GRCWatch
Sign inStart free trial

CIS Control 15.7: Securely Decommission Service Providers

Service provider offboarding is a critical security gap most SMBs overlook. When contracts end, improper decommissioning leaves enterprise data exposed, credentials active, and third-party risks unmanaged. CIS Control 15.7 ensures your organization systematically removes access, data, and dependencies when service providers exit.

What this means

Secure decommissioning requires a structured process to eliminate all traces of a service provider's access to your systems and data. This includes verifying that enterprise data is completely removed from provider infrastructure, revoking all credentials and API keys tied to that provider, and documenting any subcontractors they used so you can address downstream risks. The goal is to reduce your attack surface and eliminate lingering access points after a vendor relationship ends.

How to comply

  1. 1.Create a service provider offboarding checklist that includes data removal verification, credential revocation, and subcontractor identification
  2. 2.Before contract termination, audit all systems where the service provider has data or access and document removal deadlines
  3. 3.Require the service provider to confirm in writing that all enterprise data has been securely deleted from their systems
  4. 4.Revoke or reset all authentication credentials, API keys, and service accounts associated with the provider across your infrastructure
  5. 5.Request notification from the service provider of any subcontractors they used and assess those relationships independently
  6. 6.Conduct a post-termination audit 30-60 days after offboarding to verify no residual access or data remains
  7. 7.Document the decommissioning process and store evidence of data deletion and credential revocation for compliance records

Evidence auditors look for

  • Service provider offboarding checklists with sign-off dates
  • Written confirmation from the provider that enterprise data was deleted
  • Credential revocation logs and access removal timestamps
  • Subcontractor notification letters and your assessment of downstream risks
  • Post-termination audit reports confirming no residual access
  • Data destruction certificates from service providers
  • Change logs showing removal of provider accounts from IAM systems

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates service provider offboarding workflows, tracks decommissioning checklists, documents credential revocation across your stack, and flags subcontractor dependencies so nothing falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 15.1 — Establish and Maintain an Inventory of Service ProvidersCIS Control 15.2 — Establish and Maintain a Data InventoryCIS Control 6.2 — Address Unauthorized Software