11 Questions to Include in Your IT Vendor Due Diligence


Outsourced IT is nothing new, but as Verizon Wireless’s recent report "Better Outcomes for IT Outsourcing" points out, digital transformation is changing the face of outsourcing. Customers want flexible service delivery models, ways to improve inefficient processes and spending models based on opex versus capex.

But with the rise of cybersecurity threats, tightly coupled supply chains and customer expectations of always-on service, you need to make sure that any vendor with access to your data and systems is fully vetted.

Before you involve any third party in your IT processes, make sure you know the answers to these questions:

  • Has the vendor undergone a compliance audit such as a SOC 2 Type II? How often are audits performed?
  • Do the vendor's services and certifications align with your organization's service level agreements (SLAs), business impact analysis recovery objectives and industry-specific compliance requirements?
  • What performance objectives, remediation procedures and exit provisions are included in the vendor's SLAs?
  • What is the vendor's business continuity and disaster recovery (BC/DR) strategy?
  • What BC/DR test practices does the vendor follow? When was the last test?
  • What tools and industries do the vendor's staff members have experience with?
  • Where is data stored and how long is it retained?
  • Are data center engineers certified and experienced?
  • Do employees receive routine background checks?
  • What access control methods does the vendor use?
  • Has the vendor ever experienced a data breach? If so, how did the company handle it?

Depending on your industry and the type of solution you’re looking for, you’ll likely have a few questions to add to this list. But by being informed about these 11 key areas and making sure the vendor’s answers align with your business’s needs, you can help ensure a better outcome for your outsourced IT functions.

For examples of vendor evaluation guidelines specific to a unique industry or technology service, check out our post "FFIEC Update: Ensuring Resiliency of Outsourced Technology Services" and download our vendor evaluation guide.
