Access evidence
Request user and privileged-account structure, MFA and remote-support design, approval and termination process, representative session or access logs, service-account governance, and customer controls. Focus on the environment and support model used for your service.
Incident evidence
Review incident-response roles, customer-notification workflow, evidence preservation, subcontractor coordination, exercises, and lessons from material events when available. Confirm contract timelines and the facts the vendor must supply for your breach analysis.
Resilience evidence
Review architecture, redundancy, backup scope, recovery objectives, restoration tests, dependency mapping, customer responsibilities, downtime communications, and recent availability issues. A generic continuity policy does not prove recovery of the purchased product.
Assurance reports and certifications
Confirm entity, product, location, period, control scope, subservice organizations, exceptions, complementary customer controls, and management response. Track whether relevant findings are resolved and whether the report period leaves a material gap.
Privacy and data lifecycle
Document permitted uses, data location, retention, support copies, logs containing PHI, analytics, de-identification claims, AI use if any, individual-rights support, return or destruction, backups, and legal holds.
Customer configuration duties
Many controls require customer action: MFA enforcement, role assignment, log review, secure integration, retention settings, backup choice, incident contacts, and user termination. Put these duties into the internal remediation register rather than assuming the vendor performs them.
When evidence is unavailable, document the limitation, risk implication, compensating safeguards, alternative evidence, contract leverage, decision owner, and review date. Lack of transparency can itself change the vendor’s risk tier.