A vendor risk assessment is the systematic process of identifying, evaluating, and managing the security, privacy, operational, and compliance risks that third-party vendors and service providers introduce to an organisation, a practice now mandated by regulations including GDPR, NIS2, and DORA.
Your organisation's security is only as strong as your weakest vendor. The 2023 MOVEit breach affected over 2,600 organisations — not because they were individually targeted, but because they all used the same file-transfer vendor. The 2020 SolarWinds attack compromised 18,000 organisations through a single supply chain vector. And under modern regulations, you are liable for your vendors' failures: GDPR holds controllers accountable for processor conduct, NIS2 mandates supply chain security, and DORA requires a comprehensive register of all ICT third-party providers.
Vendor risk assessment — the systematic process of evaluating, monitoring, and managing the risks that third-party relationships introduce to your organisation — is no longer optional. Whether you call it third-party risk management (TPRM), vendor risk management (VRM), or supply chain risk management, the goal is the same: understand the risks your vendors create and reduce them to acceptable levels.
This guide provides a complete, practical framework for building and operating a vendor risk assessment programme that satisfies regulatory requirements and genuinely protects your organisation.
| Quick Reference | Details |
|---|---|
| What is vendor risk assessment? | Systematic evaluation of risks introduced by third-party vendors, suppliers, and service providers |
| Other names | Third-party risk management (TPRM), vendor risk management (VRM), supply chain risk management |
| Key regulations | GDPR (Art. 28), NIS2 (Art. 21), DORA (Arts. 28–30), ISO 27001 (Annex A.5.19–5.23), SOC 2 |
| Primary risk categories | Security, privacy, operational, compliance, financial, reputational, strategic |
| Typical vendor tiering | Critical (Tier 1), Important (Tier 2), Standard (Tier 3), Low-risk (Tier 4) |
| Assessment frequency | Annual for critical vendors; biennial for important; triennial or event-driven for others |
| Key deliverables | Vendor register, risk assessments, tiering model, due diligence reports, ongoing monitoring |
Key Takeaways
- Vendor risk assessment is the process of identifying, evaluating, and mitigating risks that third-party vendors introduce to your organisation
- Modern regulations (GDPR, NIS2, DORA, PCI DSS 4.0) explicitly require organisations to assess and manage vendor/supply chain risks
- A vendor tiering model is essential — not all vendors deserve equal scrutiny; focus resources on critical and important vendors
- The assessment process covers 7 risk domains: security, privacy, operational, compliance, financial, reputational, and strategic
- Vendor questionnaires are the primary assessment tool, but should be supplemented with evidence review, certifications, and continuous monitoring
- Continuous monitoring is replacing point-in-time assessments — use security rating services, breach alerts, and financial monitoring to maintain visibility between formal reviews
- DORA introduces the most prescriptive vendor risk requirements in any EU regulation, including a mandatory Register of Information for all ICT third-party providers
- Building a vendor risk programme takes 3–6 months; maturing it into a continuous process takes 12–18 months
Table of Contents
- Why Vendor Risk Assessment Matters
- Regulatory Requirements for Vendor Risk
- The 7 Domains of Vendor Risk
- Vendor Tiering: Prioritising Your Assessments
- The Vendor Risk Assessment Lifecycle
- Phase 1: Vendor Inventory and Classification
- Phase 2: Risk Assessment and Due Diligence
- Phase 3: Contractual Controls
- Phase 4: Ongoing Monitoring
- Phase 5: Offboarding and Exit Management
- Vendor Risk Scoring Methodology
- Vendor Risk Assessment Questionnaire Template
- Vendor Risk for Specific Regulations
- Building a TPRM Programme from Scratch
- Common Vendor Risk Assessment Mistakes
- Frequently Asked Questions
- Related Resources
Why Vendor Risk Assessment Matters
The Numbers Tell the Story
| Statistic | Source |
|---|---|
| 62% of data breaches involve third-party vectors | Verizon 2025 DBIR |
| 98% of organisations have at least one vendor that has experienced a breach | SecurityScorecard |
| Average $4.88M cost of a data breach; third-party breaches cost 12% more | IBM Cost of a Data Breach 2025 |
| 54% of organisations don't assess third-party security before onboarding | Ponemon Institute |
| 73% of organisations experienced at least one supply chain disruption | BCI Supply Chain Resilience Report |
The Regulatory Imperative
It's not just about risk — it's about the law:
- GDPR Article 28 requires controllers to use only processors that provide "sufficient guarantees" and to have a binding data processing agreement
- NIS2 Article 21(2)(d) explicitly mandates "supply chain security" as part of cybersecurity risk management
- DORA Articles 28–30 create the most prescriptive ICT third-party risk management requirements of any EU regulation
- ISO 27001 Annex A.5.19–5.23 dedicates five controls to supplier relationship security
- SOC 2 Trust Services Criteria require risk assessment of subservice organisations
- PCI DSS 4.0 Requirement 12.8 mandates a programme for managing third-party service providers
The 7 Domains of Vendor Risk
A comprehensive vendor risk assessment covers seven domains:
| Domain | What You're Assessing | Example Risks |
|---|---|---|
| 1. Security | Vendor's cybersecurity controls, incident management, access controls | Data breach, ransomware, unauthorised access to your data |
| 2. Privacy | How the vendor handles personal data; compliance with data protection laws | GDPR violation through vendor; unauthorised data sharing; inadequate DPA |
| 3. Operational | Vendor's ability to deliver services reliably; business continuity | Service outage, vendor bankruptcy, key person dependency |
| 4. Compliance | Vendor's adherence to regulations, standards, and contractual obligations | Vendor non-compliance creating liability for you; audit failures |
| 5. Financial | Vendor's financial stability and viability | Vendor insolvency; cost increases; contract disputes |
| 6. Reputational | Vendor's public image and conduct; potential for negative association | Vendor involved in scandal, ethical violations, or public controversy |
| 7. Strategic | Vendor lock-in, concentration risk, alignment with your business strategy | Over-dependence on single vendor; inability to switch; misaligned roadmaps |
Vendor Tiering: Prioritising Your Assessments
Not every vendor needs the same level of scrutiny. A vendor tiering model ensures you allocate assessment resources proportionally to risk.
Tiering Criteria
| Factor | Weight | How to Assess |
|---|---|---|
| Data access | High | Does the vendor access, process, or store your data (especially personal or sensitive data)? |
| System access | High | Does the vendor have access to your IT systems, networks, or infrastructure? |
| Business criticality | High | Would a vendor failure significantly impact your operations? |
| Regulatory exposure | Medium | Does the vendor relationship create regulatory compliance obligations? |
| Replaceability | Medium | How easily could you replace the vendor? (Lower replaceability = higher risk) |
| Financial exposure | Medium | What is the financial value of the relationship? |
| Data volume | Medium | How much data does the vendor process? |
Tier Definitions
| Tier | Name | Criteria | Assessment Depth | Frequency |
|---|---|---|---|---|
| Tier 1 | Critical | Accesses sensitive data AND/OR provides business-critical services; failure would severely impact operations | Full due diligence, onsite/virtual assessment, evidence review | Annual |
| Tier 2 | Important | Accesses some data OR provides important (but not critical) services | Detailed questionnaire + evidence review | Annual or biennial |
| Tier 3 | Standard | Limited data access; provides standard services; easily replaceable | Standard questionnaire | Biennial or triennial |
| Tier 4 | Low-risk | No data access; no system access; commodity services | Simplified check or self-certification | Event-driven only |
Example Tiering
| Vendor | Tier | Reasoning |
|---|---|---|
| Cloud hosting provider (AWS, Azure) | Tier 1 | Stores all production data; total dependency; high regulatory exposure |
| HR/payroll SaaS platform | Tier 1 | Processes employee personal data including financial data; business-critical |
| CRM platform (Salesforce, HubSpot) | Tier 1 | Stores customer data; critical to sales operations |
| External penetration testing firm | Tier 2 | Accesses systems during testing; limited scope and duration |
| Marketing email platform | Tier 2 | Processes customer email addresses; important but replaceable |
| Office cleaning service | Tier 4 | No data or system access; commodity service |
| Office furniture supplier | Tier 4 | No ongoing relationship; no risk exposure |
The Vendor Risk Assessment Lifecycle
┌─────────────────────────────────────────────────┐
│ VENDOR RISK ASSESSMENT LIFECYCLE │
│ │
│ Phase 1: Inventory & Classification │
│ ↓ │
│ Phase 2: Risk Assessment & Due Diligence │
│ ↓ │
│ Phase 3: Contractual Controls │
│ ↓ │
│ Phase 4: Ongoing Monitoring │
│ ↓ │
│ Phase 5: Offboarding & Exit Management │
│ ↓ │
│ [Loop back to Phase 1 for new vendors │
│ and Phase 2/4 for reassessment cycle] │
└─────────────────────────────────────────────────┘
Phase 1: Vendor Inventory and Classification
Before you can assess risks, you need to know who your vendors are.
Steps
| Step | Activity | Deliverable |
|---|---|---|
| 1.1 | Identify all third-party relationships (procurement records, AP invoices, contract database, IT asset inventory) | Complete vendor list |
| 1.2 | Classify each vendor by type (SaaS, on-premise software, professional services, outsourced operations, etc.) | Categorised vendor register |
| 1.3 | Document what data each vendor accesses, processes, or stores | Data mapping per vendor |
| 1.4 | Document what systems each vendor accesses | System access inventory |
| 1.5 | Apply the tiering model to assign each vendor a tier | Tiered vendor register |
| 1.6 | Identify vendor owners (the internal person responsible for each vendor relationship) | Vendor ownership assignments |
The Vendor Register
Your vendor register should include at minimum:
| Field | Description |
|---|---|
| Vendor name | Legal entity name |
| Primary contact | Vendor's account manager or security contact |
| Internal owner | Who in your organisation owns this vendor relationship |
| Service description | What the vendor provides |
| Tier | Critical / Important / Standard / Low-risk |
| Data types accessed | Personal data categories, sensitive data, financial data, etc. |
| System access | What systems the vendor can access |
| Contract dates | Start date, renewal date, termination notice period |
| DPA in place? | Yes/No (with date) |
| Last assessment date | Date of most recent risk assessment |
| Next assessment due | Date of next scheduled assessment |
| Risk score | Current risk rating |
Phase 2: Risk Assessment and Due Diligence
Assessment Methods by Tier
| Method | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Vendor questionnaire | Comprehensive (150+ questions) | Detailed (80–120 questions) | Standard (30–50 questions) | Not required |
| Evidence review (policies, certifications, audit reports) | Yes — review key documents | Yes — review certifications | Certifications only | Not required |
| SOC 2 / ISO 27001 report review | Yes — read full report including exceptions | Yes — review summary and exceptions | Accept certificate as evidence | Not required |
| On-site or virtual assessment | Recommended for top-10 critical vendors | Optional | No | No |
| Security rating service (BitSight, SecurityScorecard) | Yes — continuous | Yes — periodic | Optional | No |
| Financial health check (D&B, credit reports) | Yes — annual | Yes — at onboarding | Optional | No |
| Penetration test results | Request if available | Request if available | No | No |
What to Review in a SOC 2 Report
Many vendors will provide a SOC 2 Type II report instead of answering a questionnaire. Here's what to check:
| Section | What to Look For |
|---|---|
| Opinion | Unqualified ("clean") opinion — any qualifications are red flags |
| Description of the system | Does it match what the vendor provides to you? |
| Controls tested | Do they cover security, availability, confidentiality as relevant? |
| Exceptions and deficiencies | Any noted deficiencies; how were they remediated? |
| Subservice organisations | Are the vendor's own vendors (subprocessors) included or excluded? |
| Complementary User Entity Controls (CUECs) | Controls that you need to implement for the vendor's controls to work |
| Report period | Is the report current (within the last 12 months)? |
Phase 3: Contractual Controls
Risk assessments identify risks; contracts mitigate them. Every vendor relationship should have appropriate contractual protections:
Essential Contract Clauses by Risk Area
| Clause | Purpose | Required For |
|---|---|---|
| Data Processing Agreement (DPA) | GDPR Article 28 compliance; defines processing scope, obligations, sub-processors | Any vendor processing personal data |
| Security requirements | Minimum security standards, controls, certifications the vendor must maintain | Tier 1 and Tier 2 vendors |
| Incident notification | Vendor must notify you within defined timeframe (24–72 hours) of security incidents | All tiers accessing data |
| Audit rights | Right to audit the vendor's security controls and compliance | Tier 1 and Tier 2 |
| Sub-processor management | Notification of new sub-processors; right to object | Any vendor processing personal data |
| Data return and deletion | At termination, vendor must return/delete all your data in defined format and timeframe | All tiers handling your data |
| Business continuity | Vendor must maintain BCP/DR plans and test them | Tier 1 |
| Insurance | Minimum cyber insurance coverage | Tier 1 and Tier 2 |
| Termination rights | Right to terminate for material breach, including security or compliance failures | All tiers |
| Liability and indemnification | Appropriate liability caps and indemnification for vendor-caused breaches | All tiers (proportional) |
| SLA and performance | Service levels, uptime guarantees, response times | Tier 1 and Tier 2 |
Phase 4: Ongoing Monitoring
Point-in-time assessments are necessary but insufficient. Continuous monitoring closes the gap between annual reviews.
Monitoring Activities
| Activity | Frequency | Source |
|---|---|---|
| Security rating monitoring | Continuous (automated) | BitSight, SecurityScorecard, UpGuard, RiskRecon |
| Breach and incident alerts | Continuous (automated) | News alerts, vendor notifications, dark web monitoring |
| Financial health monitoring | Quarterly | Dun & Bradstreet, credit reporting agencies |
| Certification expiry tracking | At expiry dates | Vendor register; calendar reminders |
| Contract renewal review | Before each renewal | Contract management system |
| Sub-processor change monitoring | As notified | Vendor DPA notification obligations |
| Performance review | Quarterly (Tier 1), semi-annually (Tier 2) | SLA reports, incident logs, support metrics |
| Regulatory change impact | Continuous | Regulatory monitoring (NIS2, DORA changes affecting vendors) |
| Full reassessment | Annual (Tier 1), biennial (Tier 2), triennial (Tier 3) | Questionnaire + evidence review cycle |
Triggers for Ad-Hoc Reassessment
Reassess a vendor immediately when:
- Vendor experiences a data breach or security incident
- Vendor's financial rating drops significantly
- Vendor is acquired by or merged with another entity
- Vendor changes its sub-processors in a way that affects your data
- Your use of the vendor's services changes materially
- A new regulation applies to the vendor relationship
- Vendor fails to meet SLA commitments repeatedly
Phase 5: Offboarding and Exit Management
Vendor offboarding is the most commonly neglected phase. When a vendor relationship ends:
| Step | Activity | Verification |
|---|---|---|
| 1 | Revoke all access — system credentials, VPN accounts, API keys, physical access | Confirm in IAM and access logs |
| 2 | Data return — obtain all your data in the agreed format | Verify completeness against data inventory |
| 3 | Data deletion — vendor certifies deletion of all your data (including backups) | Obtain written deletion certificate |
| 4 | Knowledge transfer — document any vendor-specific knowledge needed for transition | Transition documentation complete |
| 5 | Update vendor register — mark vendor as offboarded; retain assessment records per retention policy | Register updated |
| 6 | Lessons learned — document what worked and what didn't for future vendor relationships | Post-vendor review notes |
Vendor Risk Scoring Methodology
Inherent Risk Score
Assess the inherent risk of the vendor relationship (before considering the vendor's controls):
| Factor | Low (1) | Medium (2) | High (3) | Critical (4) |
|---|---|---|---|---|
| Data sensitivity | No personal data | Basic personal data | Sensitive/special category data | Large-scale sensitive data |
| System access | No access | Limited/read-only access | Admin or write access | Root/infrastructure access |
| Business criticality | Not critical; easily replaced | Important but replaceable within days | Critical; replacement takes weeks | Mission-critical; no alternative |
| Regulatory exposure | No regulatory implication | Minor regulatory touchpoint | Significant regulatory requirement | Subject to specific regulation (DORA, PCI) |
| Data volume | Minimal | Moderate | Significant | Very large scale |
Inherent risk score = Sum of all factors (range: 5–20)
| Score | Inherent Risk Level |
|---|---|
| 5–8 | Low |
| 9–12 | Medium |
| 13–16 | High |
| 17–20 | Critical |
Control Effectiveness Score
Assess how well the vendor's controls mitigate the inherent risk:
| Factor | Strong (1) | Adequate (2) | Weak (3) | Absent (4) |
|---|---|---|---|---|
| Security certifications | ISO 27001 + SOC 2 current | One certification current | Certification in progress | No relevant certifications |
| Security controls | Comprehensive, evidence-based | Adequate based on questionnaire | Gaps identified | Major gaps or unknown |
| Incident management | Tested IR plan; notified within 24 hrs | IR plan exists; notification defined | IR plan unclear; notification vague | No IR plan or notification commitment |
| Privacy controls | DPA in place; privacy programme mature | DPA in place; basic privacy controls | DPA incomplete or unsigned | No DPA; no privacy controls |
| Business continuity | Tested BCP/DR; RTO/RPO defined | BCP/DR exists; testing unclear | Plans exist but outdated | No BCP/DR plans |
Control effectiveness score = Sum of all factors (range: 5–20)
Residual Risk
Residual risk = Inherent risk level modified by control effectiveness:
| Inherent Risk | Strong Controls | Adequate Controls | Weak Controls | Absent Controls |
|---|---|---|---|---|
| Critical | High | High | Critical | Critical |
| High | Medium | High | High | Critical |
| Medium | Low | Medium | High | High |
| Low | Low | Low | Medium | High |
Vendor Risk Assessment Questionnaire Template
Core Security Questions (All Tiers)
| # | Question | Expected Evidence |
|---|---|---|
| 1 | Do you hold ISO 27001 certification? If so, provide the certificate. | ISO 27001 certificate (current) |
| 2 | Do you have a SOC 2 Type II report? If so, provide the most recent report. | SOC 2 report (within 12 months) |
| 3 | Describe your data encryption approach (at rest and in transit). | Encryption standards (AES-256, TLS 1.2+) |
| 4 | How do you manage access control and authentication for systems that store our data? | MFA, RBAC, privileged access management |
| 5 | Describe your incident response process and notification timelines. | IR plan; notification SLA (≤72 hours) |
| 6 | How do you manage vulnerabilities? What is your patching cadence? | Vulnerability management policy; patch SLA |
| 7 | Do you conduct regular penetration testing? Provide the most recent summary. | Annual pentest report (remediation status) |
| 8 | Where is our data stored (geographic locations and data centres)? | Data centre locations; EU/EEA confirmation |
| 9 | Do you use sub-processors? If so, list them and describe their role. | Sub-processor list with data flows |
| 10 | Describe your business continuity and disaster recovery capabilities. | BCP/DR plans; RTO/RPO; test results |
Additional Questions for Tier 1 (Critical Vendors)
| # | Question | Expected Evidence |
|---|---|---|
| 11 | Provide your information security policy. | Written policy (current) |
| 12 | Describe your employee security awareness training programme. | Training records; programme description |
| 13 | How do you manage third-party/supply chain risk for your own vendors? | TPRM programme description |
| 14 | Describe your logging and monitoring capabilities. | SIEM; log retention; alert thresholds |
| 15 | What is your data retention and deletion process? | Retention schedule; deletion procedures |
| 16 | Describe your change management process. | Change management policy |
| 17 | Do you have cyber insurance? What is the coverage amount? | Insurance certificate |
| 18 | Have you experienced a data breach or security incident in the last 3 years? | Incident disclosure; remediation summary |
| 19 | Describe your secure development lifecycle (if providing software). | SDLC documentation; code review process |
| 20 | How do you handle data subject access requests and other GDPR rights? | DSAR process documentation |
Vendor Risk for Specific Regulations
GDPR (Article 28)
| Requirement | What It Means for Vendor Risk |
|---|---|
| Sufficient guarantees | You must assess that the vendor provides sufficient technical and organisational measures |
| Written DPA | Binding contract/DPA covering all Article 28(3) requirements |
| Sub-processor management | Vendor must get your authorisation for sub-processors; equivalent DPA requirements flow down |
| Audit rights | You must have the right to audit or have audits conducted |
| Data deletion/return | Vendor must delete or return all personal data at end of engagement |
| International transfers | If vendor transfers data outside EU, appropriate safeguards (SCCs, adequacy decisions) |
NIS2 (Article 21(2)(d))
| Requirement | What It Means for Vendor Risk |
|---|---|
| Supply chain security | Assess security of direct suppliers and service providers |
| Vulnerabilities specific to each supplier | Understand each vendor's risk profile individually |
| Overall quality of products/services | Evaluate cybersecurity practices of suppliers |
| Coordinated risk assessments | Participate in EU-level coordinated supply chain risk assessments where applicable |
DORA (Articles 28–30)
| Requirement | What It Means for Vendor Risk |
|---|---|
| ICT third-party risk management | Comprehensive framework for managing all ICT third-party providers |
| Register of Information | Maintain a complete register of all ICT third-party arrangements (submitted to regulator) |
| Pre-contracting assessment | Assess risks before entering ICT third-party arrangements |
| Key contractual provisions | Specific mandatory clauses in ICT service contracts |
| Concentration risk | Assess whether critical functions depend on too few providers |
| Exit strategies | Mandatory exit strategies for critical ICT third-party providers |
| Critical TPP oversight | EU-level oversight framework for critical ICT third-party providers |
Building a TPRM Programme from Scratch
90-Day Implementation Plan
| Phase | Timeframe | Activities | Deliverables |
|---|---|---|---|
| Discovery | Days 1–20 | Vendor inventory; data mapping; initial classification; stakeholder alignment | Complete vendor list; initial tiering |
| Framework | Days 21–40 | Tiering model; questionnaire templates; risk scoring methodology; policy development | TPRM policy; assessment templates; scoring model |
| Priority Assessments | Days 41–70 | Assess Tier 1 vendors; review existing contracts; identify gaps | Tier 1 risk assessments; contract gap analysis |
| Programme Launch | Days 71–90 | Onboarding process; monitoring setup; training; Tier 2 assessments begin | Onboarding workflow; monitoring dashboards; training materials |
Resource Requirements
| Company Size | Recommended Resources |
|---|---|
| Small (50–200 employees, 20–50 vendors) | 0.5 FTE dedicated to TPRM; GRC tool or spreadsheet |
| Medium (200–1,000 employees, 50–200 vendors) | 1–2 FTE; dedicated TPRM platform |
| Large (1,000+ employees, 200+ vendors) | 3–5 FTE; enterprise TPRM platform; security rating service |
Common Vendor Risk Assessment Mistakes
| # | Mistake | Consequence | Prevention |
|---|---|---|---|
| 1 | No vendor inventory — you don't know who your vendors are | Can't assess what you don't know; shadow IT creates unmanaged risk | Start with procurement and AP records; conduct organisation-wide survey |
| 2 | Treating all vendors the same | Critical vendors get insufficient scrutiny; low-risk vendors waste resources | Implement a tiering model before starting assessments |
| 3 | Questionnaire fatigue — sending 200 questions to every vendor | Vendors ignore or rush through; you can't process the responses | Tier your questionnaires; accept SOC 2/ISO 27001 in lieu of questionnaires |
| 4 | Assessing once and forgetting | Vendor risk profile changes; new threats emerge; controls degrade | Implement continuous monitoring and scheduled reassessments |
| 5 | No contractual leverage | You identify risks but can't require the vendor to fix them | Negotiate security and compliance requirements into contracts before signing |
| 6 | Ignoring concentration risk | Multiple critical processes depend on one vendor (e.g., AWS) | Map dependencies; develop multi-cloud or fallback strategies for critical services |
| 7 | Not assessing sub-processors | Your vendor is compliant, but their sub-processor isn't | Require sub-processor disclosure; assess critical sub-processors |
| 8 | No offboarding process | Former vendor retains your data and access | Formal offboarding checklist; deletion certificates; access revocation verification |
| 9 | Paper compliance — collecting questionnaires but never acting on findings | Risk register grows but risk doesn't decrease | Assign remediation actions; track closure; escalate overdue items |
| 10 | Not involving procurement | Vendors onboarded without risk assessment; contracts signed without security clauses | Integrate TPRM into the procurement workflow; no contract without risk assessment |
Frequently Asked Questions
How many vendors does a typical organisation have?
Most mid-sized organisations have 100–500 third-party relationships, though many discover significantly more once shadow IT and departmental purchases are included. A Fortune 500 company may have 5,000–15,000 vendor relationships. The key is not to assess every vendor equally — use tiering to focus on the 20–30 vendors that create 80% of your risk.
Can I accept a SOC 2 report instead of sending a questionnaire?
Yes, and for many vendors this is the most efficient approach. A SOC 2 Type II report provides independent auditor assurance over the vendor's controls. However, you should still review the report carefully (check opinion, exceptions, CUECs, and scope) and supplement it with vendor-specific questions about data handling, sub-processors, and your specific concerns.
How do I handle vendors that refuse to complete a questionnaire?
This happens regularly, especially with large vendors (think Google, Microsoft, Salesforce). Options include: (1) accept their SOC 2/ISO 27001 reports plus public documentation, (2) use security rating services for external assessment, (3) review their trust/security pages and DPA, (4) for critical vendors where alternatives exist, consider switching to a more cooperative vendor. Document your assessment approach for each vendor that doesn't complete a full questionnaire.
What's the difference between vendor risk assessment and vendor due diligence?
Vendor risk assessment is the ongoing process of evaluating and monitoring vendor risk throughout the relationship lifecycle. Vendor due diligence typically refers to the initial pre-engagement evaluation. In practice, the terms are often used interchangeably, but a mature programme includes both: initial due diligence before onboarding and periodic risk reassessment throughout the relationship.
How do I prioritise vendor risk remediation?
Prioritise based on: (1) severity of the identified risk, (2) vendor tier (critical vendors first), (3) regulatory exposure (risks that create compliance violations), (4) exploitability (risks that are actively exploited in the wild), and (5) remediation effort (quick wins first to build momentum). Create a risk treatment plan with specific actions, owners, and deadlines.
Is vendor risk assessment required for ISO 27001?
Yes. ISO 27001:2022 includes five Annex A controls specifically for supplier relationships: A.5.19 (Information security in supplier relationships), A.5.20 (Addressing security within supplier agreements), A.5.21 (Managing security in the ICT supply chain), A.5.22 (Monitoring and review of supplier services), and A.5.23 (Information security for use of cloud services). A certification audit will verify your supplier risk management process.
How often should I reassess vendors?
| Vendor Tier | Standard Reassessment | Trigger-Based Reassessment |
|---|---|---|
| Tier 1 (Critical) | Annually | Immediately on breach, incident, or material change |
| Tier 2 (Important) | Every 1–2 years | On breach, contract renewal, or significant change |
| Tier 3 (Standard) | Every 2–3 years | On breach or contract renewal |
| Tier 4 (Low-risk) | Not scheduled | Only if risk profile changes |
What tools can automate vendor risk assessment?
The market includes dedicated TPRM platforms (OneTrust, Prevalent, ProcessUnity, Vanta), security rating services (BitSight, SecurityScorecard, UpGuard, RiskRecon), and GRC platforms with vendor modules (ServiceNow GRC, Archer, LogicGate). For small organisations, a well-structured spreadsheet with standardised questionnaires can work for the first 1–2 years.
Related Resources
- ISO 27001 Implementation Guide — ISO 27001 Annex A controls for supplier relationships
- NIS2 Directive Complete Guide — NIS2 supply chain security requirements
- DORA Compliance Guide — DORA's ICT third-party risk management framework
- GDPR Compliance Guide — GDPR Article 28 processor requirements and DPAs
Related Articles
- Outsourcing Compliance Guide — External compliance officers and outsourced services
- Virtual CISO Services Guide — Fractional CISO engagements and CISOaaS explained
- Standard Contractual Clauses (SCCs) Guide — GDPR-compliant international data transfers explained
Conclusion
Vendor risk assessment is not a checkbox exercise — it's a continuous programme that protects your organisation from the growing threat of supply chain attacks, vendor failures, and regulatory non-compliance. The organisations that get this right build a systematic process: know your vendors, tier them by risk, assess the critical ones deeply, contract for security, monitor continuously, and offboard cleanly.
Start with your vendor inventory. Tier your vendors. Assess your Tier 1 vendors first. Build from there.
Need help with vendor risk management? Vision Compliance builds third-party risk management programmes from scratch — vendor inventories, tiering models, assessment questionnaires, and ongoing monitoring frameworks. Whether you're preparing for NIS2, DORA, or ISO 27001, we'll help you get your supply chain risk under control. Schedule a free consultation →
Sources: Verizon 2025 DBIR, IBM Cost of a Data Breach Report 2025, GDPR (Regulation 2016/679), NIS2 Directive (EU 2022/2555), DORA (EU 2022/2554), ISO 27001:2022, PCI DSS 4.0, EDPB Guidelines on Data Processing Agreements
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.