Hello ISC2 folks,
I need your help with something related to vendor categorization. I have a list of around 20 "critical" vendors and need to further filter them down based on their criticality (information security-wise). So I am struggling to outline the criteria that I need to use in order to be able to determine which of the vendors are more critical from an infosec perspective. I plan to interview the managers and the SMEs involved for each vendor/service. A few of the components I am thinking of include:
- The sensitivity of the company information that the vendor processes/stores.
- The amount of records/company information (Mb/Gb-wise?) that the vendor processes/stores.
- Whether and to what extent the company would suffer if the company information that the vendor processes/stores is compromised.
Please give me your ideas and let me know what other things could help me in the interviews so that I can get the best mechanism for determining which of the given 20 "critical" vendors are "more critical" 🙂