Ongoing Vendor Monitoring
This article is educational content about ongoing vendor monitoring and is not professional compliance advice or legal counsel.
Vendor risk doesn't end when you sign the contract. That's actually when the real relationship begins. Vendors that looked good during due diligence can change. Their security posture can degrade. Their team can turn over. They can be breached. Their certifications can expire without renewal. A vendor you approved for engagement isn't automatically approved forever—they need to remain approved through monitoring and re-evaluation.
Without ongoing monitoring, you're making a decision to trust a vendor once and hoping they stay trustworthy for the duration of the relationship. With monitoring, you maintain active awareness of vendor risk and adjust your relationship as circumstances change. Monitoring detects when a vendor's practices degrade, when they're breached, when their certifications expire, or when other warning signs emerge. Detecting problems early, when they're still small, prevents the scenario where you discover a serious vendor problem only after it's already become your problem.
Monitoring Intensity Based on Vendor Importance
The ongoing monitoring approach depends on how critical the vendor is. Tier 1 critical vendors should be reviewed quarterly or semi-annually, and never less than annually. Tier 2 important vendors should be reviewed annually. Tier 3 lower-risk vendors can be reviewed less frequently, or only when a trigger event occurs (a breach report, a lapsed certification, a change in what the vendor handles for you). Monitoring intensity should match criticality: the more you depend on a vendor, the less you can afford to learn about a problem late.
Monitoring activities might include periodic security questionnaire updates every year or two to check if the vendor's practices have changed, review of their published security practices or security advisories they've issued, monitoring for breach notifications or news about their security posture, checking whether certifications are still current and valid, spot-checking their compliance with contract requirements, and reviewing how they've handled security incidents or operational problems.
Much of the monitoring can be automated, which matters because manual monitoring of a full vendor list would require an enormous time investment. Breach notification services such as Have I Been Pwned publish a list of breached sites and can alert you when accounts on a domain you control turn up in a breach, including accounts your staff hold with a vendor; such services only cover breaches whose data has surfaced, so treat them as one signal rather than a complete feed. You can set Google Alerts for news about the vendor. You can maintain spreadsheets or use specialized vendor management software to track certification expiration dates and generate reminders. For critical vendors, more intensive monitoring (periodic detailed assessments, on-site security reviews, quarterly review of security practices) justifies the investment because the consequences of missing problems are high.
The monitoring approach should be documented in your vendor management program so that all vendors at the same tier are monitored consistently. Consistency prevents monitoring from becoming ad-hoc and vendor-dependent.
Performance Metrics and SLA Compliance as Health Indicators
Service level agreements specify performance expectations: uptime percentage, response times, resolution times. Ongoing monitoring should track whether the vendor is actually meeting those SLAs. This isn't just about getting what you paid for; it's a health indicator. A vendor whose SLA performance is degrading might be experiencing operational problems, understaffing, or cost-cutting measures that could affect both security and reliability.
For critical services, real-time monitoring makes sense. Many vendors provide dashboards or APIs where you can monitor metrics continuously, and many cloud providers maintain public status pages showing uptime and incident history. Treat those sources as self-reported: for the services you depend on most, your own synthetic checks against the vendor's endpoints give independent evidence of availability and a record you control if an SLA dispute arises. For less critical services, monthly or quarterly review of the vendor's reported metrics is sufficient.
SLA breaches that recur should trigger escalation conversations with the vendor. A vendor that misses an SLA occasionally might be having temporary problems: a data center outage, a security incident, staff illness. That's recoverable. A vendor that consistently misses SLAs is not delivering what it committed to, and that pattern should trigger re-evaluation of the relationship.
Performance metrics cut both ways. If a vendor's SLA performance consistently meets or exceeds expectations and the service is reliable, that's evidence the relationship is working and justifies continued use. If performance is consistently below SLA, you have the documentation to support escalation, renegotiation, or switching vendors.
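The pattern described above, an occasional miss versus a recurring one, is easy to lose in a spreadsheet of monthly numbers. The following is an added example, not code from the original article: it converts reported downtime into uptime percentages, checks each month against the contractual target, and classifies the trailing six months so that a recurring pattern is flagged for formal escalation while a single miss stays at the account-manager level. The vendor names, the 99.5% target, the downtime figures and the "more than one miss in six months" threshold are all constructed assumptions.

```python
# Added example (not from the original article): check monthly uptime against
# an SLA target and separate an occasional miss from a recurring pattern.
# All vendor names, SLA targets, downtime figures and thresholds are constructed.
from dataclasses import dataclass
from typing import Iterable

MINUTES_PER_MONTH = 30 * 24 * 60  # assumes a 30-day month for the sample data


@dataclass(frozen=True)
class MonthlyReport:
    month: str              # "YYYY-MM", from the vendor's report or your own checks
    downtime_minutes: int   # minutes the service was unavailable that month


def uptime_percent(report: MonthlyReport) -> float:
    """Uptime for the month as a percentage of total minutes."""
    return 100.0 * (MINUTES_PER_MONTH - report.downtime_minutes) / MINUTES_PER_MONTH


def allowed_downtime_minutes(sla_percent: float) -> float:
    """Downtime budget implied by an uptime SLA (99.5% -> 216 minutes per month)."""
    return MINUTES_PER_MONTH * (100.0 - sla_percent) / 100.0


def sla_misses(reports: Iterable[MonthlyReport], sla_percent: float) -> list:
    """Months in which measured uptime fell below the SLA target."""
    return [r.month for r in reports if uptime_percent(r) < sla_percent]


def escalation_level(reports, sla_percent, window=6, tolerated_misses=1):
    """Classify the trailing `window` months of reports.

    'ok'       no misses in the window
    'watch'    up to `tolerated_misses` misses: possibly transient, raise it with
               the account manager and keep the record
    'escalate' more misses than tolerated: a pattern, trigger formal escalation
    """
    recent = sorted(reports, key=lambda r: r.month)[-window:]
    misses = sla_misses(recent, sla_percent)
    if not misses:
        return "ok"
    if len(misses) <= tolerated_misses:
        return "watch"
    return "escalate"


# Constructed sample data: three vendors on a 99.5% monthly uptime SLA.
SLA = 99.5
MONTHS = ["2025-01", "2025-02", "2025-03", "2025-04", "2025-05", "2025-06"]
VENDOR_REPORTS = {
    # one bad month (250 min > 216 min budget), otherwise fine
    "Payroll SaaS": [MonthlyReport(m, d) for m, d in zip(MONTHS, [0, 30, 250, 10, 0, 5])],
    # four of six months over budget: a pattern, not bad luck
    "Ticketing tool": [MonthlyReport(m, d) for m, d in zip(MONTHS, [300, 20, 400, 260, 500, 10])],
    # comfortably inside the budget every month
    "CDN": [MonthlyReport(m, d) for m, d in zip(MONTHS, [0, 0, 12, 0, 3, 0])],
}


def review_all(vendor_reports=VENDOR_REPORTS, sla_percent=SLA) -> dict:
    """Escalation level per vendor for the sample data."""
    return {name: escalation_level(reports, sla_percent)
            for name, reports in vendor_reports.items()}


if __name__ == "__main__":
    for name, level in review_all().items():
        print(f"{name:15s} {level}")
```

Note that the boundary is handled exactly: 216 minutes of downtime in a 30-day month is 99.5% uptime and is not a miss, because the comparison is strictly less than the target. Feeding the function your own synthetic-check data instead of the vendor's reported figures gives you an independent record when the numbers disagree.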
Detecting Changes in Vendor Security Posture
A vendor's security can change over time, and not always for the better. A vendor facing financial pressure might cut costs and reduce security spending. A vendor might lose key security staff to departures and not replace them effectively. A vendor might merge with a less secure company. A vendor might stop maintaining security certifications. Monitoring detects these changes before they become crises.
Change tracking might include monitoring the vendor's website for updates to its security practices, since many vendors publish security pages that change over time; checking whether they've published new SOC 2 reports or whether old certifications have expired; reviewing their published security advisories or incident reports; watching for data breaches that affect them through breach tracking services; and reviewing news or analyst reports about their security.
Security questionnaire updates every one to two years for critical vendors can re-evaluate areas of concern and detect whether practices have changed. If a vendor previously said they patch vulnerabilities within 30 days of disclosure and now says 60 days, that's a change worth understanding. If they previously had a dedicated security team and now say security is handled by the operations team, that's a change. If they previously had annual penetration testing and now have testing only every two years, that's degradation.
For vendors that have degraded, monitoring results should trigger a conversation with the vendor. Understanding what changed and why, and whether it affects your specific needs, helps determine your next steps. Sometimes degradation in one area doesn't affect you. Sometimes it's significant and justifies changing vendors.
Staying Aware of Vendor Breaches
Your vendor contracts should require that vendors notify you if they're breached or experience a security incident. Ongoing monitoring includes watching for breach notifications to your organization, and also monitoring for breaches at vendors that might affect you indirectly. Many vendors handle many customers, and if they're breached, every customer might be affected.
Breach notification should be prompt; 24 to 72 hours is a common contractual window, and the vendor's deadline must leave you enough time to meet your own obligations (under GDPR, for example, a controller must notify the supervisory authority within 72 hours of becoming aware of a reportable breach). Your incident response plan should address how to respond when a vendor that handles your data is breached. You need to assess impact: was your data compromised? What do you need to do? Do you need to notify your customers or regulators? Do you need to conduct a forensic investigation with the vendor?
Monitoring also includes staying aware of breaches at vendors you don't directly contract with but who might affect you indirectly. If a vendor's vendor is breached, it might eventually affect you through the supply chain. This is becoming more important as organizations become more interconnected.
Breach monitoring tools can automatically alert you. Subscribe to breach notification services that track when organizations are compromised. Set up alerts from news sources about vendor breaches. Many vendors will send notifications to customers if they experience a breach, but relying solely on vendor notification is risky because sometimes vendors don't notify quickly or completely.
Tracking Certification Expiration and Renewal
If a vendor has SOC 2, ISO 27001, or other attestations that were part of your original due diligence, those attestations age out. A SOC 2 report has no formal expiry date; it covers an examination period (12 months is common for a Type II report) and is generally treated as stale 12 months after that period ends, with a bridge letter from the vendor covering the gap until the next report is issued. ISO 27001 certificates are valid for three years but require annual surveillance audits to remain valid. Expiration might not seem critical, but it's a meaningful indicator. A vendor whose certification has expired without renewal is a red flag worth investigating.
Monitoring should track certification expiration dates. For critical vendors, you should know when their certifications expire and proactively ask for updated reports before they expire. A vendor that lets their certification lapse either can't afford to renew, has deprioritized security, or has experienced problems that prevented renewal.
Sometimes certification expiration is intentional—a vendor might decide the cost or effort of certification isn't justified. Understanding the reasoning matters. If the vendor chose not to renew because they believe it's not necessary for their context, that might be reasonable. If they didn't renew because they're having financial problems or because they failed re-audit, that's concerning.
Certification tracking can be automated. Maintain a spreadsheet or use vendor management software to track expiration dates and set reminders six months before expiration. Many GRC platforms and vendor management tools include certification tracking as a built-in feature.
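The tracking described above is the kind of thing a small script handles better than a spreadsheet once the vendor list grows. The following is an added example, not code from the original article or from any GRC product: it derives a status for each vendor's SOC 2 report or ISO 27001 certificate (current, reminder due, surveillance audit overdue, or lapsed), raises the six-month reminder, and computes the next review date from the vendor's tier. The tier cadences, the "stale 12 months after period end" rule for SOC 2, the 365-day surveillance interval and every vendor and date are constructed assumptions.

```python
# Added example (not from the original article): track attestation currency per
# vendor, raise the six-month reminder, and derive review cadence from tier.
# Cadences, staleness rules and all vendor data below are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMINDER_LEAD = timedelta(days=180)               # ask for the new report six months out
SOC2_STALE_AFTER = timedelta(days=365)            # assumed: stale 12 months after period end
ISO_CERT_VALIDITY = timedelta(days=3 * 365)       # three-year certificate cycle
ISO_SURVEILLANCE_INTERVAL = timedelta(days=365)   # assumed: surveillance audit expected yearly
REVIEW_CADENCE = {1: timedelta(days=90), 2: timedelta(days=365), 3: None}  # assumed tiers


@dataclass(frozen=True)
class Attestation:
    vendor: str
    tier: int
    kind: str                                  # "SOC2" or "ISO27001"
    anchor: date                               # SOC2: end of examination period; ISO: issue date
    last_surveillance: Optional[date] = None   # ISO 27001 only
    last_review: Optional[date] = None         # your last monitoring review of this vendor


def expiry(a: Attestation) -> date:
    """Date after which the attestation no longer supports your approval."""
    if a.kind == "SOC2":
        return a.anchor + SOC2_STALE_AFTER
    if a.kind == "ISO27001":
        return a.anchor + ISO_CERT_VALIDITY
    raise ValueError(f"unknown attestation kind: {a.kind}")


def status(a: Attestation, today: date) -> str:
    exp = expiry(a)
    if today > exp:
        return "lapsed"
    if a.kind == "ISO27001":
        last_audit = a.last_surveillance or a.anchor
        if today - last_audit > ISO_SURVEILLANCE_INTERVAL:
            # certificate date not reached, but validity depends on surveillance
            return "surveillance overdue"
    if exp - today <= REMINDER_LEAD:
        return "request update"
    return "current"


def next_review(a: Attestation, today: date) -> Optional[date]:
    """Next scheduled review by tier; None means trigger-based only."""
    cadence = REVIEW_CADENCE[a.tier]
    if cadence is None:
        return None
    return (a.last_review or today) + cadence


def work_queue(attestations, today: date) -> list:
    """Vendors needing action, most critical tier first, then by name."""
    items = [(a.vendor, a.tier, status(a, today)) for a in attestations]
    return sorted((i for i in items if i[2] != "current"), key=lambda i: (i[1], i[0]))


# Constructed sample data.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Attestation("Payroll SaaS", 1, "SOC2", date(2024, 9, 30), last_review=date(2025, 4, 1)),
    Attestation("Cloud host", 1, "ISO27001", date(2023, 5, 1),
                last_surveillance=date(2024, 5, 15), last_review=date(2025, 3, 1)),
    Attestation("Ticketing tool", 2, "SOC2", date(2024, 3, 31), last_review=date(2024, 9, 1)),
    Attestation("Swag vendor", 3, "SOC2", date(2025, 1, 31)),
]


if __name__ == "__main__":
    for vendor, tier, state in work_queue(SAMPLE, TODAY):
        print(f"Tier {tier}  {vendor:15s} {state}")
    for a in SAMPLE:
        print(f"{a.vendor:15s} next review: {next_review(a, TODAY)}")
```

On the sample data the queue lists the Tier 1 ISO vendor whose surveillance audit is more than a year old, the Tier 1 SOC 2 vendor whose report goes stale within six months, and the Tier 2 vendor whose report already lapsed; the Tier 3 vendor is current and gets no scheduled review. Replace the status strings with tickets in whatever system you use and the script becomes the reminder mechanism the paragraph describes.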
Verifying Contract Compliance
Vendor contracts specify requirements: the vendor will maintain certain controls, will respond to incidents within certain timeframes, will not disclose data without authorization, and so on. Monitoring should verify that the vendor is actually complying with these requirements rather than just assuming they are.
Verification might include asking the vendor periodically to confirm they're meeting requirements, requesting evidence in the form of screenshots, logs, certifications, or other documentation, conducting spot-checks of their practices by reviewing their systems or interviewing their team, or for critical vendors, conducting on-site audits.
For some requirements, compliance is obvious: if the contract says uptime will be 99.5% and they maintain that SLA, they're in compliance. For other requirements like maintaining security controls or secure data handling, compliance requires investigation. You can't just assume they're doing what they said they would do.
Contract audits—periodic detailed reviews of vendor compliance with all contract requirements—might happen annually for critical vendors or less frequently for lower-tier vendors. Audits can be conducted by your internal team or by external auditors. The investment depends on how critical the vendor is.
Escalation When Problems Are Discovered
When monitoring reveals a problem, escalation procedures kick in. The problem might be minor—a vendor missed an SLA by a day, or they've changed a security practice in a way that doesn't directly affect you. Minor issues usually get addressed through normal account management conversations. More serious issues need formal escalation.
Escalation procedures should specify which problems trigger escalation, who gets notified when escalation happens, what timeline is expected for vendor response, what documentation is required, and what next steps are if the vendor doesn't respond adequately. For a missed SLA, you might email the vendor's account manager. For a security incident, you might escalate to vendor leadership. For a breach that affects you directly, you might escalate to legal and security leadership internally.
The goal of escalation isn't to terminate the vendor relationship, but to resolve the problem. Most vendors want to keep good relationships and will fix problems if they're brought to their attention clearly. Vendors that don't respond appropriately to escalation—that become defensive, that minimize problems, that don't commit to fixes—are signaling that the relationship might not be sustainable.
Escalation procedures should be documented in your vendor management policy. The vendor should also be aware of escalation procedures, documented in contracts or onboarding communications, so they know what to expect if problems occur and how to respond.
Making Monitoring Sustainable
The challenge with ongoing vendor monitoring is that it can become time-consuming if not structured carefully. An organization with 100 vendors that tries to monitor all of them equally will either do a superficial job of monitoring or burn out the people responsible for vendor management. This is why tiering is critical. You focus intensive monitoring on critical vendors and lighter monitoring on less important ones.
Automation helps enormously. Set up automated alerts, maintain spreadsheets with expiration dates and automated reminders, use vendor management software if you have the budget. For large organizations with many vendors, specialized vendor management platforms make monitoring sustainable. For smaller organizations, a well-structured spreadsheet and automated alerts can accomplish the same thing.
The point is that monitoring should be systematic and ongoing, not something you do in crisis when a vendor breaks. Systematic monitoring detects problems early, when they're still manageable, rather than discovering them after they've already affected your business.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general guidance about ongoing vendor monitoring. Your organization's specific monitoring approach should be tailored to your vendor list size, the criticality of individual vendors, and your available resources.