Vendor Risk Assessment: The Complete...

Your organisation's security is only as strong as your weakest vendor. The 2023 MOVEit breach affected over 2,600 organisations — not because they were individually targeted, but because they all used the same file-transfer vendor. The 2020 SolarWinds attack compromised 18,000 organisations through a single supply chain vector. And under modern regulations, you are liable for your vendors' failures: GDPR holds controllers accountable for processor conduct, NIS2 mandates supply chain security, and DORA requires a comprehensive register of all ICT third-party providers.

Vendor risk assessment — the systematic process of evaluating, monitoring, and managing the risks that third-party relationships introduce to your organisation — is no longer optional. Whether you call it third-party risk management (TPRM), vendor risk management (VRM), or supply chain risk management, the goal is the same: understand the risks your vendors create and reduce them to acceptable levels.

This guide provides a complete, practical framework for building and operating a vendor risk assessment programme that satisfies regulatory requirements and genuinely protects your organisation.

Quick Reference	Details
What is vendor risk assessment?	Systematic evaluation of risks introduced by third-party vendors, suppliers, and service providers
Other names	Third-party risk management (TPRM), vendor risk management (VRM), supply chain risk management
Key regulations	GDPR (Art. 28), NIS2 (Art. 21), DORA (Arts. 28–30), ISO 27001 (Annex A.5.19–5.23), SOC 2
Primary risk categories	Security, privacy, operational, compliance, financial, reputational, strategic
Typical vendor tiering	Critical (Tier 1), Important (Tier 2), Standard (Tier 3), Low-risk (Tier 4)
Assessment frequency	Annual for critical vendors; biennial for important; triennial or event-driven for others
Key deliverables	Vendor register, risk assessments, tiering model, due diligence reports, ongoing monitoring

Key Takeaways

Vendor risk assessment is the process of identifying, evaluating, and mitigating risks that third-party vendors introduce to your organisation

Modern regulations (GDPR, NIS2, DORA, PCI DSS 4.0) explicitly require organisations to assess and manage vendor/supply chain risks

Statistic	Source
62% of data breaches involve third-party vectors	Verizon 2025 DBIR
98% of organisations have at least one vendor that has experienced a breach	SecurityScorecard
Average $4.88M cost of a data breach; third-party breaches cost 12% more	IBM Cost of a Data Breach 2025
54% of organisations don't assess third-party security before onboarding	Ponemon Institute
73% of organisations experienced at least one supply chain disruption	BCI Supply Chain Resilience Report

Domain	What You're Assessing	Example Risks
1. Security	Vendor's cybersecurity controls, incident management, access controls	Data breach, ransomware, unauthorised access to your data
2. Privacy	How the vendor handles personal data; compliance with data protection laws	GDPR violation through vendor; unauthorised data sharing; inadequate DPA
3. Operational	Vendor's ability to deliver services reliably; business continuity	Service outage, vendor bankruptcy, key person dependency
4. Compliance	Vendor's adherence to regulations, standards, and contractual obligations	Vendor non-compliance creating liability for you; audit failures
5. Financial	Vendor's financial stability and viability	Vendor insolvency; cost increases; contract disputes
6. Reputational	Vendor's public image and conduct; potential for negative association	Vendor involved in scandal, ethical violations, or public controversy
7. Strategic	Vendor lock-in, concentration risk, alignment with your business strategy	Over-dependence on single vendor; inability to switch; misaligned roadmaps

Factor	Weight	How to Assess
Data access	High	Does the vendor access, process, or store your data (especially personal or sensitive data)?
System access	High	Does the vendor have access to your IT systems, networks, or infrastructure?
Business criticality	High	Would a vendor failure significantly impact your operations?
Regulatory exposure	Medium	Does the vendor relationship create regulatory compliance obligations?
Replaceability	Medium	How easily could you replace the vendor? (Lower replaceability = higher risk)
Financial exposure	Medium	What is the financial value of the relationship?
Data volume	Medium	How much data does the vendor process?

Tier	Name	Criteria	Assessment Depth	Frequency
Tier 1	Critical	Accesses sensitive data AND/OR provides business-critical services; failure would severely impact operations	Full due diligence, onsite/virtual assessment, evidence review	Annual
Tier 2	Important	Accesses some data OR provides important (but not critical) services	Detailed questionnaire + evidence review	Annual or biennial
Tier 3	Standard	Limited data access; provides standard services; easily replaceable	Standard questionnaire	Biennial or triennial
Tier 4	Low-risk	No data access; no system access; commodity services	Simplified check or self-certification	Event-driven only

Vendor	Tier	Reasoning
Cloud hosting provider (AWS, Azure)	Tier 1	Stores all production data; total dependency; high regulatory exposure
HR/payroll SaaS platform	Tier 1	Processes employee personal data including financial data; business-critical
CRM platform (Salesforce, HubSpot)	Tier 1	Stores customer data; critical to sales operations
External penetration testing firm	Tier 2	Accesses systems during testing; limited scope and duration
Marketing email platform	Tier 2	Processes customer email addresses; important but replaceable
Office cleaning service	Tier 4	No data or system access; commodity service
Office furniture supplier	Tier 4	No ongoing relationship; no risk exposure

Step	Activity	Deliverable
1.1	Identify all third-party relationships (procurement records, AP invoices, contract database, IT asset inventory)	Complete vendor list
1.2	Classify each vendor by type (SaaS, on-premise software, professional services, outsourced operations, etc.)	Categorised vendor register
1.3	Document what data each vendor accesses, processes, or stores	Data mapping per vendor
1.4	Document what systems each vendor accesses	System access inventory
1.5	Apply the tiering model to assign each vendor a tier	Tiered vendor register
1.6	Identify vendor owners (the internal person responsible for each vendor relationship)	Vendor ownership assignments

Field	Description
Vendor name	Legal entity name
Primary contact	Vendor's account manager or security contact
Internal owner	Who in your organisation owns this vendor relationship
Service description	What the vendor provides
Tier	Critical / Important / Standard / Low-risk
Data types accessed	Personal data categories, sensitive data, financial data, etc.
System access	What systems the vendor can access
Contract dates	Start date, renewal date, termination notice period
DPA in place?	Yes/No (with date)
Last assessment date	Date of most recent risk assessment
Next assessment due	Date of next scheduled assessment
Risk score	Current risk rating

Method	Tier 1	Tier 2	Tier 3	Tier 4
Vendor questionnaire	Comprehensive (150+ questions)	Detailed (80–120 questions)	Standard (30–50 questions)	Not required
Evidence review (policies, certifications, audit reports)	Yes — review key documents	Yes — review certifications	Certifications only	Not required
SOC 2 / ISO 27001 report review	Yes — read full report including exceptions	Yes — review summary and exceptions	Accept certificate as evidence	Not required
On-site or virtual assessment	Recommended for top-10 critical vendors	Optional	No	No
Security rating service (BitSight, SecurityScorecard)	Yes — continuous	Yes — periodic	Optional	No
Financial health check (D&B, credit reports)	Yes — annual	Yes — at onboarding	Optional	No
Penetration test results	Request if available	Request if available	No	No

Section	What to Look For
Opinion	Unqualified ("clean") opinion — any qualifications are red flags
Description of the system	Does it match what the vendor provides to you?
Controls tested	Do they cover security, availability, confidentiality as relevant?
Exceptions and deficiencies	Any noted deficiencies; how were they remediated?
Subservice organisations	Are the vendor's own vendors (subprocessors) included or excluded?
Complementary User Entity Controls (CUECs)	Controls that you need to implement for the vendor's controls to work
Report period	Is the report current (within the last 12 months)?

Clause	Purpose	Required For
Data Processing Agreement (DPA)	GDPR Article 28 compliance; defines processing scope, obligations, sub-processors	Any vendor processing personal data
Security requirements	Minimum security standards, controls, certifications the vendor must maintain	Tier 1 and Tier 2 vendors
Incident notification	Vendor must notify you within defined timeframe (24–72 hours) of security incidents	All tiers accessing data
Audit rights	Right to audit the vendor's security controls and compliance	Tier 1 and Tier 2
Sub-processor management	Notification of new sub-processors; right to object	Any vendor processing personal data
Data return and deletion	At termination, vendor must return/delete all your data in defined format and timeframe	All tiers handling your data
Business continuity	Vendor must maintain BCP/DR plans and test them	Tier 1
Insurance	Minimum cyber insurance coverage	Tier 1 and Tier 2
Termination rights	Right to terminate for material breach, including security or compliance failures	All tiers
Liability and indemnification	Appropriate liability caps and indemnification for vendor-caused breaches	All tiers (proportional)
SLA and performance	Service levels, uptime guarantees, response times	Tier 1 and Tier 2

Activity	Frequency	Source
Security rating monitoring	Continuous (automated)	BitSight, SecurityScorecard, UpGuard, RiskRecon
Breach and incident alerts	Continuous (automated)	News alerts, vendor notifications, dark web monitoring
Financial health monitoring	Quarterly	Dun & Bradstreet, credit reporting agencies
Certification expiry tracking	At expiry dates	Vendor register; calendar reminders
Contract renewal review	Before each renewal	Contract management system
Sub-processor change monitoring	As notified	Vendor DPA notification obligations
Performance review	Quarterly (Tier 1), semi-annually (Tier 2)	SLA reports, incident logs, support metrics
Regulatory change impact	Continuous	Regulatory monitoring (NIS2, DORA changes affecting vendors)
Full reassessment	Annual (Tier 1), biennial (Tier 2), triennial (Tier 3)	Questionnaire + evidence review cycle

Step	Activity	Verification
1	Revoke all access — system credentials, VPN accounts, API keys, physical access	Confirm in IAM and access logs
2	Data return — obtain all your data in the agreed format	Verify completeness against data inventory
3	Data deletion — vendor certifies deletion of all your data (including backups)	Obtain written deletion certificate
4	Knowledge transfer — document any vendor-specific knowledge needed for transition	Transition documentation complete
5	Update vendor register — mark vendor as offboarded; retain assessment records per retention policy	Register updated
6	Lessons learned — document what worked and what didn't for future vendor relationships	Post-vendor review notes

Factor	Low (1)	Medium (2)	High (3)	Critical (4)
Data sensitivity	No personal data	Basic personal data	Sensitive/special category data	Large-scale sensitive data
System access	No access	Limited/read-only access	Admin or write access	Root/infrastructure access
Business criticality	Not critical; easily replaced	Important but replaceable within days	Critical; replacement takes weeks	Mission-critical; no alternative
Regulatory exposure	No regulatory implication	Minor regulatory touchpoint	Significant regulatory requirement	Subject to specific regulation (DORA, PCI)
Data volume	Minimal	Moderate	Significant	Very large scale

Factor	Strong (1)	Adequate (2)	Weak (3)	Absent (4)
Security certifications	ISO 27001 + SOC 2 current	One certification current	Certification in progress	No relevant certifications
Security controls	Comprehensive, evidence-based	Adequate based on questionnaire	Gaps identified	Major gaps or unknown
Incident management	Tested IR plan; notified within 24 hrs	IR plan exists; notification defined	IR plan unclear; notification vague	No IR plan or notification commitment
Privacy controls	DPA in place; privacy programme mature	DPA in place; basic privacy controls	DPA incomplete or unsigned	No DPA; no privacy controls
Business continuity	Tested BCP/DR; RTO/RPO defined	BCP/DR exists; testing unclear	Plans exist but outdated	No BCP/DR plans

#	Question	Expected Evidence
1	Do you hold ISO 27001 certification? If so, provide the certificate.	ISO 27001 certificate (current)
2	Do you have a SOC 2 Type II report? If so, provide the most recent report.	SOC 2 report (within 12 months)
3	Describe your data encryption approach (at rest and in transit).	Encryption standards (AES-256, TLS 1.2+)
4	How do you manage access control and authentication for systems that store our data?	MFA, RBAC, privileged access management
5	Describe your incident response process and notification timelines.	IR plan; notification SLA (≤72 hours)
6	How do you manage vulnerabilities? What is your patching cadence?	Vulnerability management policy; patch SLA
7	Do you conduct regular penetration testing? Provide the most recent summary.	Annual pentest report (remediation status)
8	Where is our data stored (geographic locations and data centres)?	Data centre locations; EU/EEA confirmation
9	Do you use sub-processors? If so, list them and describe their role.	Sub-processor list with data flows
10	Describe your business continuity and disaster recovery capabilities.	BCP/DR plans; RTO/RPO; test results

Score	Inherent Risk Level
5–8	Low
9–12	Medium
13–16	High
17–20	Critical

Requirement	What It Means for Vendor Risk
Supply chain security	Assess security of direct suppliers and service providers
Vulnerabilities specific to each supplier	Understand each vendor's risk profile individually
Overall quality of products/services	Evaluate cybersecurity practices of suppliers
Coordinated risk assessments	Participate in EU-level coordinated supply chain risk assessments where applicable

Phase	Timeframe	Activities	Deliverables
Discovery	Days 1–20	Vendor inventory; data mapping; initial classification; stakeholder alignment	Complete vendor list; initial tiering
Framework	Days 21–40	Tiering model; questionnaire templates; risk scoring methodology; policy development	TPRM policy; assessment templates; scoring model
Priority Assessments	Days 41–70	Assess Tier 1 vendors; review existing contracts; identify gaps	Tier 1 risk assessments; contract gap analysis
Programme Launch	Days 71–90	Onboarding process; monitoring setup; training; Tier 2 assessments begin	Onboarding workflow; monitoring dashboards; training materials

Company Size	Recommended Resources
Small (50–200 employees, 20–50 vendors)	0.5 FTE dedicated to TPRM; GRC tool or spreadsheet
Medium (200–1,000 employees, 50–200 vendors)	1–2 FTE; dedicated TPRM platform
Large (1,000+ employees, 200+ vendors)	3–5 FTE; enterprise TPRM platform; security rating service

#	Question	Expected Evidence
11	Provide your information security policy.	Written policy (current)
12	Describe your employee security awareness training programme.	Training records; programme description
13	How do you manage third-party/supply chain risk for your own vendors?	TPRM programme description
14	Describe your logging and monitoring capabilities.	SIEM; log retention; alert thresholds
15	What is your data retention and deletion process?	Retention schedule; deletion procedures
16	Describe your change management process.	Change management policy
17	Do you have cyber insurance? What is the coverage amount?	Insurance certificate
18	Have you experienced a data breach or security incident in the last 3 years?	Incident disclosure; remediation summary
19	Describe your secure development lifecycle (if providing software).	SDLC documentation; code review process
20	How do you handle data subject access requests and other GDPR rights?	DSAR process documentation

Requirement	What It Means for Vendor Risk
Sufficient guarantees	You must assess that the vendor provides sufficient technical and organisational measures
Written DPA	Binding contract/DPA covering all Article 28(3) requirements
Sub-processor management	Vendor must get your authorisation for sub-processors; equivalent DPA requirements flow down
Audit rights	You must have the right to audit or have audits conducted
Data deletion/return	Vendor must delete or return all personal data at end of engagement
International transfers	If vendor transfers data outside EU, appropriate safeguards (SCCs, adequacy decisions)

Requirement	What It Means for Vendor Risk
ICT third-party risk management	Comprehensive framework for managing all ICT third-party providers
Register of Information	Maintain a complete register of all ICT third-party arrangements (submitted to regulator)
Pre-contracting assessment	Assess risks before entering ICT third-party arrangements
Key contractual provisions	Specific mandatory clauses in ICT service contracts
Concentration risk	Assess whether critical functions depend on too few providers
Exit strategies	Mandatory exit strategies for critical ICT third-party providers
Critical TPP oversight	EU-level oversight framework for critical ICT third-party providers

#	Mistake	Consequence	Prevention
1	No vendor inventory — you don't know who your vendors are	Can't assess what you don't know; shadow IT creates unmanaged risk	Start with procurement and AP records; conduct organisation-wide survey
2	Treating all vendors the same	Critical vendors get insufficient scrutiny; low-risk vendors waste resources	Implement a tiering model before starting assessments
3	Questionnaire fatigue — sending 200 questions to every vendor	Vendors ignore or rush through; you can't process the responses	Tier your questionnaires; accept SOC 2/ISO 27001 in lieu of questionnaires
4	Assessing once and forgetting	Vendor risk profile changes; new threats emerge; controls degrade	Implement continuous monitoring and scheduled reassessments
5	No contractual leverage	You identify risks but can't require the vendor to fix them	Negotiate security and compliance requirements into contracts before signing
6	Ignoring concentration risk	Multiple critical processes depend on one vendor (e.g., AWS)	Map dependencies; develop multi-cloud or fallback strategies for critical services
7	Not assessing sub-processors	Your vendor is compliant, but their sub-processor isn't	Require sub-processor disclosure; assess critical sub-processors
8	No offboarding process	Former vendor retains your data and access	Formal offboarding checklist; deletion certificates; access revocation verification
9	Paper compliance — collecting questionnaires but never acting on findings	Risk register grows but risk doesn't decrease	Assign remediation actions; track closure; escalate overdue items
10	Not involving procurement	Vendors onboarded without risk assessment; contracts signed without security clauses	Integrate TPRM into the procurement workflow; no contract without risk assessment

Vendor Tier	Standard Reassessment	Trigger-Based Reassessment
Tier 1 (Critical)	Annually	Immediately on breach, incident, or material change
Tier 2 (Important)	Every 1–2 years	On breach, contract renewal, or significant change
Tier 3 (Standard)	Every 2–3 years	On breach or contract renewal
Tier 4 (Low-risk)	Not scheduled	Only if risk profile changes

Vendor Risk Assessment: The Complete Third-Party Risk Management Guide (2026)

Key Takeaways

Share article

Need help with compliance?

Table of Contents

Why Vendor Risk Assessment Matters

The Numbers Tell the Story

The Regulatory Imperative

The 7 Domains of Vendor Risk

Vendor Tiering: Prioritising Your Assessments

Tiering Criteria

Tier Definitions

Example Tiering

The Vendor Risk Assessment Lifecycle

Phase 1: Vendor Inventory and Classification

Steps

The Vendor Register

Phase 2: Risk Assessment and Due Diligence

Assessment Methods by Tier

What to Review in a SOC 2 Report

Phase 3: Contractual Controls

Essential Contract Clauses by Risk Area

Phase 4: Ongoing Monitoring

Monitoring Activities

Triggers for Ad-Hoc Reassessment

Phase 5: Offboarding and Exit Management

Vendor Risk Scoring Methodology

Inherent Risk Score

Control Effectiveness Score

Residual Risk

Vendor Risk Assessment Questionnaire Template

Core Security Questions (All Tiers)

Additional Questions for Tier 1 (Critical Vendors)

Vendor Risk for Specific Regulations

GDPR (Article 28)

NIS2 (Article 21(2)(d))

DORA (Articles 28–30)

Building a TPRM Programme from Scratch

90-Day Implementation Plan

Resource Requirements

Common Vendor Risk Assessment Mistakes

Frequently Asked Questions

How many vendors does a typical organisation have?

Can I accept a SOC 2 report instead of sending a questionnaire?

How do I handle vendors that refuse to complete a questionnaire?

What's the difference between vendor risk assessment and vendor due diligence?

How do I prioritise vendor risk remediation?

Is vendor risk assessment required for ISO 27001?

How often should I reassess vendors?

What tools can automate vendor risk assessment?

Related Resources

Conclusion

Related Articles

Business Continuity Plan Template: Complete BCP Guide with Ready-to-Use Framework (2026)

Cyber Insurance Requirements: Complete Guide to Coverage, Controls, and Application (2026)

AI Risk Assessment: The Complete Framework for EU AI Act Compliance (2026)