NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-12(2) Supplier Reviews

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Conduct regular reviews of your suppliers to verify they continue to meet your security requirements throughout the relationship, not just at contract signing.

Example 1: Schedule annual security reviews for all critical vendors. Request updated SOC 2 reports, review their recent security incident history, and verify that contractual security requirements are still being met. Document findings and follow up on any concerns.

Example 2: Use a vendor risk management platform (such as BitSight or SecurityScorecard) that continuously monitors your suppliers' external security posture. These platforms track indicators such as exposed services, SSL/TLS certificate status, and data breach history, giving you early warning when a vendor's security posture is declining.