IT Vendor Management (Part 1 of 2)
This opening episode of the IT Vendor Management section of the ISACA Certified Information Systems Auditor (CISA) exam prep series covers the fundamentals of sourcing and governing vendor relationships. It examines why vendor risk has become critical, the different ways a technology function can be sourced, how to run a sound outsourcing process, what accountability remains with the organization, and what a strong vendor contract must contain.
What this episode covers
- Why vendor risk matters — how heavy reliance on third parties increases the risk of breaches and how best practices anchor a sound vendor program.
- Sourcing models — insourcing, outsourcing, hybrid arrangements, and onsite, nearshore, and offshore location options.
- Deciding how to source — the key questions about core functions, knowledge replication, cost, quality, risk, and legal limits before committing.
- The outsourcing process — defining scope, describing service levels, running due diligence, and communicating the decision to all stakeholders.
- Non-transferable accountability — why management responsibility stays with the organization regardless of what work is handed to a vendor.
- Vendor contract essentials — the full set of provisions covering quality, security, performance, confidentiality, audit rights, continuity, ownership, and subcontractors.
- Service level agreements — how they commit vendors to defined performance standards and serve as a primary control instrument.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What are the main ways to source a technology function?
Sourcing choices cover two questions: who does the work and where it happens. On who, the options are insourcing with your own staff, outsourcing fully to a vendor, or a hybrid blend of the two. On where, work can be onsite within your own department, offsite or nearshore in the same region, or offshore in a different geographic region entirely, to take advantage of time zones and labor rates.
When you outsource a function, who retains accountability?
Accountability always stays firmly with your own management; you can transfer the work but not the responsibility. Outsourcing is therefore a strategic decision that reshapes the value chain rather than simply a purchase, and management must continue to oversee the vendor to fulfill that accountability.
What should a strong vendor contract include?
A strong contract spells out service quality and violation reporting, defines security and network control responsibilities, sets performance parameters and a dispute process, requires confidentiality agreements, includes an unambiguous right-to-audit clause, addresses business continuity and disaster recovery, establishes data and intellectual property ownership, requires legal compliance including future regulations, and mandates disclosure of subcontractors.
What is a service level agreement, and how does it function as a control?
A service level agreement commits the vendor to a defined standard of uptime and support, and it carries penalties when the vendor falls short and may offer bonuses for exceeding targets. Treating it as an instrument of control rather than just a formality is essential, and cross-border outsourcing deals must also account for applicable local laws.
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in IT Vendor Management (Part 1 of 2).