A vendor risk assessment template is a standardised document that organisations use to evaluate the security, privacy, operational, and compliance posture of third-party vendors before and during the business relationship, ensuring alignment with GDPR Article 28, NIS2 supply chain security requirements, and DORA ICT third-party risk management obligations.
Regulatory enforcement has made vendor risk assessment non-negotiable. GDPR requires controllers to use only processors providing "sufficient guarantees." NIS2 explicitly mandates supply chain security measures. DORA creates the most prescriptive third-party ICT risk requirements in any EU regulation. Yet according to the Ponemon Institute, 54% of organisations still onboard vendors without a formal security assessment, and 62% of data breaches involve third-party vectors (Verizon 2025 DBIR).
The template below is designed to be copied, customised, and put into operational use. Every section includes structured evaluation criteria, fill-in-the-blank fields, and scoring guidance. Replace [ORGANISATION] with your company name, adapt the risk tiers to your vendor landscape, and add any sector-specific requirements that apply.
For a comprehensive explanation of vendor risk concepts, lifecycle management, tiering methodology, and programme-building guidance, see the Vendor Risk Assessment Guide. This article is the template itself.
Quick Reference
Details
What is this?
A ready-to-use vendor risk assessment template with five sections and 80+ evaluation questions
What regulations does it cover?
GDPR (Art. 28), NIS2 (Art. 21(2)(d)), DORA (Arts. 28-30), ISO 27001 (A.5.19-5.23)
Who needs this?
DPOs, CISOs, compliance officers, procurement teams, vendor managers, any organisation onboarding third-party service providers
What is included?
Vendor classification matrix, pre-engagement questionnaire (80+ questions across 6 categories), risk scoring methodology, ongoing monitoring checklist, and contract requirements checklist
How to use it
Copy each section, replace all [PLACEHOLDER] fields, score vendor responses using the risk matrix, and attach completed assessments to your vendor register
Estimated customisation time
1-2 hours for initial customisation; 30-60 minutes per vendor assessment
Key Takeaways
This template provides a complete, copy-ready vendor risk assessment with 80+ evaluation questions covering data protection, security, business continuity, compliance, and financial stability
Built-in GDPR Article 28 compliance with questions verifying processor guarantees, DPA requirements, sub-processor management, and international data transfer safeguards
Built-in NIS2 Article 21(2)(d) supply chain security assessment covering cybersecurity practices, vulnerability management, and incident response capabilities of vendors
Built-in DORA Articles 28-30 evaluation criteria for ICT third-party risk, including concentration risk, exit strategies, and register of information requirements
Four-tier vendor classification (Critical, High, Medium, Low) with defined assessment depth, frequency, and approval levels for each tier
Risk scoring matrix with quantitative methodology: inherent risk, control effectiveness, and residual risk calculation with clear acceptance thresholds
Organisations with a formal third-party risk management programme experience 40% fewer supply chain breaches and meet regulatory audit requirements at significantly higher rates (Gartner 2025)
Every third-party relationship creates risk. The question is whether you measure and manage that risk, or whether you discover it during a breach.
Statistic
Source
62% of data breaches involve third-party vectors
Verizon 2025 DBIR
$4.88M average cost per breach; supply chain breaches cost 12% more
IBM Cost of a Data Breach 2025
98% of organisations have a vendor that has experienced a breach
SecurityScorecard 2025
54% of organisations do not assess vendor security before onboarding
Ponemon Institute 2025
EUR 4.2B in GDPR fines issued in 2025; inadequate processor oversight consistently cited
DLA Piper GDPR Fines Survey 2026
The 2023 MOVEit breach compromised over 2,600 organisations through a single file-transfer vendor. The SolarWinds attack reached up to 18,000 organisations that installed one trojanised software update. Under current EU regulation, your organisation remains accountable for vendor failures: GDPR holds controllers responsible for the processors they choose, NIS2 mandates supply chain risk management, and DORA requires financial entities to maintain a register of information covering all ICT third-party arrangements.
A structured vendor risk assessment template ensures consistency across all vendor evaluations, captures the evidence regulators expect, and makes the process repeatable rather than ad hoc.
Regulatory Requirements for Vendor Management
Before customising the template, understand which regulations apply to your vendor relationships. The table below summarises the vendor management requirements of the four most relevant EU frameworks.
Regulation
Key Articles
Vendor Management Requirement
What You Must Demonstrate
GDPR
Article 28
Use only processors providing "sufficient guarantees" of appropriate technical and organisational measures
Documented assessment of processor security; binding DPA with all Article 28(3) provisions; sub-processor authorisation and equivalent controls; audit rights exercised or available
NIS2
Article 21(2)(d)
Supply chain security including security-related aspects of relationships with direct suppliers and service providers
Assessment of vulnerabilities specific to each supplier; evaluation of overall quality of cybersecurity practices; coordinated risk assessments where applicable
DORA
Articles 28-30
Manage ICT third-party risk as an integral component of ICT risk management, with key contractual provisions in every ICT service agreement
Pre-contracting risk assessment; mandatory contract clauses; Register of Information for all ICT arrangements; concentration risk analysis; exit strategies for critical providers
ISO 27001
Annex A.5.19-5.23
Five dedicated controls for supplier relationship security
Supplier information security policy (5.19); security requirements in agreements (5.20); ICT supply chain security (5.21); monitoring and review (5.22); cloud service security (5.23)
For organisations subject to multiple frameworks (common for financial institutions under both GDPR and DORA, or NIS2 entities processing personal data), the vendor risk assessment must satisfy the most stringent applicable requirements. This template is designed to cover all four frameworks simultaneously. For a deep dive into each regulation, see the DORA Compliance Guide and the NIS2 Complete Guide.
Template Section 1: Vendor Classification
Before conducting a full assessment, classify the vendor to determine the appropriate assessment depth, frequency, and approval level.
VENDOR RISK ASSESSMENT
Document Owner:[DPO NAME / CISO NAME / VENDOR RISK MANAGER]Version:[1.0]Date:[DATE]Next Review Date:[DATE + 12 MONTHS]Classification: Confidential
1.1 Vendor Information
Field
Details
Vendor Name
[VENDOR NAME]
Legal Entity
[FULL LEGAL ENTITY NAME AND REGISTRATION NUMBER]
Jurisdiction
[COUNTRY OF INCORPORATION]
Service Description
[DESCRIPTION OF SERVICES PROVIDED TO ORGANISATION]
Internal Owner
[NAME AND DEPARTMENT OF INTERNAL VENDOR OWNER]
Contract Start Date
[DATE]
Contract Renewal Date
[DATE]
Annual Contract Value
[AMOUNT]
1.2 Vendor Classification Criteria
Assess each factor below and assign the appropriate rating. The tier is then set by the rules in 1.3: the highest individual rating drives the tier, except that two or more "High" ratings together escalate a vendor to Tier 1 even when no factor is rated "Critical".
Factor
Critical
High
Medium
Low
Data sensitivity
Processes special category data (health, biometric, criminal records) or large-scale personal data (more than 100,000 records)
Processes personal data including financial or HR data
Processes basic personal data (names, emails, contact details)
No access to personal data
System access
Root or infrastructure-level access to production systems
Administrative or write access to systems containing sensitive data
Limited or read-only access to non-critical systems
No access to any systems
Business criticality
Failure would halt core business operations; no immediate alternative
Failure would significantly disrupt operations; replacement takes weeks
Failure would cause inconvenience; replacement takes days
Failure has negligible operational impact; easily replaced
Regulatory exposure
Subject to DORA, PCI DSS, or sector-specific regulation requiring formal vendor oversight
Directly implicated in GDPR or NIS2 compliance obligations
Minor regulatory touchpoint
No regulatory implication
Replaceability
Sole provider; proprietary systems; migration would take 6+ months
Limited alternatives; migration would take 1-6 months
Multiple alternatives; migration in weeks
Commodity service; immediate switching possible
1.3 Risk Tier Assignment
Tier
Name
Criteria
Assessment Depth
Frequency
Approval Level
Tier 1
Critical
Any factor rated "Critical" OR two or more factors rated "High"
Full questionnaire (all 80+ questions) with evidence review, SOC 2/ISO 27001 report review, and optional on-site assessment
Annual reassessment; continuous monitoring between assessments
Senior management or board-level approval required
Tier 2
High
Any factor rated "High" (without meeting Tier 1 criteria)
Detailed questionnaire (65+ questions) with evidence review and certification checks
Annual reassessment
Department head approval required
Tier 3
Medium
Highest factor rated "Medium"
Standard questionnaire (40 questions) with certification checks
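The tier rules above are easy to apply inconsistently by hand, particularly the "two or more High" escalation. The following Python, an added example that is not part of the original template, encodes the Section 1.2 thresholds (100,000 records; migration of 6+ months, 1-6 months, weeks) and the Section 1.3 rules. It assumes, by elimination, that a vendor rated Low on every factor is Tier 4, which the table does not state. The two sample vendors and their facts are constructed for illustration.

```python
"""Vendor tier assignment from the Section 1.2 factors and 1.3 rules.

Added example, not part of the original template. Rules encoded: any factor
Critical, or two or more High -> Tier 1; exactly one High -> Tier 2; highest
rating Medium -> Tier 3; all Low -> Tier 4 (assumption, not stated in 1.3).
"""
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


FACTORS = ("data_sensitivity", "system_access", "business_criticality",
           "regulatory_exposure", "replaceability")
TIER_NAMES = {1: "Critical", 2: "High", 3: "Medium", 4: "Low"}


def rate_data_sensitivity(*, special_category: bool, record_count: int,
                          financial_or_hr: bool, any_personal_data: bool) -> Rating:
    """Section 1.2 'Data sensitivity' row. record_count is the number of
    personal-data records the vendor will hold (0 if none)."""
    if special_category or record_count > 100_000:
        return Rating.CRITICAL
    if financial_or_hr:
        return Rating.HIGH
    if any_personal_data:
        return Rating.MEDIUM
    return Rating.LOW


def rate_replaceability(*, alternatives: int, migration_months: float) -> Rating:
    """Section 1.2 'Replaceability' row: migration effort in months
    (0 means immediate switching of a commodity service)."""
    if alternatives == 0 or migration_months >= 6:
        return Rating.CRITICAL
    if migration_months >= 1:
        return Rating.HIGH
    if migration_months > 0:
        return Rating.MEDIUM
    return Rating.LOW


def assign_tier(ratings: dict[str, Rating]) -> int:
    """Return tier 1-4 per Section 1.3. Refuses incomplete input so that a
    factor nobody rated cannot silently pull a vendor into a low tier."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    values = [Rating(ratings[f]) for f in FACTORS]
    highs = sum(1 for v in values if v == Rating.HIGH)
    if Rating.CRITICAL in values or highs >= 2:
        return 1
    if highs == 1:
        return 2
    if max(values) == Rating.MEDIUM:
        return 3
    return 4  # assumption: every factor Low -> Tier 4


# Constructed sample: a payroll SaaS with admin access to HR data.
PAYROLL_SAAS = {
    "data_sensitivity": rate_data_sensitivity(
        special_category=False, record_count=5_000,
        financial_or_hr=True, any_personal_data=True),
    "system_access": Rating.HIGH,           # admin access to sensitive data
    "business_criticality": Rating.MEDIUM,  # payroll could run manually for days
    "regulatory_exposure": Rating.HIGH,     # directly implicated in GDPR
    "replaceability": rate_replaceability(alternatives=3, migration_months=2),
}

# Constructed sample: a newsletter tool holding names and e-mail addresses.
NEWSLETTER_TOOL = {
    "data_sensitivity": rate_data_sensitivity(
        special_category=False, record_count=20_000,
        financial_or_hr=False, any_personal_data=True),
    "system_access": Rating.LOW,
    "business_criticality": Rating.LOW,
    "regulatory_exposure": Rating.MEDIUM,
    "replaceability": rate_replaceability(alternatives=10, migration_months=0.25),
}

if __name__ == "__main__":
    for name, vendor in (("payroll", PAYROLL_SAAS), ("newsletter", NEWSLETTER_TOOL)):
        tier = assign_tier(vendor)
        print(f"{name}: Tier {tier} ({TIER_NAMES[tier]})")
```

Note that the payroll vendor lands in Tier 1 without a single "Critical" factor: four factors rated "High" trigger the escalation rule, which is exactly the case a reviewer scanning only for "Critical" cells would miss.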
Template Section 2: Pre-Engagement Questionnaire
This is the core of the template. Send the relevant sections to the vendor based on their assigned tier. Tier 1 vendors receive all six categories (A to F). Tier 4 vendors receive only Category A (Company Information) as a simplified self-certification.
For each question, record the vendor's response, the evidence provided, and your risk rating.
Category A: Company Information
All tiers. 12 questions.
#
Question
Expected Evidence
Risk Weight
A.1
Provide your full legal entity name, registration number, and registered address.
Certificate of incorporation or equivalent
Low
A.2
In which jurisdictions does your company operate? List all countries where you have offices, data centres, or employees.
Company overview document or website
Medium
A.3
Provide an organisational chart showing your executive team and reporting lines for security, privacy, and compliance functions.
Org chart or management overview
Low
A.4
Do you use sub-contractors or sub-processors to deliver any part of the services provided to us? If yes, list all sub-contractors, their location, and their role.
Sub-processor list with data flows
High
A.5
Describe any material litigation, regulatory enforcement actions, or sanctions against your company in the past 3 years.
Self-declaration; public records
Medium
A.6
Do you carry professional indemnity insurance? If yes, provide the coverage amount and insurer.
Insurance certificate
Medium
A.7
Do you carry cyber liability insurance? If yes, provide the coverage amount.
Cyber insurance certificate
Medium
A.8
What is your company's annual revenue and number of employees?
Self-declaration or public filing
Low
A.9
Describe any planned mergers, acquisitions, or significant corporate changes within the next 12 months that could affect service delivery.
Self-declaration
Medium
A.10
Provide your primary security, privacy, and account management contact details for our organisation.
Contact list
Low
A.11
Describe any dependencies on fourth parties (your vendors' vendors) that are critical to delivering services to us.
Fourth-party dependency map
Medium
A.12
What is your staff turnover rate for security and operations teams? Describe your knowledge transfer procedures for key personnel changes.
Self-declaration; KT procedures
Low
Category B: Data Protection and Privacy
Tier 1, Tier 2, and Tier 3. 17 questions.
#
Question
Expected Evidence
Risk Weight
B.1
Have you appointed a Data Protection Officer (DPO) or equivalent? Provide their name and contact details.
DPO appointment letter or contact details
High
B.2
What categories of personal data will you process on our behalf? Provide a complete list.
Data inventory or processing records (Article 30)
High
B.3
What is the lawful basis for each processing activity you perform on our behalf?
Record of processing activities
High
B.4
Where is our data stored geographically? List all locations including backup and disaster recovery sites.
Data centre locations with addresses
High
B.5
Do you transfer personal data outside the EU/EEA? If yes, describe the transfer mechanism (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules) and provide the relevant documentation.
Transfer mechanism documentation (adequacy decision reference, executed Standard Contractual Clauses, or approved BCRs); transfer impact assessment where SCCs or BCRs are relied on
High
B.6
Provide your current Data Processing Agreement (DPA) template or confirm your willingness to execute our DPA.
DPA covering Article 28(3) requirements
High
B.7
Describe your process for handling data subject rights requests (access, rectification, erasure, portability, objection). What is your response time?
DSAR procedure document
High
B.8
Describe your data retention and deletion practices. How do you ensure data is securely deleted when no longer needed or upon contract termination?
Data retention policy; deletion procedures and certificates
High
B.9
Have you experienced a personal data breach in the past 3 years? If yes, describe the incident, affected data, root cause, and remediation measures taken.
Self-declaration; breach notification records if applicable
High
B.10
How do you ensure that your employees and sub-processors processing personal data are bound by confidentiality obligations?
Confidentiality agreements; employee training records
Medium
B.11
Do you conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities?
DPIA methodology and examples
Medium
B.12
How do you notify data controllers (us) in the event of a personal data breach? What is your notification timeline?
Breach notification procedure; contractual SLA well within the controller's 72-hour Article 33 deadline (24-48 hours in practice; Article 33(2) requires processors to notify without undue delay)
High
B.13
Do you process personal data for any purpose other than the services contracted with us?
Self-declaration; privacy policy
High
B.14
Describe how you manage consent records if applicable to the processing performed on our behalf.
Consent management process
Medium
B.15
Do you maintain records of processing activities as required by GDPR Article 30? Provide a copy or summary relevant to our engagement.
Article 30 register excerpt
Medium
B.16
Do you use automated decision-making or profiling when processing personal data on our behalf? If yes, describe the logic, significance, and safeguards.
Self-declaration; algorithmic impact assessment
High
B.17
Describe how you ensure data minimisation: that only the minimum necessary personal data is processed for the purposes of our engagement.
Data minimisation procedures; access restriction evidence
Medium
Category C: Information Security
Tier 1, Tier 2, and Tier 3. 20 questions.
#
Question
Expected Evidence
Risk Weight
C.1
Do you hold ISO 27001 certification? If yes, provide the current certificate including the scope and certification body.
ISO 27001 certificate (current, with scope statement)
High
C.2
Do you have a SOC 2 Type II report? If yes, provide the most recent report.
SOC 2 Type II report (covering a period ending within the last 12 months; request a bridge letter for any gap between the period end and today)
High
C.3
Provide your information security policy or a summary of its key provisions.
Written information security policy
High
C.4
Describe your data encryption approach, both at rest and in transit. Specify the algorithms and key lengths used.
Encryption standard listing algorithms and key lengths for data at rest and in transit; key management procedure (generation, rotation, storage)
High
C.5
How do you manage access control and authentication for systems that process or store our data? Do you enforce multi-factor authentication (MFA)?
Access control policy; MFA implementation details
High
C.6
Describe your privileged access management (PAM) procedures. How are administrative accounts controlled, monitored, and reviewed?
PAM policy; access review records
High
C.7
Describe your vulnerability management programme. How frequently do you scan for vulnerabilities, and what is your patching cadence for critical, high, medium, and low vulnerabilities?
Vulnerability management policy with patching SLAs per severity; recent scan summary or penetration test findings with remediation status
High
Describe your incident response capabilities. Do you have a documented and tested incident response plan?
Incident response plan; tabletop exercise records
High
C.12
Describe your employee security awareness training programme. How frequently is training delivered, and is it mandatory for all staff?
Training programme description; completion records
Medium
C.13
Describe your secure software development lifecycle (SDLC) if you develop software that we use. Include code review, static/dynamic analysis, and dependency management practices.
Secure SDLC policy; code review records; SAST/DAST and dependency scanning evidence
High
Describe your data portability capabilities. In what formats can you export our data, and what is the process and timeline for a full data export?
Data export documentation; format specifications (CSV, JSON, API)
Medium
Category E: Regulatory Compliance
Tier 1 and Tier 2. 13 questions.
#
Question
Expected Evidence
Risk Weight
E.1
Are you subject to the NIS2 Directive? If yes, are you classified as an essential or important entity? Describe your compliance status.
NIS2 self-assessment or classification documentation
High
E.2
Are you subject to DORA? If yes, describe your ICT risk management framework and compliance status.
DORA compliance assessment or gap analysis
High
E.3
List all certifications, accreditations, and compliance attestations currently held (ISO 27001, SOC 2, ISO 22301, ISO 27701, PCI DSS, CSA STAR, etc.). Provide certificates with expiry dates.
Certificates with scope and validity dates
High
E.4
Do you grant audit rights to your clients? Describe the process, frequency, and any limitations on audit scope.
Contractual audit clause; audit process description
High
E.5
Have you been subject to any regulatory investigations, enforcement actions, or significant audit findings in the past 3 years?
Self-declaration; public records
High
E.6
Describe how you manage regulatory changes that affect the services you provide to us. How do you ensure ongoing compliance as regulations evolve?
Regulatory change management procedure; records of recent regulatory changes tracked and actioned
Medium
E.7
Do you have a formal compliance programme or GRC function? Describe the reporting structure and scope.
Compliance programme overview; GRC function details
Medium
E.8
Do you maintain a register of information on your ICT third-party arrangements as required by DORA Article 28(3)?
Register of Information template or excerpt
High
E.9
How do you manage your own third-party/supply chain risk? Do you assess the security of your sub-processors and critical suppliers?
TPRM programme description; sub-processor assessment process
Medium
E.10
Are there any jurisdictional restrictions, government access requirements, or laws in your country of operation that could affect the confidentiality or availability of our data?
Legal analysis; jurisdictional risk assessment
High
E.11
Describe your approach to AI governance. If you use AI or machine learning in the services provided to us, how do you ensure compliance with the EU AI Act and maintain transparency?
AI governance policy; risk classification of AI systems
Medium
E.12
Do you participate in any industry information-sharing initiatives or ISACs (Information Sharing and Analysis Centres) relevant to cybersecurity threats?
Membership documentation; participation records
Low
E.13
Have you conducted a formal gap assessment against the NIS2 or DORA requirements applicable to your organisation? If yes, provide the assessment summary and remediation status.
Gap assessment report; remediation roadmap
High
Category F: Financial Stability
Tier 1 and Tier 2. 5 questions.
#
Question
Expected Evidence
Risk Weight
F.1
Provide your most recent audited financial statements or, if privately held, a summary of financial health indicators (revenue, profitability, debt levels).
Audited financial statements or financial summary
Medium
F.2
What is your current credit rating (if rated)? Have there been any significant changes in the past 12 months?
Credit report (D&B, Experian, or equivalent)
Medium
F.3
What percentage of your total revenue does our contract represent? (Assesses mutual dependency risk.)
Self-declaration
Low
F.4
Have you experienced any significant financial difficulties, restructuring, or changes of ownership in the past 3 years?
Self-declaration; public filings
Medium
F.5
What is the total value of your professional indemnity and cyber liability insurance coverage, and does it adequately cover the scope of services provided to us?
Insurance certificates with coverage details
Medium
Template Section 3: Risk Scoring Matrix
Use this methodology to convert vendor questionnaire responses into a quantitative risk score. Score each question, calculate category scores, and determine the overall vendor risk rating.
3.1 Individual Question Scoring
For each question in the questionnaire, score the vendor's response on a 1-4 scale:
Score
Rating
Criteria
1
Strong
Vendor fully meets the requirement with documented evidence. Controls are mature, tested, and independently verified (e.g., certified, audited).
2
Adequate
Vendor meets the requirement with reasonable evidence. Controls exist but may not be independently verified or may have minor gaps.
3
Weak
Vendor partially meets the requirement. Controls exist but have significant gaps, are untested, or lack supporting evidence.
4
Absent / Unacceptable
Vendor does not meet the requirement. No controls, no evidence, or the response raises serious concerns. Vendor refused to answer.
3.2 Category Risk Scores
Calculate the average score for each category, then weight it according to the category's importance:
Category
Number of Questions
Weight
Calculation
A. Company Information
12
10%
Average of A.1-A.12 scores x 0.10
B. Data Protection & Privacy
17
25%
Average of B.1-B.17 scores x 0.25
C. Information Security
20
25%
Average of C.1-C.20 scores x 0.25
D. Business Continuity
13
15%
Average of D.1-D.13 scores x 0.15
E. Regulatory Compliance
13
15%
Average of E.1-E.13 scores x 0.15
F. Financial Stability
5
10%
Average of F.1-F.5 scores x 0.10
Overall Vendor Risk Score = Sum of all weighted category scores (range: 1.00 - 4.00)
3.3 Overall Risk Rating
Score Range
Risk Rating
Meaning
1.00 - 1.50
Low Risk
Vendor meets or exceeds requirements across all categories. Approve engagement with standard monitoring.
1.51 - 2.00
Moderate Risk
Vendor meets most requirements with minor gaps. Approve engagement with noted remediation items and enhanced monitoring for gap areas.
2.01 - 2.50
High Risk
Vendor has significant gaps in one or more categories. Conditional approval only: require remediation plan with deadlines before or within 90 days of engagement. Senior management sign-off required.
2.51 - 3.00
Very High Risk
Vendor has serious deficiencies across multiple categories. Engagement not recommended. If business necessity requires proceeding, require executive-level risk acceptance, immediate remediation plan, and enhanced monitoring.
3.01 - 4.00
Unacceptable
Vendor fails to meet fundamental requirements. Do not engage. If an existing vendor reaches this score on reassessment, initiate exit planning.
3.4 Automatic Fail Criteria
Regardless of the overall score, the vendor assessment results in an automatic "Very High Risk" or "Unacceptable" rating if any of the following conditions exist:
Vendor refuses to sign a Data Processing Agreement (for any vendor processing personal data)
Vendor has no encryption for data at rest or in transit
Vendor transfers personal data outside the EU/EEA without an approved transfer mechanism
Vendor has experienced a significant unremediated data breach in the past 12 months
Vendor refuses to grant audit rights (for Tier 1 and Tier 2 vendors)
Vendor has no documented incident response capability
Vendor operates under laws that could compel disclosure of your data to authorities without notifying you, and no effective supplementary measures (for example, encryption with keys held only by your organisation) mitigate this
3.5 Risk Assessment Summary
Field
Result
Vendor Name
[VENDOR NAME]
Assessment Date
[DATE]
Assessor
[NAME, ROLE]
Overall Risk Score
[SCORE]
Overall Risk Rating
[Low / Moderate / High / Very High / Unacceptable]
Automatic Fail Triggered?
[Yes / No] - If yes: [REASON]
Recommendation
[Approve / Approve with conditions / Do not engage / Initiate exit]
Conditions (if applicable)
[LIST REQUIRED REMEDIATION ITEMS AND DEADLINES]
Approved By
[NAME, ROLE, DATE]
Template Section 4: Ongoing Monitoring Checklist
Vendor risk assessment is not a one-time activity. Use this checklist to maintain continuous oversight of approved vendors. Frequency varies by vendor tier.
4.1 Quarterly Monitoring (Tier 1 vendors)
SLA performance review: Review uptime, response times, and service quality against contracted SLAs. Document any breaches. Last reviewed: [DATE]
Incident review: Check whether the vendor reported any security incidents, near-misses, or breaches since the last review. Last reviewed: [DATE]
Sub-processor changes: Confirm whether the vendor has added, removed, or changed any sub-processors. Review notifications received. Last reviewed: [DATE]
Security rating check: Review the vendor's external security rating (BitSight, SecurityScorecard, or equivalent). Note any score changes. Current score: [SCORE] Last checked: [DATE]
Financial health check: Review any changes in the vendor's financial stability (credit rating, news, M&A activity). Last reviewed: [DATE]
Regulatory update: Check for any regulatory enforcement actions, fines, or sanctions involving the vendor. Last reviewed: [DATE]
4.2 Annual Review (Tier 1 and Tier 2 vendors)
Full reassessment: Conduct a complete reassessment using the pre-engagement questionnaire (Section 2). Last completed: [DATE] Next due: [DATE]
Certification validity: Verify that ISO 27001, SOC 2, and other certifications remain current and in scope. Certificates expire: [DATES]
DPA review: Confirm the Data Processing Agreement remains current, reflects the actual processing activities, and includes any required updates (e.g., new sub-processors, scope changes). Last reviewed: [DATE]
Contract review: Review contract terms ahead of renewal. Assess whether security, audit, and compliance clauses are adequate. Renewal date: [DATE]
Penetration test results: Request the vendor's most recent penetration test summary and remediation status (Tier 1). Last reviewed: [DATE]
Business continuity test results: Request evidence that the vendor has tested their BCP/DR plans within the past 12 months (Tier 1). Last reviewed: [DATE]
Risk score recalculation: Recalculate the vendor's risk score using updated assessment data. Previous score: [SCORE] Updated score: [SCORE]
4.3 Event-Driven Reviews (All tiers)
Trigger an immediate vendor review when any of the following events occur:
Vendor experiences a data breach or security incident
Vendor's credit rating or financial health deteriorates significantly
Vendor is acquired by, merged with, or sells a division to another entity
Vendor changes sub-processors in a way that affects your data
Your use of the vendor's services changes materially (new data types, increased volume, new system access)
New regulation applies to the vendor relationship (e.g., vendor now subject to NIS2 or DORA)
Vendor fails to meet SLA commitments for two or more consecutive periods
Vendor's key certification (ISO 27001, SOC 2) expires or is withdrawn
Media reports raise concerns about the vendor's security, ethics, or stability
Template Section 5: Contract Requirements Checklist
Use this checklist to verify that vendor contracts include all required security, privacy, and compliance provisions. Review before signing any new vendor agreement and at each contract renewal.
5.1 Data Protection Clauses
Data Processing Agreement (DPA) executed with all GDPR Article 28(3) provisions:
Subject matter, duration, nature, and purpose of processing defined
Types of personal data and categories of data subjects specified
Obligations and rights of the controller documented
Vendor processes data only on documented instructions from the controller
Confidentiality obligations binding on all persons processing data
Appropriate technical and organisational security measures specified
Conditions for sub-processor engagement (prior written authorisation; equivalent DPA requirements flow down)
Vendor assists controller in fulfilling data subject rights requests
Vendor assists controller in meeting obligations under Articles 32-36 (security, breach notification, DPIAs, prior consultation)
Deletion or return of all personal data at end of engagement, with written certification
Vendor makes available all information necessary to demonstrate compliance; allows and contributes to audits
5.2 Security Clauses
Audit rights granted: right to audit vendor's security controls, compliance, and processing activities. Frequency: [ANNUAL / UPON REQUEST]
Certification maintenance: Vendor must maintain specified certifications (ISO 27001, SOC 2, etc.) throughout the contract term
Breach notification SLA: Vendor must notify [ORGANISATION] within [24 / 48 / 72] hours of becoming aware of a security incident or data breach affecting our data. Choose a window that leaves time to meet your own 72-hour GDPR Article 33 deadline; a 72-hour vendor SLA leaves none.
Incident cooperation: Vendor must cooperate fully with incident investigation, provide forensic data, and support remediation efforts
Vulnerability management: Vendor must maintain a vulnerability management programme with defined patching SLAs
Penetration testing: Vendor must conduct annual independent penetration testing and share summary results
5.3 Operational Clauses
Service level agreements (SLAs) with uptime guarantees, response times, and financial penalties for breaches
Business continuity: Vendor must maintain and test BCP/DR plans; RTO and RPO commitments documented
Change management: Vendor must notify [ORGANISATION] of material changes to infrastructure, security controls, or key personnel
Sub-processor management: Vendor must notify [ORGANISATION] of new sub-processors with sufficient notice (minimum 30 days); right to object; equivalent security requirements flow down
Escalation procedures: Named contacts and escalation paths for operational issues, security concerns, and executive-level disputes
5.4 Exit and Termination Clauses
Termination for cause: Right to terminate for material breach, including security failures, compliance violations, or failure to remediate identified risks within agreed timelines
Termination for convenience: Right to terminate with defined notice period: [90 / 180 DAYS]
Data return: Vendor must return all [ORGANISATION] data in a specified format within [30 / 60] days of termination
Data deletion: Vendor must securely delete all [ORGANISATION] data (including backups, logs, and derivative data) within [60 / 90] days and provide a written deletion certificate. Where backups cannot be selectively purged, the contract should state the maximum backup retention after which the data is overwritten, and require that those backups stay encrypted and are not restored in the meantime.
Transition assistance: Vendor must provide reasonable transition assistance for a defined period post-termination: [90 / 180 DAYS]
Knowledge transfer: Vendor must document and transfer all operational knowledge necessary for service continuity
No data hostage: Contract explicitly prohibits the vendor from withholding data as leverage in any commercial dispute
5.5 Insurance and Liability
Minimum insurance coverage specified: professional indemnity [AMOUNT]; cyber liability [AMOUNT]
Liability cap appropriate to the risk: [AMOUNT OR FORMULA]
Indemnification: Vendor indemnifies [ORGANISATION] for losses arising from vendor's breach of security, privacy, or compliance obligations
Limitation exclusions: Liability cap does not apply to data breaches, wilful misconduct, or confidentiality violations
5.6 Contract Review Summary
Field
Status
Vendor Name
[VENDOR NAME]
Reviewed By
[NAME, ROLE]
Review Date
[DATE]
All Required Clauses Present?
[Yes / No]
Missing Clauses
[LIST ANY MISSING ITEMS]
Recommended Actions
[LIST ACTIONS BEFORE SIGNING]
Legal Review Completed?
[Yes / No / DATE]
How to Customise This Template
This template is designed for organisations of any size, from a 30-person company assessing a handful of critical vendors to an enterprise managing hundreds of third-party relationships. The structure remains the same; the level of detail scales.
Step 1: Replace all placeholders
Search the document for every instance of [BRACKETED TEXT] and replace with your organisation's specific information:
[ORGANISATION] with your legal entity name
[DPO NAME / CISO NAME / VENDOR RISK MANAGER] with your document owner
[DATE] fields with actual dates
Classification criteria thresholds (e.g., "more than 100,000 records") to match your risk appetite
Insurance coverage amounts to reflect your requirements
Step 2: Adjust the questionnaire scope
Not every question applies to every vendor or every industry:
Add sector-specific questions if you operate in a regulated industry (e.g., PCI DSS questions for payment card data, HIPAA questions for health data)
Remove questions that do not apply to your vendor landscape (e.g., remove DORA questions if you are not a financial entity)
Adjust risk weights (High/Medium/Low) based on your specific risk appetite and regulatory obligations
Set tier-specific question subsets defining which questions apply at each tier level
Step 3: Calibrate the scoring model
Adjust the category weights (Section 3.2) to reflect your priorities (e.g., increase Data Protection weight if you are a heavy personal data processor)
Adjust the risk rating thresholds (Section 3.3) to match your risk tolerance
Add or modify the automatic fail criteria (Section 3.4) based on your non-negotiable requirements
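The three calibration knobs in Step 3 (category weights, rating thresholds, automatic fail criteria) are easiest to reason about when the scoring model is written down as code. The following is an added example, not part of the template or of Vision Compliance's own tooling: every weight, threshold, question weight value and the "0 / 0.5 / 1" answer scale is an assumption for illustration, since Sections 3.2 to 3.4 are not reproduced in this part of the page. Category letters follow the questionnaire's A to F scheme (B, E and F are named in the FAQ; the others are left unnamed). The example scores one constructed vendor response under two calibrations, so you can see how raising the Data Protection weight for a heavy personal data processor changes the rating without changing a single answer, and how one failed non-negotiable criterion overrides the arithmetic. Weights are renormalised over the categories that actually have questions, so a tier-specific subset (Step 2) that drops a whole category does not silently penalise the vendor.

```python
"""Weighted vendor risk scoring with calibration knobs (added example).

All numeric values below are assumed for illustration, not the template's
Section 3.2-3.4 values. Replace them with your own calibration.
"""
from dataclasses import dataclass

# Assumed weight multipliers for the High / Medium / Low question weights.
QUESTION_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Question:
    qid: str
    category: str      # questionnaire category letter A-F
    weight: str        # "High", "Medium" or "Low"
    auto_fail: bool = False   # a non-negotiable requirement (Section 3.4 style)


@dataclass(frozen=True)
class Calibration:
    category_weights: dict    # category letter -> share of the overall score (sums to 1.0)
    thresholds: tuple         # ((floor, label), ...) in descending order of floor


def validate(cal):
    """Category weights must sum to 1.0; thresholds must be descending."""
    if abs(sum(cal.category_weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1.0")
    floors = [floor for floor, _ in cal.thresholds]
    if floors != sorted(floors, reverse=True):
        raise ValueError("thresholds must be in descending order")


def category_scores(questions, answers):
    """Per-category score 0-100: question-weighted mean of the answers.

    answers maps qid -> 1.0 (yes), 0.5 (partial) or 0.0 (no);
    an unanswered question counts as 0.0, which is the conservative choice.
    """
    num, den = {}, {}
    for q in questions:
        w = QUESTION_WEIGHT[q.weight]
        num[q.category] = num.get(q.category, 0.0) + w * answers.get(q.qid, 0.0)
        den[q.category] = den.get(q.category, 0) + w
    return {c: 100.0 * num[c] / den[c] for c in den}


def failed_criteria(questions, answers):
    """Automatic fail criteria: any auto_fail question not fully met."""
    return [q.qid for q in questions if q.auto_fail and answers.get(q.qid, 0.0) < 1.0]


def assess(questions, answers, cal):
    """Return overall score, category scores, rating and triggered fail criteria."""
    validate(cal)
    scores = category_scores(questions, answers)
    # Renormalise over the categories that actually carry questions, so a
    # tier-specific subset that omits a category does not drag the score down.
    present = [c for c in cal.category_weights if c in scores]
    total_w = sum(cal.category_weights[c] for c in present)
    overall = round(sum(cal.category_weights[c] * scores[c] for c in present) / total_w, 1)
    fails = failed_criteria(questions, answers)
    if fails:
        rating = "Automatic fail"          # overrides the weighted score entirely
    else:
        rating = "Critical"                # assumed label for anything below the lowest floor
        for floor, label in cal.thresholds:
            if overall >= floor:
                rating = label
                break
    return {"overall": overall, "categories": scores, "rating": rating, "auto_fail": fails}


# Constructed questionnaire subset (ids and weights are illustrative).
QUESTIONS = [
    Question("A1", "A", "High"), Question("A2", "A", "Medium"), Question("A3", "A", "Low"),
    Question("B1", "B", "High", auto_fail=True),   # e.g. a signed DPA: treated as non-negotiable
    Question("B2", "B", "High"), Question("B3", "B", "Medium"),
    Question("E1", "E", "Medium"), Question("F1", "F", "Low"),
]

# Constructed vendor response: strong on security, weak on data protection.
SAMPLE_ANSWERS = {"A1": 1.0, "A2": 1.0, "A3": 0.5, "B1": 1.0, "B2": 0.0,
                  "B3": 0.5, "E1": 1.0, "F1": 1.0}

# Assumed rating thresholds shared by both calibrations (Section 3.3 style).
THRESHOLDS = ((80, "Low"), (60, "Medium"), (40, "High"))

DEFAULT_CALIBRATION = Calibration(
    {"A": 0.30, "B": 0.25, "C": 0.15, "D": 0.10, "E": 0.10, "F": 0.10}, THRESHOLDS)

# Same questionnaire, Data Protection weight raised for a heavy personal data processor.
HEAVY_PERSONAL_DATA_CALIBRATION = Calibration(
    {"A": 0.20, "B": 0.45, "C": 0.10, "D": 0.05, "E": 0.10, "F": 0.10}, THRESHOLDS)


if __name__ == "__main__":
    for name, cal in [("default", DEFAULT_CALIBRATION),
                      ("heavy personal data", HEAVY_PERSONAL_DATA_CALIBRATION)]:
        r = assess(QUESTIONS, SAMPLE_ANSWERS, cal)
        print(f"{name}: overall={r['overall']} rating={r['rating']}")
    failed = dict(SAMPLE_ANSWERS, B1=0.0)   # the non-negotiable criterion not met
    print("with B1 unmet:", assess(QUESTIONS, failed, DEFAULT_CALIBRATION)["rating"])
```

Under the default calibration the constructed vendor lands exactly on the assumed "Low" floor (80.0); moving weight onto Data Protection drops the same answers to 71.6 and a "Medium" rating, which is the behaviour Step 3 asks you to calibrate deliberately rather than discover after signing. The automatic fail path ignores the score entirely, so a single unmet non-negotiable cannot be averaged away by strong answers elsewhere.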
Step 4: Review with stakeholders
Legal review of contract requirements checklist (Section 5) and DPA provisions
Security team review of information security questions and scoring criteria
DPO review of data protection questions and GDPR compliance requirements
Procurement review of integration with existing vendor onboarding workflow
Management approval of risk acceptance thresholds
Step 5: Integrate into your workflow
Build the questionnaire into your GRC platform, vendor management tool, or structured spreadsheet
Integrate vendor classification into your procurement process so no vendor is onboarded without an assessment
Set calendar reminders for all reassessment dates and monitoring activities
Assign vendor owners for each third-party relationship
Train all staff involved in vendor management on the template and scoring methodology
For organisations that need help customising this template, building a complete third-party risk management programme, or conducting vendor assessments, Vision Compliance provides vendor risk management services and cybersecurity advisory tailored to EU regulatory requirements.
Frequently Asked Questions
What is the difference between this template and the vendor risk assessment guide?
The Vendor Risk Assessment Guide is an educational resource that explains vendor risk concepts, the seven risk domains, programme-building methodology, lifecycle management, and common mistakes. This article is the template itself: a document you copy, customise, and deploy as your actual vendor assessment tool. Use the guide to understand the framework; use this template to execute it.
How long does it take to complete a vendor assessment using this template?
For a Tier 1 (Critical) vendor receiving all 80+ questions, allow 2-4 weeks for the vendor to complete the questionnaire and provide evidence. Your internal review and scoring typically take 2-4 hours per vendor. For Tier 3 and Tier 4 vendors with reduced question sets, the process is significantly faster. Once the template is established and your team is experienced, turnaround improves substantially.
Can we accept a SOC 2 report instead of requiring the vendor to answer every security question?
Yes, and for many vendors this is the most efficient approach. A SOC 2 Type II report provides independent auditor assurance over the vendor's controls. However, you should still review the report carefully (check the opinion, exceptions, CUECs, scope, and subservice organisations) and supplement it with questions specific to your engagement: data handling, sub-processors, contractual commitments, and any areas not covered by the SOC 2 scope. A SOC 2 report does not replace the Data Protection (Category B), Regulatory Compliance (Category E), or Financial Stability (Category F) sections.
Is this template suitable for DORA compliance?
Yes. The template includes DORA-specific questions in Category E (Regulatory Compliance), and the contract requirements checklist (Section 5) covers DORA's mandatory contractual provisions. However, DORA also requires a Register of Information for all ICT third-party arrangements, which is a separate document. Use this template alongside your DORA Register of Information to satisfy Article 28 requirements. See the DORA Compliance Guide for the complete DORA compliance framework.
How do we handle vendors that refuse to complete the questionnaire?
This is common with large SaaS vendors (think Microsoft, Google, Salesforce). Alternatives include: (1) accept their SOC 2/ISO 27001 reports plus published trust documentation, (2) use security rating services for external assessment, (3) review their public DPA, security whitepaper, and compliance documentation, (4) document your assessment approach and rationale. For Tier 1 vendors that refuse transparency, consider whether alternative providers exist. Always document your risk acceptance decision when proceeding without a full questionnaire response.
How often should we reassess vendors?
Assessment frequency depends on the vendor's risk tier. Tier 1 (Critical) vendors should be reassessed annually with continuous monitoring between assessments. Tier 2 (High) vendors should be reassessed annually or biennially. Tier 3 (Medium) vendors should be reassessed biennially or triennially. Tier 4 (Low) vendors only require reassessment when their risk profile changes. Additionally, any vendor should be reassessed immediately when triggered by events such as a breach, acquisition, SLA failures, or regulatory changes. See Section 4.3 for the complete list of event-driven review triggers.
Related Resources
Vendor Risk Assessment Guide: complete guide to vendor risk concepts, lifecycle management, tiering, and programme building
DORA Compliance Guide: DORA's ICT third-party risk management framework and Register of Information
Need help turning this template into an operational vendor risk programme? Vision Compliance builds third-party risk management programmes from scratch: vendor inventories, tiering models, assessment questionnaires, scoring methodologies, and ongoing monitoring frameworks. Whether you are preparing for NIS2, DORA, or ISO 27001, we help you get your supply chain risk under control. Schedule a consultation to discuss your vendor risk management needs.
Sources: Verizon 2025 DBIR, IBM Cost of a Data Breach Report 2025, SecurityScorecard 2025 Global Third-Party Cybersecurity Breach Report, Ponemon Institute 2025, GDPR (Regulation 2016/679) Article 28, NIS2 Directive (EU 2022/2555) Article 21(2)(d), DORA (EU 2022/2554) Articles 28-30, ISO/IEC 27001:2022 Annex A.5.19-5.23, DLA Piper GDPR Fines and Data Breach Survey 2026, Gartner 2025 Third-Party Risk Management Report
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.