewer + CISO acknowledgement for Medium-tier. |
Documentation kept on file
- Signed agreement (MSA / DPA / SOW).
- Latest SOC 2 / ISO 27001 / equivalent attestation.
- Completed security questionnaire.
- Tier rationale and approval.
- Vendor Annual Review Note for each completed annual / 2-yearly re-review (structure above).
Vendor inventory
The current vendor inventory lives at the Vendor Inventory page (mirrored to Vanta for continuous monitoring).Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |