CIS Controls 15.1: Service Provider Inventory & Management
Your organization depends on external service providers—but do you know who they all are, what they access, and who owns each relationship? CIS Controls 15.1 requires you to build and maintain a comprehensive service provider inventory with clear ownership and classifications. This foundational control prevents shadow IT, reduces breach risk, and ensures accountability across your vendor ecosystem.
What this means
CIS 15.1 requires establishing a complete inventory of all service providers your organization uses. This inventory must classify each provider (by criticality, function, or risk level), identify a designated enterprise contact responsible for the relationship, and be reviewed and updated at least annually or whenever significant organizational changes occur. The goal is visibility and accountability—knowing exactly who has access to your systems and data.
How to comply
- 1.Conduct a comprehensive discovery to identify all service providers across departments, including cloud providers, SaaS vendors, consultants, managed service providers, and IT support contractors.
- 2.Create a centralized inventory spreadsheet or database with columns for provider name, service category, classification level, designated contact, contract renewal date, and access scope.
- 3.Classify each provider by risk or criticality—for example, critical (core business functions), important (significant access), or standard (limited exposure).
- 4.Assign a primary enterprise contact for each provider relationship to ensure accountability and clear communication.
- 5.Document the scope of access and services each provider has, including systems, data types, and integration points.
- 6.Schedule annual reviews of the inventory and conduct interim updates whenever you onboard new providers, terminate relationships, or undergo organizational restructuring.
- 7.Communicate the inventory process to department heads and procurement to ensure new vendors are added immediately upon engagement.
- 8.Establish a sunset policy for unused or redundant service providers to keep the inventory current.
Evidence auditors look for
- Documented service provider inventory with complete listing of all vendors and contractors
- Classification scheme applied to each provider (e.g., critical, important, standard)
- Designated contact names and contact information for each service provider relationship
- Annual inventory review records with sign-off from management
- Update log showing additions, deletions, and changes to the inventory throughout the year
- Procurement process documentation showing how new vendors are added to the inventory
- Service provider contracts and statements of work referencing access scope and data handling
- Risk assessment documentation justifying classification levels for critical providers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates service provider inventory discovery and updates across your organization, tracking provider classifications, contacts, and change history in one searchable location—eliminating spreadsheet chaos and ensuring your inventory stays audit-ready year-round.
See how GRCWatch handles this control automatically
Start free trial