top of page
AdobeStock_69523090.jpeg

How to

Establish and Maintain an Inventory of Service Providers

- SafeGuard 15.1

Here's a step-by-step guide to establishing and maintaining an inventory of service providers as per the requirements in CIS Control 15 - Service Provider Management, Implementation Group 1 (IG1):

 

Step 1: Identify Relevant Service Providers:

  1. Identify all the service providers that your organization relies on for various services. These could include cloud providers, IT vendors, software-as-a-service (SaaS) providers, consultants, and any third parties that have access to your systems or data.

 

Step 2: Create a Comprehensive Inventory:

  1. Develop a central inventory system where you will document information about each service provider. This could be a spreadsheet, a database, or a specialized vendor management tool.

 

Step 3: Gather Information:

  1. For each service provider, gather the following information:

    • Name and legal entity​

    • Type of service provided (e.g., cloud hosting, managed IT services, data processing)

    • Classification of service provider (e.g., critical, non-critical)

    • Point of contact details (name, email, phone) within the service provider organization

ioioioi

Step 4: Classification of Service Providers:

  1. Classify each service provider based on their importance and potential impact on your organization's operations and data. For example, you could classify them as critical, high, medium, or low impact.

 

Step 5: Designate Enterprise Contacts:

  1. Assign an enterprise contact for each service provider. This individual will be the liaison between your organization and the service provider in case of incidents or communications.

This inventory will be a valuable resource for incident response and communication efforts.

Step 6: Document in the Inventory:

  1. Document all gathered information for each service provider in the inventory system. Include classification, point of contact details, and any special considerations.

 

Step 7: Review and Update Annually:

  1. Schedule an annual review of the inventory to ensure that all information is accurate and up-to-date.

  2. Review the inventory whenever significant changes occur within your organization or with service providers that could impact incident response.

 

Step 8: Integration with Incident Response Plan:

  1. Integrate the information from the inventory into your incident response plan. This helps streamline communication during incidents involving service providers.

 

Step 9: Communication and Notification Process:

  1. Define the process for notifying service providers in case of security incidents. Specify who within your organization is responsible for notifying the respective service provider contact.

Step 10: Testing and Drills:

  1. Conduct periodic drills or simulations to test the effectiveness of your communication process with service providers during incidents.

Step 11: Documentation and Record Keeping:

  1. Maintain records of all interactions and communications with service providers regarding incidents. This documentation is useful for post-incident analysis and compliance reporting.

 

Step 12: Continuous Improvement:

  1. Regularly update the inventory as new service providers are onboarded or existing ones change their services. This ensures that you have an accurate and current list at all times.

By following these steps, you'll establish a comprehensive inventory of service providers and their associated contacts, aligning with the requirements of CIS18 Controls. This inventory will be a valuable resource for incident response and communication efforts.

bottom of page