Vendor Risk Assessment

A risk assessment of a vendor is a common procurement/compliance exercise that CAUDIT members typically undertake individually. Risk assessments are being requested:

• to enable institutions to assess the risks of vendor offerings and solutions, protecting CAUDIT members, institutions and vendors.
• to provide efficiencies for institutions and vendors through one third party risk assessment administered and maintained by AHECS, through CAUDIT.
• to provide an external view and validation of the assessment

Is there a cost for this risk assessment?

There is a $1,000 AUD ex GST annual cost to vendors providing or renewing an offer to CAUDIT members, covering the administration and validation of the assessment.

What sort of information should a vendor supply?

1. To provide an initial risk assessment a vendor should supply any relevant certifications and accreditations (including IRAP, ISO 27001, DISP and NIST). Reference to a vendor's risk assessments, processes and documentation will also assist.
   Any documentation provided is securely stored and made available through authenticated access to CAUDIT members only.
2. Confirmation of an appropriate individual (name and email address) to receive and complete a risk assessment for the vendor.

How is the risk assessment delivered?

The risk assessment will be sent from the email address support@alyne.com to the individual that the vendor previously nominated. That email will contain a unique link to complete a number of questions online and upload supporting evidence/documents.
Once the individual has created an account to access the risk assessment questions they will have access to the online user guide - we would recommend reading through the section on Responding to an Assessment and utilising the Delegation feature.