Vendors Inventory and Attributes - Security attributes for the Vendors Inventory
Chapter 18. Security attributes for the Vendors Inventory
Security attributes capture the security certifications and assessment history that govern the vendor’s security posture and the enterprise’s ongoing security due diligence obligations.
| Attribute Name | Maturity | Description and Notes |
| --- | --- | --- |
| Security Certifications [Multi-Value] | Walk | Description — The current, valid security and compliance certifications held by this vendor. Benefit(s) — Provides objective third-party validation of the vendor’s security posture. Certifications are the primary evidence artifact for vendor security governance in regulatory frameworks including GDPR, HIPAA, and DORA. Source — Manual. Examples — SOC 2 Type II; ISO 27001; PCI DSS Level 1; FedRAMP Moderate; HITRUST CSF; CSA STAR Level 2. Notes — Separate multiple values with semicolons. Record the certification name and validity year where known (e.g., SOC 2 Type II (2025)). Certifications should be verified annually; expired certifications are not governance evidence. |
| Last Security Assessment Date | Walk | Description — The date on which the enterprise most recently completed a security assessment, questionnaire, or independent audit of this vendor. Benefit(s) — Enables identification of vendors with stale security assessments. For Tier 1 and Tier 2 vendors, security assessments older than 12 months represent a governance gap. Source — Manual. Examples — 2026-03-15; 2025-11-30. Notes — Assessment cadence should align with Vendor Tier: Tier 1 quarterly, Tier 2 semi-annual, Tier 3 annual, Tier 4 on onboarding only unless a material change occurs. |
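The two attributes above are only useful if someone actually checks them. The following script is an added example, not part of the IF4IT inventory specification: it parses the semicolon-separated `Security Certifications` field (including the optional `(YYYY)` validity year), flags certifications whose validity year has passed, and compares `Last Security Assessment Date` against the per-tier cadence. The field names (`security_certifications`, `last_security_assessment_date`, `vendor_tier`), the day counts used for quarterly/semi-annual/annual cadence, and the sample vendor records are all assumptions constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Assessment cadence per Vendor Tier, following the Notes of the
# "Last Security Assessment Date" attribute. The day counts are an
# assumption made for this example (quarterly = 90, semi-annual = 180,
# annual = 365); Tier 4 is assessed on onboarding only (None = no cadence).
CADENCE_DAYS = {1: 90, 2: 180, 3: 365, 4: None}

# Matches "SOC 2 Type II (2025)" -> name="SOC 2 Type II", year="2025";
# the year group is optional so "ISO 27001" parses with year=None.
_CERT_RE = re.compile(r"^\s*(?P<name>.+?)\s*(?:\((?P<year>\d{4})\))?\s*$")


@dataclass
class Certification:
    name: str
    year: int | None  # recorded validity year, or None if not recorded


def parse_certifications(value: str) -> list[Certification]:
    """Split the semicolon-separated multi-value field into certifications."""
    certs = []
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate trailing separators and empty entries
        m = _CERT_RE.match(part)
        year = m.group("year")
        certs.append(Certification(m.group("name"), int(year) if year else None))
    return certs


def _to_date(value: str | None) -> date | None:
    """Parse an ISO date string (YYYY-MM-DD) or return None for a blank field."""
    return date.fromisoformat(value) if value else None


def expired_certifications(value: str, today_iso: str) -> list[str]:
    """Names of certifications whose recorded validity year is in the past."""
    today = date.fromisoformat(today_iso)
    return [c.name for c in parse_certifications(value)
            if c.year is not None and c.year < today.year]


def assessment_is_stale(tier: int, last_assessed_iso: str | None, today_iso: str) -> bool:
    """True when the last assessment is older than the tier's cadence (or missing)."""
    cadence = CADENCE_DAYS[tier]
    last_assessed = _to_date(last_assessed_iso)
    if cadence is None:
        # Tier 4: only the onboarding assessment must exist.
        return last_assessed is None
    if last_assessed is None:
        return True
    return (date.fromisoformat(today_iso) - last_assessed).days > cadence


def review_vendor(record: dict, today_iso: str) -> list[str]:
    """Return governance findings for one vendor record (empty list = clean)."""
    findings = []
    for name in expired_certifications(record.get("security_certifications", ""), today_iso):
        findings.append(f"expired certification: {name}")
    if assessment_is_stale(record["vendor_tier"],
                           record.get("last_security_assessment_date"), today_iso):
        findings.append("security assessment overdue for tier cadence")
    return findings


# Constructed sample inventory for this example; the vendors are fictional.
SAMPLE_INVENTORY = [
    {"vendor": "Example Cloud Co", "vendor_tier": 1,
     "security_certifications": "SOC 2 Type II (2025); ISO 27001 (2026)",
     "last_security_assessment_date": "2025-11-30"},
    {"vendor": "Example Payroll Ltd", "vendor_tier": 3,
     "security_certifications": "ISO 27001",
     "last_security_assessment_date": "2026-03-15"},
    {"vendor": "Example Print Shop", "vendor_tier": 4,
     "security_certifications": "",
     "last_security_assessment_date": None},
]

if __name__ == "__main__":
    as_of = "2026-06-01"  # constructed review date
    for rec in SAMPLE_INVENTORY:
        print(rec["vendor"], review_vendor(rec, as_of) or ["clean"])
```

Run as-is, the Tier 1 vendor is reported twice (a 2025 certification has lapsed and its last assessment is 183 days old against a 90-day cadence), the Tier 3 vendor is clean, and the Tier 4 vendor is flagged only because no onboarding assessment was ever recorded. A certification with no recorded year is deliberately not reported as expired, because the field simply lacks the evidence either way; a real review would treat that as a data-quality finding.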
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present