The Vendor Compliance Program (VCP) is an externally-focused document that serves as a tool for organizations to manage cybersecurity risk with their third-party providers. There are two versions of the VCP - ISO 27002 and NIST 800-53 - since these are two of the most common security frameworks that companies align to.
It is never recommended to share your complete policies and standards, since those documents can possibly leak sensitive technical and/or business information that could negatively impact your organization. The Vendor Compliance Program (VCP) solves that problem by creating a shareable document that focuses on the industry-recognized leading practices that you expect your vendors to follow (e.g., NIST 800-53, ISO 27002, PCI DSS, HIPAA, etc.).
Can You Honestly Answer HOW Vendor Management Is Implemented At Your Organization?
When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as vendor management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation that addresses HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need, and the Vendor Compliance Program (VCP) is one of those products.