Vendor Risk Assessment Framework
A structured framework for evaluating the security posture of third-party vendors before onboarding and throughout the vendor lifecycle.
Vendor Categorization
Classify vendors based on their level of access to your systems and data to determine the appropriate depth of assessment.
Tier 1: Critical
Criteria
- Direct access to CUI, PII, PHI, or financial data.
- Integration with core business systems (ERP, CRM, HRIS).
- Single points of failure with no readily available alternative vendor.
- Access to network infrastructure or privileged system accounts.
Assessment Requirements
Full security assessment, on-site review (if applicable), SOC 2 Type II or equivalent certification required, annual reassessment.
Tier 2: Significant
Criteria
- Access to internal (non-regulated) business data.
- Integration with non-critical business applications.
- Limited access to organizational network segments.
- Provides services that support but do not directly process regulated data.
Assessment Requirements
Standard security questionnaire, SOC 2 Type I or equivalent accepted, biannual reassessment.
Tier 3: Standard
Criteria
- No access to sensitive data or internal systems.
- Provides commodity services (office supplies, facility maintenance).
- No network connectivity to organizational systems.
- Readily replaceable with alternative vendors.
Assessment Requirements
Abbreviated questionnaire or self-attestation, basic due diligence review, assessment upon contract renewal.
Assessment Questionnaire Topics
The following topics should be covered in the vendor security assessment questionnaire, with depth proportional to the vendor tier.
Information Security Governance
Does the vendor have a dedicated information security team or officer?
Does the vendor maintain documented information security policies and procedures?
Does the vendor hold current security certifications (SOC 2, ISO 27001, FedRAMP)?
How frequently are security policies reviewed and updated?
Access Control and Identity Management
Does the vendor enforce multi-factor authentication for all users accessing your data?
Does the vendor implement role-based access controls and least-privilege principles?
How does the vendor manage user provisioning and deprovisioning?
Does the vendor conduct periodic access reviews?
Data Protection and Privacy
How does the vendor encrypt data at rest and in transit?
Does the vendor have a data classification and handling policy?
What data retention and disposal procedures does the vendor follow?
Does the vendor comply with applicable privacy regulations (GDPR, CCPA, HIPAA)?
Where is organizational data stored geographically?
Incident Response and Business Continuity
Does the vendor have a documented incident response plan?
What is the vendor's notification timeline for security incidents affecting your data?
Does the vendor maintain a business continuity and disaster recovery plan?
When was the vendor's last incident response test or tabletop exercise conducted?
Vulnerability Management
Does the vendor conduct regular vulnerability scans and penetration tests?
What is the vendor's patching cadence for critical, high, medium, and low vulnerabilities?
Does the vendor have a responsible disclosure or bug bounty program?
How does the vendor manage vulnerabilities in third-party libraries and dependencies?
Subcontractor and Fourth-Party Risk
Does the vendor use subcontractors or fourth parties to process your data?
Does the vendor assess the security posture of its subcontractors?
Will the vendor notify you before engaging new subcontractors that will access your data?
Are subcontractors contractually bound to the same security requirements?
Employee Security
Does the vendor conduct background checks on employees with access to your data?
Does the vendor provide regular security awareness training?
What procedures does the vendor follow for employee termination and access revocation?
Risk Scoring Methodology
Use a consistent scoring methodology to evaluate each assessment domain and produce an overall risk rating for each vendor.
Critical Risk
No controls in place. Significant gaps that pose immediate risk to organizational data and operations.
High Risk
Minimal controls in place. Significant improvement needed before the vendor should be allowed to process sensitive data.
Moderate Risk
Basic controls in place but gaps exist. Remediation plan required with defined timelines.
Low Risk
Strong controls in place with minor areas for improvement. Acceptable for most data processing activities.
Minimal Risk
Comprehensive controls in place. Vendor demonstrates mature security posture aligned with industry best practices.
Calculate a weighted average score across all assessment domains. Weight each domain based on its relevance to the specific vendor engagement (e.g., Data Protection may be weighted more heavily for a cloud storage vendor than for a print services vendor).
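The weighted scoring described above, worked through as an added example (this is illustration code, not tooling from the framework). It assumes a 1 to 5 numeric scale per domain (1 = no controls, 5 = comprehensive controls) and numeric cut-offs for the five rating bands, neither of which the framework specifies, and shows how the same domain scores land in different bands once Data Protection is weighted more heavily for a cloud storage vendor.

```python
from typing import Dict, Tuple

# Assessment domains from the questionnaire section of the framework.
DOMAINS = ("governance", "access_control", "data_protection", "incident_response",
           "vulnerability_management", "fourth_party", "employee_security")

# Rating bands: a score below the cut-off gets that label. Cut-offs are an
# assumption; the framework names the bands but gives no numeric thresholds.
RATING_BANDS = [(1.5, "Critical Risk"), (2.5, "High Risk"), (3.5, "Moderate Risk"),
                (4.5, "Low Risk"), (float("inf"), "Minimal Risk")]


def weighted_score(scores: Dict[str, int], weights: Dict[str, float]) -> float:
    """Weighted average of per-domain scores (1..5). Weights need not sum to 1;
    every domain must be scored and every weight must be positive."""
    missing = set(DOMAINS) - set(scores)
    if missing:
        raise ValueError(f"unscored domains: {sorted(missing)}")
    for domain, value in scores.items():
        if domain not in DOMAINS or not 1 <= value <= 5:
            raise ValueError(f"bad score for {domain}: {value}")
    total_weight = sum(weights.get(d, 1.0) for d in DOMAINS)
    if any(weights.get(d, 1.0) <= 0 for d in DOMAINS) or total_weight <= 0:
        raise ValueError("weights must be positive")
    return sum(scores[d] * weights.get(d, 1.0) for d in DOMAINS) / total_weight


def rating_for(score: float) -> str:
    """Map a weighted score onto the framework's five risk rating bands."""
    for cutoff, label in RATING_BANDS:
        if score < cutoff:
            return label
    return RATING_BANDS[-1][1]


def assess(scores: Dict[str, int], weights: Dict[str, float]) -> Tuple[float, str]:
    """Return (weighted score, risk rating) for one vendor engagement."""
    score = weighted_score(scores, weights)
    return score, rating_for(score)


# Constructed sample: a cloud storage vendor with weak data protection controls.
SAMPLE_SCORES = {"governance": 4, "access_control": 5, "data_protection": 2,
                 "incident_response": 4, "vulnerability_management": 3,
                 "fourth_party": 3, "employee_security": 4}
EQUAL_WEIGHTS: Dict[str, float] = {}          # every domain defaults to 1.0
CLOUD_STORAGE_WEIGHTS = {"data_protection": 3.0}  # emphasise the relevant domain

if __name__ == "__main__":
    for name, w in (("equal", EQUAL_WEIGHTS), ("cloud storage", CLOUD_STORAGE_WEIGHTS)):
        score, rating = assess(SAMPLE_SCORES, w)
        print(f"{name:14s} weights -> {score:.2f} ({rating})")
```

With equal weights the vendor scores 25/7 (Low Risk); tripling the Data Protection weight pulls it down to 29/9 (Moderate Risk), which is the effect the weighting step is meant to have.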
Ongoing Monitoring
Vendor risk does not end at the initial assessment. Implement continuous monitoring to detect changes in vendor risk posture.
Subscribe to security rating services (e.g., SecurityScorecard, BitSight, RiskRecon) for continuous external monitoring of vendor security posture.
Monitor vendor communications and public disclosures for data breach notifications, leadership changes, or financial instability.
Track vendor compliance certification renewals and expirations (SOC 2, ISO 27001, HITRUST).
Require vendors to notify your organization within 24 to 72 hours of any security incident affecting your data.
Conduct periodic access reviews to verify that vendor access to your systems and data remains appropriate.
Monitor vendor performance against SLA commitments and escalate deviations.
Review vendor subcontractor changes that could affect the security of your data.
Contractual Requirements
Include the following security requirements in vendor contracts and service agreements.
Data Processing Agreement (DPA) specifying how the vendor will handle, store, and protect organizational data.
Right-to-audit clause allowing your organization to assess the vendor's security controls upon reasonable notice.
Incident notification requirements including timeline (e.g., 24 hours for critical incidents, 72 hours for others).
Data return and destruction requirements upon contract termination, including certification of destruction.
Insurance requirements including cyber liability coverage with minimum coverage amounts proportional to data exposure.
Compliance obligations requiring the vendor to maintain applicable certifications and comply with relevant regulations.
Subcontractor approval requirements ensuring you are notified before the vendor engages new subcontractors with access to your data.
Indemnification clauses for data breaches or security failures caused by the vendor.
Service Level Agreements (SLAs) with defined uptime, response time, and resolution time commitments.
Annual Review Process
Conduct a structured annual review of each vendor relationship based on vendor tier.
Request updated SOC 2 reports, ISO certifications, or security assessment results from each vendor.
Review any security incidents that occurred during the review period and evaluate the vendor's response.
Reassess the vendor tier classification based on changes in scope, data access, or business criticality.
Evaluate changes in the vendor's organizational structure, financial stability, or ownership that could affect risk.
Review and update the vendor inventory to add new vendors and remove decommissioned vendor relationships.
Update risk scores based on the latest assessment data and external monitoring signals.
Present a vendor risk summary report to the [Governance Committee / Executive Leadership] annually.
Archive all assessment documentation in accordance with the organization's records retention policy.
Need Help Assessing Your Vendors?
Our team can help you implement this framework, conduct vendor assessments, and build a vendor risk management program tailored to your compliance requirements.