Purpose: The following MSPAlliance MSP/Cloud Verify Guidance Bulletin is written to provide analysis and suggestions for improved service delivery operations.
Subject: MSP Vendor Management and use of third party audits
Bulletin Highlights:
- Develop Vendor Management Policy
- Update your third party audit/examination report at least every 12 months
- Don’t exclusively rely on data center reports
- Vendor management reports are not an excuse for the MSP not to get its own examination/audit report
As part of the MSP/Cloud Verify program, MSPs are required to maintain and use an effective vendor management policy for all third party vendors and partners. This policy should be documented and under regular review and change control. Part of an effective vendor management policy is the review of new third party relationships, specifically the request and periodic review of third party audit reports.
Third party audit reports are useful both for minimizing risk to the MSP, as well as ensuring the third party has been properly vetted for the specific use of the MSP. When requesting a third party review from a vendor, the report should be examined in order to not only determine its relevance both to the third party, but also the effectiveness of the review when it comes to the relationship between the MSP and the third party.
Specifically, when requesting an independent review of the third party, the review should not only cover the data center, but also the third party itself. It is not sufficient to accept an audit report (for example, an SSAE 16) from the data center where the third party hosts its infrastructure. Beyond this physical and environmental review, the data center provider’s report will not address fundamental issues such as the vendor’s own internal practices, such as physical and logical security, data privacy, and geolocation of data and personnel.

