## The Third-Party Problem
Your vendors are your attack surface. According to SecurityScorecard's 2024 research, 29% of breaches involve a third-party vector. When a vendor fails, you explain it to your customers.
A vendor risk assessment isn't paperwork — it's the process of deciding whether you trust another organization with your data, your operations, or your reputation.
You can outsource the work. You cannot outsource the accountability.
## The Assessment Framework

### Tier Your Vendors First
Not every vendor deserves the same scrutiny. A $200/year email plugin doesn't need the same assessment as your cloud hosting provider.
| Tier | Criteria | Assessment Depth |
|---|---|---|
| Critical | Handles restricted data, core to operations, hard to replace | Full assessment + annual review |
| High | Handles confidential data, important but replaceable | Standard assessment + biannual review |
| Medium | Internal data access, limited scope | Questionnaire + annual check |
| Low | Public data only, easily replaceable | Self-certification |
### The Assessment Checklist
For Critical and High-tier vendors, evaluate these domains:
#### Security Posture
- SOC 2 Type II report (current year)
- Penetration test results (within 12 months)
- Vulnerability management program
- Incident response plan and past incident history
- Encryption standards (at rest and in transit)
#### Compliance Standing
- Relevant certifications (ISO 27001, HIPAA BAA, PCI DSS)
- Regulatory actions or consent decrees
- Data processing agreements (GDPR Art. 28)
- Insurance coverage (cyber liability, E&O)
#### Operational Resilience
- Business continuity / disaster recovery plans
- SLA history and uptime guarantees
- Financial stability (D&B rating, funding status)
- Subcontractor management (fourth-party risk)
#### Data Handling
- Data location and sovereignty
- Data retention and deletion practices
- Access controls and audit logging
- Breach notification commitments
### Risk Scoring
Use a simple weighted matrix. Don't let the perfect be the enemy of the functional.
| Domain | Weight | Score (1-5) | Weighted Score |
|---|---|---|---|
| Security posture | 30% | ? | ? |
| Compliance standing | 25% | ? | ? |
| Operational resilience | 25% | ? | ? |
| Data handling | 20% | ? | ? |
| Total | 100% | | ?/5.0 |
Thresholds:
- 4.0-5.0: Approve — standard monitoring
- 3.0-3.9: Conditional — require remediation plan
- 2.0-2.9: Escalate — executive approval required
- Below 2.0: Reject — risk exceeds benefit
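The weighted matrix and thresholds above, carried through as a small scoring routine. This is an added example, not code from the original page or from Dictiva; the domain weights, the 1-5 scale and the decision bands are taken from the text, while the vendor names and their per-domain scores are constructed sample input. It also enforces the two checks that most often go wrong in a spreadsheet: weights that no longer total 100%, and a score entered outside the 1-5 scale.

```python
"""Weighted vendor risk scoring with approval thresholds.

Added example, not part of the original page. Weights, score scale and
thresholds follow the page's matrix; vendor names and scores are constructed.
"""
from dataclasses import dataclass

# Domain weights from the scoring matrix; they must total 100%.
WEIGHTS = {
    "security_posture": 0.30,
    "compliance_standing": 0.25,
    "operational_resilience": 0.25,
    "data_handling": 0.20,
}

# Decision bands from the page, highest floor first. Anything below the
# lowest floor is a Reject.
THRESHOLDS = [
    (4.0, "Approve", "standard monitoring"),
    (3.0, "Conditional", "require remediation plan"),
    (2.0, "Escalate", "executive approval required"),
]
REJECT = ("Reject", "risk exceeds benefit")


@dataclass
class Assessment:
    vendor: str
    total: float
    decision: str
    action: str


def weighted_score(scores: dict) -> float:
    """Return the weighted total on the 1-5 scale for a domain -> score dict.

    Raises ValueError if the weights drift from 100%, a domain is missing or
    unknown, or a score falls outside the 1-5 scale.
    """
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("domain weights must total 100%")
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing domain scores: {sorted(missing)}")
    unknown = set(scores) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    for domain, score in scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{domain} score {score} is outside the 1-5 scale")
    return round(sum(WEIGHTS[d] * scores[d] for d in WEIGHTS), 2)


def decision(total: float) -> tuple:
    """Map a weighted total to the page's (verdict, required action) band."""
    for floor, verdict, action in THRESHOLDS:
        if total >= floor:
            return verdict, action
    return REJECT


def assess(vendor: str, scores: dict) -> Assessment:
    """Score one vendor and attach the resulting decision."""
    total = weighted_score(scores)
    verdict, action = decision(total)
    return Assessment(vendor, total, verdict, action)


# Constructed sample vendors (hypothetical names and scores).
SAMPLE_VENDORS = {
    "Hosting Provider A": {"security_posture": 5, "compliance_standing": 4,
                           "operational_resilience": 4, "data_handling": 4},
    "Payroll SaaS B": {"security_posture": 4, "compliance_standing": 3,
                       "operational_resilience": 5, "data_handling": 2},
    "Analytics Startup C": {"security_posture": 3, "compliance_standing": 2,
                            "operational_resilience": 2, "data_handling": 2},
    "Plugin Vendor D": {"security_posture": 2, "compliance_standing": 2,
                        "operational_resilience": 1, "data_handling": 2},
}

if __name__ == "__main__":
    for name, scores in SAMPLE_VENDORS.items():
        a = assess(name, scores)
        print(f"{a.vendor:22} {a.total:4.2f}/5.0  {a.decision:12} {a.action}")
```

The decision bands in the text leave gaps (3.9 to 4.0, for example); using "greater than or equal to the band's floor" resolves them so every total lands in exactly one band. Payroll SaaS B illustrates why the weighting matters: strong security and resilience scores still leave it at 3.6, Conditional, because its data handling scored 2.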
## Ongoing Monitoring
Assessment at onboarding isn't enough. Vendors change — acquisitions happen, key personnel leave, security incidents occur.
| Signal | Source | Action |
|---|---|---|
| SOC 2 report refresh | Vendor directly | Review updated report annually |
| Security rating change | SecurityScorecard, BitSight | Investigate drops > 10 points |
| Breach notification | Vendor, media, or HaveIBeenPwned | Trigger incident response |
| Financial distress | D&B, news monitoring | Evaluate continuity risk |
| Regulatory action | SEC/FTC filings, industry alerts | Assess compliance impact |
## What Auditors Ask
If you're preparing for SOC 2 or ISO 27001, expect these questions about your vendor management:
- "How do you assess vendor risk before onboarding?"
- "How do you tier vendors by criticality?"
- "Show me your vendor inventory with risk ratings."
- "How do you monitor vendor risk on an ongoing basis?"
- "What happens when a vendor falls below your risk threshold?"
The right answer isn't "we have a spreadsheet." It's "we have a governance framework that defines vendor risk requirements, assigns ownership, and tracks maturity over time."
## The Bottom Line
Vendor risk assessment is governance, not procurement. The organizations that handle it well treat vendor risk as a governance statement — owned, reviewed, and understood by the team. For a comprehensive look at how vendor risk fits into the broader discipline, see our compliance risk management guide.
Dictiva's governance library includes vendor management statements across multiple maturity levels, mapped to SOC 2, ISO 27001, and NIST frameworks.