A periodic assessment is a scheduled review of a vendor’s controls against a defined set of requirements or frameworks. It is meant to confirm whether the supplier’s current posture still matches the risk originally accepted, rather than redoing procurement or onboarding from scratch.
Expanded Definition
Periodic assessment is the scheduled re-evaluation of a supplier, system, or service against a defined control baseline after onboarding, rather than a fresh due diligence exercise. In cybersecurity and identity governance, it is used to confirm that the current risk posture still matches the risk originally accepted, especially when access, data handling, or operational dependencies have changed. The concept is closely aligned with ongoing assurance in NIST Cybersecurity Framework 2.0, where organisations are expected to continuously identify, assess, and manage external risk.
Definitions vary across vendors and procurement teams on cadence, evidence depth, and whether the assessment applies only to critical suppliers or to all third parties. In practice, a periodic assessment may include control attestations, configuration evidence, incident history, access review outcomes, and changes in sub-processors or integrations. For NHI-heavy environments, the scope often needs to extend to API keys, service accounts, tokens, and automation pathways because these assets can persist long after human onboarding decisions have been made. The most common misapplication is treating periodic assessment as a paperwork refresh, which occurs when teams repeat questionnaires without validating whether control conditions or access paths have materially changed.
Examples and Use Cases
Implementing periodic assessment rigorously often introduces review overhead and evidence collection effort, requiring organisations to weigh assurance quality against operational delay.
- A cloud provider is re-reviewed every six months to verify encryption, logging, and incident response controls still match contractual requirements.
- A payroll SaaS vendor undergoes a focused reassessment after a material change in data processing locations and sub-processor usage.
- An internal platform team rechecks a service account’s privileges after new automation workflows are added to production deployment pipelines.
- A payments supplier is assessed against NIST Cybersecurity Framework 2.0 mappings to confirm continued alignment with the organisation’s risk thresholds.
- NHIMG notes that only 5.7% of organisations have full visibility into their service accounts, which is why the Ultimate Guide to NHIs is often used to frame reassessment scope for non-human access.
For identity-rich vendors, periodic assessment may also include rotation evidence, offboarding evidence, and proof that privileged tokens are not left valid longer than intended. In mature programmes, the assessment outcome can trigger conditional renewal, remediation deadlines, or access reduction rather than a binary pass or fail.
Why It Matters for Security Teams
Periodic assessment matters because risk changes after onboarding: new integrations appear, controls degrade, and third-party exposure can expand silently. Without scheduled reassessment, suppliers can remain approved even after their control environment drifts away from the originally accepted posture. That gap is especially consequential where NHI and machine-to-machine access are involved, because invisible credentials can continue operating even when the business relationship has changed. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and the Ultimate Guide to NHIs also reports that 71% of NHIs are not rotated on schedule.
Security teams use periodic assessment to decide whether to retain, restrict, or retire a supplier relationship, especially when a vendor touches sensitive data or privileged automation. It is also a practical control for audit readiness, since it creates a repeatable record that risk was reviewed on a defined cadence instead of assumed stable. Organisations typically encounter the cost of weak reassessment only after a supplier incident, at which point periodic assessment becomes operationally unavoidable to contain exposure and reset trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM, ID.RA, ID.SC | CSF 2.0 covers asset, risk, and supply-chain governance for periodic supplier reassessment. |
| NIST SP 800-53 Rev 5 | CA-7, SA-9, SR-6 | Continuous monitoring and supplier controls support recurring assessment of third-party risk. |
| ISO/IEC 27001:2022 | A.5.19, A.5.22, A.8.15 | ISO ISMS expectations include supplier relationships and ongoing monitoring of security controls. |
| NIST SP 800-63 | IAL, AAL, FAL | Digital identity assurance levels inform periodic checks where vendor identity proofing or authentication is involved. |
| OWASP Non-Human Identity Top 10 | NHI guidance emphasizes recurring review of service accounts, secrets, and machine access paths. |
Use scheduled reviews to confirm supplier controls, risks, and dependencies still match accepted posture.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org