# LSOPS03-BP01 Perform supplier and vendor assessment of each vendor
<a name="lsops03-bp01"></a>

 Establish criteria for the selection and evaluation of suppliers, and create a plan for the monitoring and re-evaluation of those suppliers. Assess vendor controls while considering the intended use of the services and possible risks involved to the system. 

 **Desired outcome:** Vendors are established as approved IT suppliers of purchased services. 

 **Common anti-patterns:** 
+  Treating AWS as a SaaS provider whose solutions usually directly support GxP processes, and therefore incorrectly assessing the risk of using AWS services for to support GxP workloads. 
+  Asking questions in the supplier questionnaire that are irrelevant considering the services to be used. 

 **Level of risk exposed if this best practice is not established:** High 

## Implementation guidance
<a name="implementation-guidance"></a>

 Use as much supplier documentation as possible to expedite a supplier assessment of AWS. 

### Implementation steps
<a name="implementation-steps"></a>

1.  Perform a general market assessment to establish AWS position in the market and financial stability. 

1.  Collected documentary evidence of the suitability of the AWS control framework for supporting GxP workload. Establish an AWS account and download required third-party assessment reports and certifications from AWS Artifact. 

1.  If there are perceived gaps in the information obtained, contact your account team to complete a supplier assessment questionnaire. 

1.  With the downloaded documentary evidence and questionnaire, perform an analysis and generate a assessment summary with your conclusions.  Retain this in case of inspection. 

## Resources
<a name="resources"></a>

 **Related tools:** 
+  [AWS Artifact](https://aws.amazon.com/artifact/)