Every organization is dependent on other organizations outside of itself. It’s unlikely that your organization writes all of its own software, builds its own hardware, owns the buildings it occupies, and is an internet service provider. Your security is dependent on many of these things but if they are produced outside of your organization, your control is limited. Previous chapters touched on risk and controls for third parties, but what happens when those third parties are critical to your scoped environment and audit? You need to manage the security where the third party touches your scoped environments. Before you manage, you need to measure. To measure the security of an outside organization, you need to use everything you’ve learned about being audited and apply it to someone else. Even if you pay someone else to audit the third party, you still need to define the scope, requirements, and testing, and interpret the results.