VM-03 Third-Party / Vendor Management

Cloud Provider Governance (GCP)

Shared-responsibility and cloud obligations are managed.

Domain: Third-Party / Vendor Management
Control type: Preventive/Detective
Automated / manual: Manual
Frequency: Continuous
Framework reference: MAS Cloud / Outsourcing

What good looks like

Shared-responsibility boundary, data location and exit strategy documented/managed.

Risk if it fails

Gaps in shared-responsibility; lock-in; residency breach.

How Tess tests it

3 tests — each concludes only on cited evidence.

Shared-responsibility & obligations documented

Design

Procedure: Inspect the documentation.
Expected: Documented.
Sample: 1 (design inspection)
Evidence: Cloud contract, responsibility matrix, exit plan.

Data residency/location managed

Operating

Procedure: Inspect residency arrangements.
Expected: Compliant.
Sample: 25 (or full config inspection)
Evidence: Cloud contract, responsibility matrix, exit plan.

Exit/portability strategy documented

Operating

Procedure: Inspect the exit plan.
Expected: Exists.
Sample: 25 (or full config inspection)
Evidence: Cloud contract, responsibility matrix, exit plan.

Evidence Tess looks for

Cloud contract, responsibility matrix, exit plan.

More in Third-Party / Vendor Management

VM-01 Vendor / Third-Party Risk Assessment VM-02 SOC Report Review (SOC 1/2) VM-04 Outsourcing Register & MAS Compliance VM-05 Third-Party Access Management

Want Tess to test VM-03 against your evidence?