Vendor Risk Assessment

A risk assessment of a vendor is a common procurement/compliance exercise that CAUDIT members typically undertake individually. Risk assessments are being requested:

• to enable institutions to assess the risks of vendor offerings and solutions, protecting CAUDIT members, institutions and vendors.
• to provide efficiencies for institutions and vendors through one third party risk assessment administered and maintained by AHECS, through CAUDIT.
• to provide an external view and validation of the assessment

Is there a cost for this risk assessment?

There is no cost for the risk assessment to vendors providing or renewing an offer to CAUDIT members.

What sort of information should a vendor supply?

1. To provide an initial risk assessment a vendor should supply any relevant certifications and accreditations (including IRAP, ISO 27001, DISP and NIST). Reference to a vendor’s risk assessments, processes and documentation will also assist.
   Any documentation provided is securely stored and made available through authenticated access to CAUDIT members only.
2. Confirmation of an appropriate individual (name and email address) to receive and complete a risk assessment for the vendor.

How is the risk assessment delivered?

The risk assessment is a spreadsheet based tool that is available to download and complete.