Build the vendor cyber risk programme BNM examiners and ISO 27001 auditors expect — vendor inventory, security questionnaires, on-site audit, continuous monitoring, contractual review.
The most damaging cyber incidents affecting Malaysian organisations in the past 24 months have overwhelmingly originated in third parties — payroll providers, software vendors, IT outsourcers, cloud SaaS, professional services firms. The MOVEit, Okta and SolarWinds patterns are the new normal: your security maturity does not protect you from a breach in a vendor's environment.
BNM's RMiT outsourcing series (around chapter 11) makes this explicit for Malaysian financial institutions: the FI remains accountable for outsourced services, must perform pre-engagement due diligence, and must maintain ongoing oversight throughout the relationship. ISO 27001:2022 Annex A.5.19 imposes parallel expectations on certified organisations. The programme has to actually exist — not just on paper.
Most Malaysian enterprises do not actually know how many third parties they use. Procurement records cover formal contracted suppliers; SaaS subscriptions purchased on a corporate card are routinely missed. We build the consolidated vendor inventory by combining procurement records, finance accounts-payable (AP) data, identity-provider OAuth grants, SSO tenant records, and corporate card transaction analysis.
Each vendor is then tiered (typically Tier-1 through Tier-4) based on data sensitivity (do they hold regulated PII, payment card data, customer credentials), business criticality (would their outage halt a critical business process), and integration depth (network connectivity, API integration, source code access).
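The inventory-and-tiering step above, as an added worked example: this is illustrative code written for this page, not the consultancy's tooling or any GRC platform's export format. It merges constructed extracts from procurement, the AP ledger, identity-provider OAuth grants and corporate card spend into one inventory keyed by vendor domain, flags vendors that appear in spend or identity data but not in procurement (the shadow SaaS case), and then assigns a tier from the three dimensions named above. The field names, the 0-3 dimension scores and the score-to-tier cut-offs are assumptions chosen for the example.

```python
"""Vendor inventory consolidation and tiering (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed sample extracts. Field names are assumptions, not any real export format.
PROCUREMENT = [
    {"name": "Payroll Co Sdn Bhd", "domain": "payrollco.example"},
    {"name": "CloudCRM", "domain": "www.CloudCRM.example"},
]
AP_LEDGER = [  # accounts-payable payees
    {"payee": "PAYROLLCO SDN BHD", "domain": "payrollco.example"},
    {"payee": "Design Studio", "domain": "designstudio.example"},
]
OAUTH_GRANTS = [  # identity-provider OAuth application grants
    {"app": "CloudCRM", "domain": "cloudcrm.example", "scopes": ["directory.read"]},
    {"app": "NoteTaker", "domain": "notetaker.example", "scopes": ["calendar.read"]},
]
CARD_TRANSACTIONS = [  # corporate card spend, often the only trace of shadow SaaS
    {"merchant": "NOTETAKER.EXAMPLE", "domain": "NOTETAKER.EXAMPLE", "amount": 49.0},
]


@dataclass
class Vendor:
    domain: str
    names: set = field(default_factory=set)    # every name the vendor appears under
    sources: set = field(default_factory=set)  # which systems know about it


def normalise_domain(value: str) -> str:
    """Lower-case and strip a leading 'www.' so one vendor matches across systems."""
    d = value.strip().lower()
    return d[4:] if d.startswith("www.") else d


def build_inventory(procurement, ap_ledger, oauth_grants, card_transactions) -> dict:
    """Merge the four extracts into a single inventory keyed by normalised domain."""
    inventory: dict = {}
    feeds = [
        ("procurement", procurement, "name"),
        ("ap", ap_ledger, "payee"),
        ("oauth", oauth_grants, "app"),
        ("card", card_transactions, "merchant"),
    ]
    for source, rows, name_key in feeds:
        for row in rows:
            domain = normalise_domain(row["domain"])
            vendor = inventory.setdefault(domain, Vendor(domain))
            vendor.names.add(row[name_key])
            vendor.sources.add(source)
    return inventory


def shadow_vendors(inventory: dict) -> list:
    """Vendors seen in spend or identity data but absent from procurement records."""
    return sorted(d for d, v in inventory.items() if "procurement" not in v.sources)


# Dimension scores (0-3). The weights and cut-offs below are assumptions for the example.
SENSITIVITY = {"regulated_pii": 3, "payment_card": 3, "credentials": 3, "internal": 2, "public": 0}
CRITICALITY = {"halts_critical_process": 3, "degrades_process": 2, "none": 0}
INTEGRATION = {"source_code": 3, "network": 3, "api": 2, "sso_or_oauth": 1, "none": 0}


def assign_tier(sensitivity: str, criticality: str, integration: str) -> int:
    """Tier-1 (highest risk) to Tier-4 from the summed dimension scores."""
    total = SENSITIVITY[sensitivity] + CRITICALITY[criticality] + INTEGRATION[integration]
    if total >= 7:
        return 1
    if total >= 5:
        return 2
    if total >= 2:
        return 3
    return 4


# Constructed assessment inputs keyed by domain: (sensitivity, criticality, integration).
ASSESSMENTS = {
    "payrollco.example": ("regulated_pii", "halts_critical_process", "api"),
    "cloudcrm.example": ("regulated_pii", "degrades_process", "sso_or_oauth"),
    "designstudio.example": ("public", "none", "none"),
}


def tier_inventory(inventory: dict, assessments: dict) -> dict:
    """Map each vendor domain to its tier; None means not yet assessed."""
    tiers = {}
    for domain in inventory:
        dims = assessments.get(domain)
        tiers[domain] = assign_tier(*dims) if dims else None
    return tiers


if __name__ == "__main__":
    inv = build_inventory(PROCUREMENT, AP_LEDGER, OAUTH_GRANTS, CARD_TRANSACTIONS)
    print("shadow (not in procurement):", shadow_vendors(inv))
    for domain, tier in sorted(tier_inventory(inv, ASSESSMENTS).items()):
        print(f"{domain:24} tier={tier} sources={sorted(inv[domain].sources)}")
```

Vendors with a tier of None are the ones discovered only through finance or identity data; in practice they need an assessment before they can be placed, and leaving them as an explicit gap is safer than silently defaulting them to the lowest tier.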
We author tier-appropriate questionnaires combining the Cloud Security Alliance CAIQ Lite (cloud vendors), Shared Assessments SIG (broad enterprise), and bespoke questions covering Malaysian regulatory hooks (PDPA 2024, BNM RMiT data residency, NACSA Cyber Security Act 2024). Different questionnaires for different tiers — Tier-4 vendors get a 25-question screen; Tier-1 vendors get a 200+ question deep dive.
Questionnaire distribution and response collection runs in your existing GRC platform (ServiceNow VRM, OneTrust, ProcessUnity, SecurityScorecard Atlas) or in a lightweight custom spreadsheet workflow if you don't have one.
Self-attestation alone is not enough for material vendors. We collect and review supporting evidence: SOC 2 Type II report, ISO 27001 certificate and statement of applicability, recent penetration test executive summary, business continuity test report, breach history and notification record, sub-processor list with their attestations.
Evidence is reviewed against the questionnaire response — gaps and contradictions are documented and raised with the vendor for remediation or risk acceptance.
For Tier-1 vendors (typically 5-10% of the population) we conduct an on-site audit covering: physical security walkthrough, sample log review, control-walkthrough interviews with named control owners, change management evidence sampling, incident response drill observation, and access management evidence collection.
The on-site audit produces a structured findings report aligned to your control framework, with findings categorised by severity and target remediation date agreed with the vendor.
Annual reassessment leaves long blind windows. Continuous monitoring tools (BitSight, SecurityScorecard, RiskRecon, UpGuard) surface external attack surface signals — exposed services, expired certificates, breached credentials, dark-web mentions — between annual reassessments. We integrate selected tooling, define alert thresholds per vendor tier, and embed signal review into the third-party risk operating cadence.
Material posture deterioration triggers an out-of-cycle reassessment — the right model for catching vendor incidents in the window when they actually matter.
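The per-tier alert thresholds and the out-of-cycle reassessment trigger described above, as an added example that is illustrative code for this page rather than any monitoring vendor's API or the consultancy's own tooling. It scores a constructed feed of external-posture signals (the signal types named above) over a trailing 30-day window, compares each vendor's score with a threshold set by its tier, and also treats breached credentials as an immediate trigger for Tier-1 and Tier-2 vendors regardless of score. The signal weights, thresholds, window length and sample signals are all assumptions.

```python
"""Continuous-monitoring signal triage per vendor tier (added example, constructed data)."""
from datetime import date, timedelta

# Assumed weights per external signal type; higher means a stronger posture deterioration.
SIGNAL_WEIGHT = {
    "exposed_service": 2,
    "expired_certificate": 1,
    "dark_web_mention": 3,
    "breached_credentials": 4,
}
# Assumed score at or above which a vendor in that tier gets an out-of-cycle reassessment.
REASSESS_THRESHOLD = {1: 3, 2: 5, 3: 8, 4: 12}
# Signals that trigger reassessment for Tier-1/Tier-2 vendors on sight, whatever the score.
CRITICAL_FOR_TOP_TIERS = {"breached_credentials"}
WINDOW = timedelta(days=30)

# Constructed vendor tiers (as produced by an earlier tiering exercise) and signal feed.
TIERS = {
    "payrollco.example": 1,
    "cloudcrm.example": 2,
    "notetaker.example": 3,
    "designstudio.example": 4,
}
SIGNALS = [
    {"domain": "payrollco.example", "signal": "expired_certificate", "observed": date(2025, 3, 28)},
    {"domain": "payrollco.example", "signal": "exposed_service", "observed": date(2025, 3, 30)},
    {"domain": "cloudcrm.example", "signal": "breached_credentials", "observed": date(2025, 3, 20)},
    {"domain": "cloudcrm.example", "signal": "dark_web_mention", "observed": date(2025, 1, 5)},
    {"domain": "notetaker.example", "signal": "exposed_service", "observed": date(2025, 3, 10)},
    {"domain": "notetaker.example", "signal": "dark_web_mention", "observed": date(2025, 3, 12)},
    {"domain": "notetaker.example", "signal": "breached_credentials", "observed": date(2025, 3, 25)},
    {"domain": "designstudio.example", "signal": "exposed_service", "observed": date(2025, 3, 15)},
]


def window_signals(signals, as_of, window=WINDOW) -> dict:
    """Group signals by vendor domain, keeping only those inside the trailing window."""
    grouped = {}
    for s in signals:
        age = as_of - s["observed"]
        if age < timedelta(0) or age > window:
            continue  # future-dated or stale signal: ignore
        grouped.setdefault(s["domain"], []).append(s)
    return grouped


def score_signals(signals, as_of, window=WINDOW) -> dict:
    """Sum the weights of in-window signals per vendor domain."""
    return {
        domain: sum(SIGNAL_WEIGHT[s["signal"]] for s in group)
        for domain, group in window_signals(signals, as_of, window).items()
    }


def reassessment_queue(signals, tiers, as_of, window=WINDOW) -> list:
    """Return (domain, tier, score, reason) for vendors needing out-of-cycle reassessment,
    ordered by tier and then by descending score."""
    grouped = window_signals(signals, as_of, window)
    queue = []
    for domain, group in grouped.items():
        tier = tiers.get(domain)
        if tier is None:
            continue  # unassessed vendor: handled by the inventory process, not here
        score = sum(SIGNAL_WEIGHT[s["signal"]] for s in group)
        critical = tier <= 2 and any(s["signal"] in CRITICAL_FOR_TOP_TIERS for s in group)
        if critical:
            queue.append((domain, tier, score, "critical_signal"))
        elif score >= REASSESS_THRESHOLD[tier]:
            queue.append((domain, tier, score, "threshold"))
    return sorted(queue, key=lambda q: (q[1], -q[2]))


if __name__ == "__main__":
    as_of = date(2025, 3, 31)
    for domain, tier, score, reason in reassessment_queue(SIGNALS, TIERS, as_of):
        print(f"reassess {domain:24} tier={tier} score={score} reason={reason}")
```

Note that the Tier-4 vendor's exposed service scores below its threshold and is left for the next scheduled cycle, while the same signal counts toward an immediate reassessment of the Tier-1 payroll provider; that asymmetry is the point of tier-specific thresholds.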
Strong contracts shape outcomes when things go wrong. We review and uplift vendor contracts covering: data processing agreement (PDPA 2024 alignment), security control obligations, breach notification timelines (commonly 24-72 hours), audit rights, sub-processor consent, data residency commitments, indemnification, SLA penalties, and exit/data-return provisions.
We work alongside your legal team — we do not replace them. Our role is to translate technical control requirements into precise contractual language and to flag where standard vendor templates fall short of regulatory expectations.
RMiT's outsourcing series (around chapter 11) sets explicit expectations on Malaysian financial institutions managing third-party technology providers — including pre-engagement due diligence, ongoing oversight, contractual security requirements, and the FI's continuing accountability for the outsourced service. The specific clause numbers and current requirements take precedence — refer to the published RMiT Policy Document at bnm.gov.my.
A security questionnaire is the vendor's self-attestation against a structured set of controls (CAIQ, SIG, custom). It is fast, cheap and a reasonable signal for low/medium-criticality vendors. An audit is independent verification — evidence review, sample testing, on-site walkthrough — and is the right level for Tier-1 vendors holding regulated data, processing payments, or providing material outsourced services.
Tier the vendor population by data sensitivity and business criticality. Typically 5-10% of the vendor population (the Tier-1 cohort holding regulated data or providing material services) justifies on-site audit. The remaining 90-95% sits in questionnaire-with-evidence-spot-check tiers. The exact split depends on regulatory context — BNM-regulated FIs typically audit a wider Tier-1 cohort.
For Tier-1 and Tier-2 vendors, yes. These tools surface external attack surface signals (open ports, weak certificates, leaked credentials, dark-web exposure) at no per-vendor incremental cost. They are not a substitute for direct evidence review but they catch material posture changes between annual reassessments — which is where most third-party breaches actually surface.
Under BNM RMiT and most regulatory regimes the contracting financial institution remains accountable for outsourced services — you cannot outsource accountability. PDPA 2024 also holds the data controller responsible for processor breaches. Strong contractual provisions (DPAs, SLA penalties, incident notification timelines, audit rights, indemnities) shape commercial recovery but do not change regulatory accountability.
Scoping calls take 30 minutes. Inventory-through-Tier-1-audit completes in 12-16 weeks for typical enterprise scope.