GRCWatch
Sign inStart free trial

CIS Control 15.2: Establish and Maintain a Service Provider Management Policy

Your service providers are extensions of your security posture. CIS Control 15.2 requires a documented, comprehensive policy that covers the entire lifecycle of vendor relationships—from initial classification through secure offboarding. Without this foundation, you risk compliance gaps and security blind spots across your supply chain.

What this means

Service Provider Management Policy (CIS 15.2) requires organizations to create and maintain a formal policy that governs how third-party service providers are managed throughout their engagement lifecycle. The policy must address five core areas: classifying providers by risk level, maintaining an accurate inventory of all active vendors, conducting regular assessments of their security controls, continuously monitoring their compliance posture, and executing a structured decommissioning process when relationships end. Organizations must review and update this policy at least annually, or immediately when significant business changes occur that could affect vendor management requirements.

How to comply

  1. 1.Develop a written service provider management policy that defines roles, responsibilities, and governance structures for vendor oversight
  2. 2.Create a classification framework that categorizes service providers by risk level (critical, high, medium, low) based on data access and business impact
  3. 3.Establish and maintain a centralized inventory of all active service providers, including contract dates, scope of access, and data classification levels
  4. 4.Define assessment requirements for each provider category, including initial security audits, SOC 2 reviews, or vendor questionnaires
  5. 5.Implement continuous monitoring procedures to track provider compliance, security incidents, and control effectiveness throughout the engagement
  6. 6.Create a structured decommissioning process that includes data retrieval, access revocation, and contract closure documentation
  7. 7.Document annual policy reviews with evidence of updates, sign-offs, and communication to stakeholders

Evidence auditors look for

  • Formal service provider management policy document with clear definitions and procedures
  • Service provider classification matrix showing risk categories and assessment requirements
  • Current, complete inventory spreadsheet or database listing all vendors with contract dates and data access levels
  • Assessment records including SOC 2 Type II reports, security questionnaires, or audit documentation
  • Monitoring logs showing periodic review of provider compliance and incident reports
  • Decommissioning checklists signed off for terminated vendors with data removal confirmation
  • Annual policy review documentation with update log and distribution records

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates your service provider inventory tracking and assessment scheduling, eliminating spreadsheet chaos while centralizing monitoring records and decommissioning checklists in one audit-ready platform.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 15.1 — Establish a Secure Supply Chain ProcessCIS Control 15.3 — Securely Extend Asset Management Program to Service ProvidersCIS Control 6.1 — Establish an Incident Response Process