A third-party vendor just failed your security audit. What steps should you take next?
What would you do if a vendor failed your security audit? Share your next steps and strategies.
-
If they failed your security audit, you need to first communicate with them. This is to let them know that they can't meet your expectations and needs. You need to ensure that you keep your organization secured. This is to ensure that it wasn't affected because of this vendor. You need to then look for another reliable vendor. This is to ensure that the vendors wouldn't affect your organization's security. You need to make sure that the contract between you and this first vendor is terminated before getting another one. This is to ensure that there isn't any breach of contract.
-
When a vendor fails a security audit, act swiftly. Assess the risk to determine exposure. Contain threats by limiting vendor access. Engage the vendor for a remediation plan with clear timelines. Enhance controls by adding stricter access management and monitoring. Review contracts to ensure security expectations are enforceable. Implement continuous monitoring and schedule follow-up audits to confirm compliance. Clear communication and proactive management safeguard your data while holding vendors accountable.
-
With many years of internal & external AUDITs, there will always be at least a few recommendation points in their final report. If nothing is published, it's probably not the norm. Still, most AUDIT points are either minor or too costly to implement (and the company continues to take slight risks). However, if a 3rd party business party completely FAILs the AUDIT with an unsatisfactory status, this must be fully resolved:

* Research all findings in depth
* Work with internal audit & security experts
* Seek any 3rd party plans to roll out improvements
* Prioritize most critical needs 1st in vendor interface
* Isolate, use VDIs, VPN/MFA and other high security mitigations
* Even de-couple automation if completely unsafe (which should be rare)
-
First, **assess the risk impact** and identify **compliance gaps**. Notify internal stakeholders and **engage the vendor** to address deficiencies. Establish a **remediation plan** with clear timelines and requirements. If critical, **limit access** or pause engagements until issues are resolved. Enhance **contract terms** for stricter security controls. Conduct **follow-up audits** to ensure compliance. Consider alternative vendors if risks remain unmitigated.
-
Once, when I was delivering a project, the audit vendor pointed out that somebody could get cut on a window edge. All the edges were covered and then we passed the audit. The lesson here is to pay attention to the smallest detail.