
Vendor Compliance Program
The ISG-VCP Managed Program offers a systematic and uniform method for establishing an Information Security Vendor Compliance Program (VCP). This program features a detailed Concept of Operations (CONOPS), which sets forth clear protocols to periodically validate that vendors comply with the Minimum-Security Requirements (MSR) formulated and instituted by the ISG-VCP Managed Program. These requirements are tailored to align with your organization’s specific security policies and standards, taking into account all pertinent legal and regulatory requirements.
Validate the Security Posture of your Vendors

Vendor Security Compliance Certification
Following internal due diligence, the ISG-VCP team conducts an in-depth security assessment against a scoped baseline of Minimum-Security Requirements (MSR). Additionally, the ISG-VCP team checks for any past security incidents, evaluates the vendor's reputation within the industry, and archives evidence of compliance with key controls, such as penetration tests, policies & standards, vulnerability & patch management, and periodic access reviews.
Contract Review & Negotiation
The ISG-VCP team will sometimes require that vendors include clauses in service agreements and requests for proposal requiring vendors to maintain a high level of security, notify Transit of any breaches, and allow for regular security assessments.

Procurement Risk Review
Prior to evaluating vendors for adherence to established policies and standards, a comprehensive review of the solutions is conducted to confirm their suitability and effectiveness. This approach is akin to the “Secure-by-Design” principle, which mandates the integration of security measures right from the stage of specifying requirements.
Vendor Offboarding
The offboarding process is a critical step in maintaining a secure information environment. It involves securely and systematically removing a vendor’s access to organizational systems and data when their services are no longer required or their contract has ended. This process includes revoking credentials, ensuring the return or secure disposal of any organizational assets, and conducting a thorough security review to confirm that no residual security risks remain. It is important to verify that former vendors cannot access sensitive information or systems. The offboarding process may also involve transferring services or functions to another vendor or bringing them back in-house. Planning and executing this process carefully is essential for a successful transition.
