
Compliance Risk & Information Security Partners

Introducing the new small business third-party risk management company

05-E: Information Security

This section assesses how your organization protects information throughout its lifecycle.

The questions focus on whether you have documented information security policies and standards, how you identify and classify sensitive data, and what technical and procedural controls you use to preserve confidentiality, integrity, and availability (such as access controls, encryption, secure configuration, and vulnerability management).

They also help confirm that security is embedded in daily operations and systematically reviewed, rather than handled reactively or on an ad hoc basis.

Explanation: Clearly defined roles and responsibilities ensure accountability and proper implementation of security policies, reducing confusion about who handles specific tasks.

Risks of Incorrect Answer: Security tasks may be neglected or improperly performed.

Lack of accountability for breaches or incidents.

Applicable Frameworks: ISO 27001 (A.7.2.1): Responsibilities for security must be clearly defined and documented.

NIST CSF (ID.GV-2): Security roles and responsibilities must be assigned and communicated.

Explanation: Tracking non-compliance helps identify areas where additional training, enforcement, or updates to policies may be needed.

Risks of Incorrect Answer: Repeated violations could lead to increased security risks.

Regulatory fines or penalties if non-compliance is discovered during an audit.

Applicable Frameworks: ISO 27001 (A.18.2.2): Requires monitoring compliance with security policies and standards.

NIST CSF (PR.IP-11): Non-compliance with security requirements is documented and addressed.

Explanation: Data classification ensures that sensitive or critical data is appropriately protected based on its level of importance.

Risks of Incorrect Answer: Sensitive data may be mishandled or improperly protected, increasing breach risks.

Non-compliance with data protection laws requiring specific controls for classified data (e.g., GDPR, HIPAA).

Applicable Frameworks: ISO 27001 (A.8.2.1): Information should be classified according to its importance and sensitivity.

NIST CSF (PR.DS-1): Data is managed according to its classification.

Explanation: Access logs provide an audit trail for detecting and investigating unauthorized access or suspicious activity.

Risks of Incorrect Answer: Inability to detect or respond to unauthorized access in a timely manner.

Non-compliance with audit or regulatory requirements for log management.

Applicable Frameworks: ISO 27001 (A.12.4.1): Event logs must be recorded, monitored, and reviewed.

NIST CSF (DE.CM-3): System activity is monitored to detect unauthorized access.

Explanation: Understanding past incidents helps assess the vendor’s ability to detect, respond to, and recover from breaches or security threats.

Risks of Incorrect Answer: Lack of transparency about previous incidents may hide ongoing vulnerabilities.

Unaddressed security weaknesses may remain a risk for the client.

Applicable Frameworks: ISO 27001 (A.16.1.1): Requires reporting and managing information security incidents.

NIST CSF (RS.CO-5): Post-incident reviews are conducted to identify and mitigate root causes.


CRISP

Empowering small businesses with BIG Solutions

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.