cisa-d2-governance-management-it-vendor-management

IT Vendor Management

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is IT Vendor Management

IT Vendor Management is the governance discipline of systematically selecting, contracting, monitoring, and retiring external organizations that supply technology products, services, or capabilities to an enterprise. It governs the full vendor lifecycle — from due diligence and onboarding through performance management, risk oversight, and offboarding — ensuring third-party relationships deliver business value while staying within the organization's risk tolerance and compliance obligations. Within ISACA CISA, IT Vendor Management is a core knowledge area in Domain 2 (Governance and Management of IT), functioning as essential governance infrastructure that bridges procurement, security, legal, and operations.

Where it stops · what it isn't

—IS: Lifecycle management of external IT suppliers — infrastructure, software, SaaS, managed services, consultancies, and cloud providers — from selection through termination.
—IS: Risk assessment and continuous monitoring of vendor security posture, performance, and compliance status.
—IS: Contract governance — defining and enforcing SLAs, audit rights, data handling obligations, and exit provisions.
—IS: Sub-contractor and nth-party visibility into the vendor's own supply chain.
—IS NOT: Internal IT resource management or employee procurement — vendor management applies to external third parties, not in-house staff or contractors engaged as de facto employees.
—IS NOT: General procurement or accounts payable — vendor management extends far beyond purchasing to ongoing risk and relationship governance.
—IS NOT: Enterprise Architecture or IT Strategy, though vendor decisions inform both — vendor management executes within the strategic and architectural direction those disciplines set.
—IS NOT: Incident response or security operations, though vendor-related breach events trigger vendor management remediation actions.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

IT GovernanceGovernance and Management of IT (CISA Domain 2)

REQUIRES

IT Risk ManagementIT Policies and StandardsIT Resource Management

ENABLES

Enterprise Risk Management (ERM)Business Continuity ManagementRegulatory Compliance (NIST CSF, ISO 27001, GDPR, HIPAA, SOX, NIS2)

RELATED TO

IT Strategy ManagementIT Portfolio and Project Governance

CONSTRAINS

Cloud and SaaS Adoption Decisions

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.