Business System, Asset and Third-Party Assessment Template (Overview)

The Business System, Asset and Third-Party Assessment Template is designed to be completed when new software vendors (third parties) are being onboarded within the organisation.

The assessment can be completed before the third party or software is procured, allowing security and privacy risks to be reviewed and addressed early in the process. At this stage, the status of the third party and related Business Systems & Assets can be set to Planned. Optional controls and evidence can also be added for both the assets and third party, if required.

The assessment is primarily intended to be completed internally by the Information Security or Data Protection departments. However, if needed, it can be targeted to the relevant department responsible for procuring the software, or even externally to third parties for completion.

Once the assessment has been completed:

  • The Business System, Third-Party and Asset(s) will be added to their respective registers.
  • These records will be automatically linked together.
  • The Program/Assessment Reviewer will also receive a notification to review and approve the assessment.

Note: This base template is available for immediate use ‘out of the box’. However, you have the flexibility to customise the assessment by updating guidance, modifying the questions, or adding new ones to meet all of your organisational requirements.

Below is an overview of the three registers used in this assessment:

[Image: overview of the three registers used in this assessment]
