Right-to-audit clause
Definition
A contractual provision that gives the organisation the right to audit or assess the vendor's security controls, either directly or through a third-party assessor, during the term of the contract. This clause is required by many regulatory frameworks including PCI-DSS and is considered a baseline expectation in ISO 27001 supplier agreements.
Related terms
- Due diligence questionnaire (DDQ): A structured questionnaire sent to a prospective vendor before onboarding, asking the vendor to describe its security controls, certifications, incident history, subprocessor...
- Offboarding controls: The set of actions taken when a vendor relationship ends: revoking access credentials, recovering or destroying shared data, terminating network connectivity, and...
- Subprocessor: A third party engaged by a vendor (the processor) to perform part of the service that involves the organisation's data. Under GDPR...
- Third-party risk: The information security, operational, legal, or reputational risk introduced to an organisation by its relationships with external parties including vendors, suppliers, cloud...
- Vendor tiering: The classification of vendors into risk tiers, typically Tier 1 (critical), Tier 2 (significant), and Tier 3 (low), based on factors such...
Explained in
- Third-Party Risk Management Programme