
Vendor Risk Management

A practical guide to assessing, managing, and monitoring third-party and supply chain risks.


Purpose

Third-party vendors represent a significant attack surface and compliance risk. Effective vendor risk management ensures that suppliers, contractors, and service providers meet your organisation's security, privacy, and operational standards.


Vendor Risk Lifecycle

```mermaid
flowchart TD
    A[1. Identify Need] --> B[2. Vendor Selection]
    B --> C[3. Due Diligence]
    C --> D[4. Contract Negotiation]
    D --> E[5. Onboarding]
    E --> F[6. Ongoing Monitoring]
    F --> G[7. Offboarding]
    F -.Review Cycle.-> C
```

Vendor Risk Assessment Frameworks

Shared Assessments SIG (Standardized Information Gathering)

Purpose: Industry-standard vendor security questionnaire for financial services and beyond.

Components:

  • 18 domains covering security, privacy, risk management
  • ~1,800 questions in the full SIG Core; in practice a subset is used (the shorter SIG Lite, or domains selected according to the vendor's risk tier)
  • Standardised format reduces vendor assessment fatigue

Best For: Financial services, large enterprises with many vendors

Link: Shared Assessments


CAIQ (Consensus Assessments Initiative Questionnaire)

Purpose: Cloud Security Alliance's questionnaire for cloud service providers.

Scope: Aligned with CSA Cloud Controls Matrix (CCM)

Best For: Assessing cloud/SaaS vendors

Link: CSA CAIQ


NIST SP 800-161 Rev. 1 - Cybersecurity Supply Chain Risk Management

Region: United States

Purpose: Federal guidance on supply chain risk management (C-SCRM).

Key Components:

  • Supply chain risk assessment
  • Integration with enterprise risk management
  • Acquisition and procurement controls
  • Third-party assessment

Link: NIST SP 800-161


ISO 27036 - Information Security for Supplier Relationships

Region: International

Purpose: Multi-part standard covering supplier relationship security.

Parts:

  • Part 1: Overview and concepts
  • Part 2: Requirements
  • Part 3: ICT supply chain security guidelines
  • Part 4: Security of cloud services (based on ISO 27017)

Link: ISO 27036


Vendor Risk Tiering

Risk-Based Categorisation

| Tier | Criteria | Assessment Depth | Review Frequency |
|------|----------|------------------|------------------|
| Critical | Access to sensitive data, critical business function, regulatory scrutiny | Comprehensive due diligence, on-site audit, continuous monitoring | Quarterly |
| High | Access to internal systems, moderate data access, material contract value | Detailed questionnaire, security documentation review, annual audit | Semi-annually |
| Medium | Limited data access, standard business services | Standard questionnaire, attestation review | Annually |
| Low | No data access, commodity services, low business impact | Lightweight questionnaire or contract terms only | Every 2-3 years |

Tier Determination Factors

Data Sensitivity:

  • Access to personal data (GDPR/DPA compliance)
  • Access to payment card data (PCI DSS scope)
  • Access to health records (HIPAA, NHS data)
  • Access to confidential/proprietary information

Business Criticality:

  • Impact of vendor failure on operations
  • Availability of alternative suppliers
  • Concentration risk (% of service from single vendor)

Regulatory Requirements:

  • Subject to regulatory oversight (FCA, PRA, ICO)
  • Inherits compliance obligations
  • Required by contract (NHS DSPT, Cyber Essentials)

Technical Access:

  • Network connectivity to your environment
  • System administrator privileges
  • Code repository or infrastructure access
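The tiering table and the determination factors above describe a decision rule, and it is worth pinning that rule down in code so that two analysts tier the same vendor the same way. The block below is an added example, not part of the original guide: it maps the four factor groups (data sensitivity and volume, business criticality and alternative suppliers, regulatory scrutiny, technical access) onto the Critical/High/Medium/Low tiers and the review frequency from the table. The `VendorProfile` fields, the "none/limited/moderate/bulk" volume scale, the 30-month cycle for "every 2-3 years", and the rule that a vendor with no substitute is bumped one tier are all assumptions made for the example; tune them to your own risk appetite.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Data categories the factors above treat as sensitive (personal, payment card, health, confidential).
SENSITIVE_DATA = {"personal", "payment_card", "health", "confidential"}

# Review frequency per tier from the table above; "every 2-3 years" for Low is taken as 30 months (assumption).
REVIEW_CYCLE_MONTHS = {Tier.CRITICAL: 3, Tier.HIGH: 6, Tier.MEDIUM: 12, Tier.LOW: 30}


@dataclass
class VendorProfile:
    """Hypothetical intake record; field names are this example's own, not a standard schema."""
    name: str
    data_types: set = field(default_factory=set)   # e.g. {"personal", "health"}; other labels count as non-sensitive
    data_volume: str = "none"                      # "none" | "limited" | "moderate" | "bulk"
    critical_function: bool = False                # vendor failure halts a core business process
    alternatives_available: bool = True            # a substitute supplier exists
    regulated: bool = False                        # arrangement falls under FCA/PRA/ICO-style oversight
    network_connectivity: bool = False             # VPN, private link or similar into our environment
    admin_privileges: bool = False                 # administrator rights on our systems
    code_or_infra_access: bool = False             # repository or cloud/infrastructure access
    material_contract: bool = False                # contract value is material to the business


def assess_tier(v: VendorProfile) -> tuple:
    """Return (tier, reasons). One reading of the criteria table; thresholds are assumptions."""
    sensitive = bool(v.data_types & SENSITIVE_DATA)

    # Critical: sensitive data beyond a limited volume, critical function, regulatory scrutiny,
    # or privileged technical access (admin rights, code or infrastructure access).
    critical = []
    if sensitive and v.data_volume in ("moderate", "bulk"):
        critical.append(f"{v.data_volume} access to sensitive data {sorted(v.data_types & SENSITIVE_DATA)}")
    if v.critical_function:
        critical.append("supports a critical business function")
    if v.regulated:
        critical.append("arrangement is subject to regulatory oversight")
    if v.admin_privileges or v.code_or_infra_access:
        critical.append("holds privileged technical access")

    # High: internal system access, moderate non-sensitive data, limited sensitive data, or material contract.
    high = []
    if v.network_connectivity:
        high.append("network connectivity into our environment")
    if v.data_volume == "moderate" and not sensitive:
        high.append("moderate access to non-sensitive data")
    if sensitive and v.data_volume == "limited":
        high.append("limited access to sensitive data")
    if v.material_contract:
        high.append("material contract value")

    if critical:
        tier, reasons = Tier.CRITICAL, critical
    elif high:
        tier, reasons = Tier.HIGH, high
    elif v.data_volume == "limited":
        tier, reasons = Tier.MEDIUM, ["limited access to non-sensitive data"]
    else:
        tier, reasons = Tier.LOW, ["no data access and low business impact"]

    # Concentration risk (no alternative supplier) raises the tier one step, never beyond Critical.
    if not v.alternatives_available and tier < Tier.CRITICAL:
        tier = Tier(tier + 1)
        reasons.append("no alternative supplier; tier raised one step for concentration risk")
    return tier, reasons


def review_cycle_months(v: VendorProfile) -> int:
    return REVIEW_CYCLE_MONTHS[assess_tier(v)[0]]


if __name__ == "__main__":
    # Constructed vendors for illustration.
    for vendor in [
        VendorProfile("PayrollCloud", data_types={"personal"}, data_volume="bulk"),
        VendorProfile("SurveyTool", data_types={"personal"}, data_volume="limited"),
        VendorProfile("Stationery"),
    ]:
        tier, why = assess_tier(vendor)
        print(f"{vendor.name}: {tier.name}, review every {review_cycle_months(vendor)} months; {'; '.join(why)}")
```

Keeping the reasons alongside the tier matters more than the tier itself: when a vendor disputes its classification, or an auditor asks why a supplier is reviewed only every 30 months, the recorded reasons are the evidence.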

Due Diligence Process

Pre-Contract Assessment

1. Initial Screening

  • Business registration and financial stability check
  • Reputation and reference checks
  • Sanctions and adverse media screening
  • Insurance coverage verification

2. Security Questionnaire

Select questionnaire based on tier and service type:

  • Cloud/SaaS: CAIQ or vendor security whitepaper
  • Financial services: SIG or equivalent
  • General: Custom questionnaire (see template below)
  • Low-risk: Contract security schedule only

3. Documentation Review

Request and review:

  • Security policies and procedures
  • Certifications (ISO 27001, SOC 2, Cyber Essentials)
  • Penetration test results (executive summary)
  • Business continuity and disaster recovery plans
  • Incident response procedures
  • Data protection/privacy policies
  • Insurance certificates (cyber, professional indemnity)

4. On-site or Virtual Assessment (Critical/High tier only)

  • Facility tours (data centres, offices)
  • Technical architecture review
  • Security control validation
  • Staff interviews

Vendor Security Questionnaire Template

Lightweight Due Diligence Questionnaire (Medium-tier vendors)

Section 1: General Information

  1. Company legal name and registration details
  2. Primary contact for security matters
  3. Data centre/hosting locations (if applicable)
  4. Subcontractors used (list all with data access)

Section 2: Security Certifications & Compliance

  1. Do you hold ISO 27001 certification? (Provide certificate)
  2. Do you have a current SOC 2 Type II report? (Provide the report, plus a bridge letter if the audit period has ended)
  3. Do you hold Cyber Essentials or Cyber Essentials Plus? (UK)
  4. Are you compliant with relevant regulations (GDPR, HIPAA, PCI DSS)? Specify.

Section 3: Data Protection & Privacy

  1. Where is data stored geographically?
  2. Is data encrypted at rest and in transit? (Specify algorithms)
  3. Who has access to our data? (Roles, not names)
  4. Can you delete all our data upon request?
  5. Do you perform background checks on staff with data access?
  6. Do you have a Data Processing Agreement (DPA) template?

Section 4: Access Control & Authentication

  1. Do you enforce multi-factor authentication (MFA) for admin access?
  2. How are user access rights managed and reviewed?
  3. What is your password policy?
  4. Do you maintain access logs and audit trails?

Section 5: Vulnerability & Patch Management

  1. How frequently do you patch systems?
  2. Do you perform regular vulnerability scans?
  3. Do you conduct penetration testing? (Frequency and last test date)
  4. How do you manage security vulnerabilities?

Section 6: Incident Response & Business Continuity

  1. Do you have an incident response plan?
  2. What is your notification timeline for security incidents affecting our data?
  3. What are your RTO and RPO for service recovery?
  4. When did you last test your disaster recovery plan?

Section 7: Security Monitoring

  1. Do you have 24/7 security monitoring?
  2. Do you use intrusion detection/prevention systems?
  3. How do you detect and respond to anomalous activity?

Section 8: Secure Development (for software vendors)

  1. Do you follow a secure development lifecycle (SDLC)?
  2. Do you perform code reviews and security testing?
  3. How do you manage open-source components and vulnerabilities?

Section 9: Supply Chain

  1. Do you assess the security of your subcontractors/suppliers?
  2. Can you provide a list of all subcontractors with access to our data?

Section 10: Insurance & Liability

  1. Do you maintain cyber liability insurance? (Coverage amount)
  2. Do you maintain professional indemnity insurance?
  3. What are your liability caps in your standard contract?

Contract Security Requirements

Essential Security Clauses

Data Protection

  • Data processing agreement (DPA) or equivalent
  • Data location and cross-border transfer restrictions
  • Data retention and deletion obligations
  • Prohibition on unauthorised data use
  • Subcontractor notification and approval

Security Standards

  • Requirement to maintain ISO 27001, SOC 2, or equivalent
  • Specific security controls (encryption, MFA, logging)
  • Right to audit or review security controls
  • Compliance with applicable regulations

Incident Response

  • Notification timeline (e.g., within 24 hours of discovery; note that under GDPR Article 33 a processor must notify the controller without undue delay, and the controller then has only 72 hours to notify the supervisory authority, so the vendor's window must leave room for your own)
  • Forensic investigation cooperation
  • Incident reporting requirements
  • Breach notification obligations

Business Continuity

  • Minimum uptime SLA (e.g., 99.9%)
  • RTO and RPO commitments
  • Disaster recovery testing requirements

Right to Audit

  • Annual right to review security controls
  • On-site or remote audit rights
  • Third-party assessment acceptance (e.g., SOC 2 in lieu of audit)

Termination & Data Return

  • Data return format and timeline
  • Secure data deletion certification
  • Transition assistance requirements

Liability & Insurance

  • Liability caps and exclusions
  • Required insurance coverage
  • Indemnification for data breaches

Ongoing Monitoring

Continuous Monitoring Activities

| Activity | Frequency | Tier Applicability |
|----------|-----------|--------------------|
| Review SOC 2 / ISO 27001 reports | Annually | Critical, High |
| Security questionnaire refresh | Annually (Critical/High), every 2-3 years (Medium) | All |
| Vulnerability/breach news monitoring | Continuous | Critical, High |
| Financial stability check | Annually | Critical |
| Compliance status review | Quarterly | Critical (regulated industries) |
| Service performance review | Monthly/Quarterly | Critical, High |
| Contract and SLA review | At renewal | All |

Red Flags Requiring Immediate Review

  • Security incident or data breach disclosed
  • Certification lapse (ISO 27001, SOC 2 expiry)
  • Significant service outages
  • Merger, acquisition, or change of ownership
  • Loss of key personnel or mass layoffs
  • Financial distress indicators
  • Regulatory enforcement action

Supply Chain Risk Management

Supply Chain Mapping

Identify and document:

  1. Direct vendors (first-tier suppliers)
  2. Subcontractors (second-tier suppliers with data/system access)
  3. Critical dependencies (single points of failure)
  4. Fourth-party risk (vendors of your vendors)

Concentration Risk

Assess risk of over-reliance on single vendor:

  • Single vendor failure impact: Can operations continue?
  • Geographic concentration: All vendors in same region?
  • Technology concentration: All vendors on same cloud platform?
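The mapping and concentration checks above become mechanical once the supply chain is held as data: invert the vendor-to-subcontractor map to see which fourth parties several of your vendors share, then count how many Critical/High vendors sit in one region or on one cloud platform. The block below is an added example, not code from the original guide. The `Supplier` record, the constructed supply chain (no real vendors), and the 50% concentration threshold are assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """Hypothetical supply chain record; fields are this example's own."""
    name: str
    tier: str                  # "Critical" | "High" | "Medium" | "Low"
    subcontractors: frozenset  # fourth parties with data or system access
    region: str                # primary hosting/operating region
    platform: str              # underlying cloud platform, or "own" / "none"


# Constructed supply chain for illustration (not real vendors).
SUPPLY_CHAIN = [
    Supplier("PayrollCloud", "Critical", frozenset({"CloudHostCo", "EmailRelayInc"}), "eu-west", "AWS"),
    Supplier("DataCentreCo", "Critical", frozenset({"PowerGridLtd"}), "uk-south", "own"),
    Supplier("AnalyticsLtd", "High", frozenset({"CloudHostCo"}), "eu-west", "AWS"),
    Supplier("SupportDesk", "High", frozenset({"CloudHostCo", "TelephonyCo"}), "us-east", "AWS"),
    Supplier("Stationery", "Low", frozenset(), "uk-south", "none"),
]


def fourth_party_exposure(chain):
    """Invert the map: subcontractor -> sorted list of first-tier vendors that depend on it."""
    exposure = defaultdict(set)
    for supplier in chain:
        for sub in supplier.subcontractors:
            exposure[sub].add(supplier.name)
    return {sub: sorted(vendors) for sub, vendors in exposure.items()}


def shared_fourth_parties(chain, min_dependents=2):
    """Fourth parties whose failure would hit several vendors at once: hidden single points of failure."""
    return {sub: vendors for sub, vendors in fourth_party_exposure(chain).items()
            if len(vendors) >= min_dependents}


def concentration(chain, attribute, tiers=("Critical", "High")):
    """Share of Critical/High vendors on each value of `attribute` ("region" or "platform")."""
    scoped = [s for s in chain if s.tier in tiers]
    if not scoped:
        return {}
    counts = Counter(getattr(s, attribute) for s in scoped)
    return {value: round(n / len(scoped), 2) for value, n in counts.items()}


def concentration_warnings(chain, threshold=0.5):
    """Flag any region or platform carrying at least `threshold` of Critical/High vendors.

    "own" and "none" are skipped: a vendor on its own infrastructure is not a shared-platform dependency.
    The 0.5 threshold is an assumption for the example.
    """
    warnings = []
    for attribute in ("region", "platform"):
        for value, share in concentration(chain, attribute).items():
            if share >= threshold and value not in ("own", "none"):
                warnings.append((attribute, value, share))
    return sorted(warnings)


if __name__ == "__main__":
    print("shared fourth parties:", shared_fourth_parties(SUPPLY_CHAIN))
    print("platform concentration:", concentration(SUPPLY_CHAIN, "platform"))
    print("warnings:", concentration_warnings(SUPPLY_CHAIN))
```

In the constructed chain, three of the four Critical/High vendors turn out to run on the same hosting subcontractor and the same cloud platform, which no single vendor's questionnaire would reveal. That is the point of mapping: the concentration lives between vendors, not inside any one of them.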

Mitigation Strategies

  • Diversification: Multiple suppliers for critical functions
  • Exit planning: Documented offboarding and transition plans
  • Contractual safeguards: Source code escrow, data portability
  • Regular testing: Validate ability to switch vendors

Vendor Offboarding

Secure Offboarding Checklist

  • Data return or secure deletion (obtain certification)
  • Access revocation (all systems and credentials)
  • Removal from network connectivity
  • Asset return (hardware, documentation)
  • Final invoice and contract closure
  • Lessons learned documentation
  • Update vendor inventory and risk register

Industry-Specific Requirements

Financial Services (UK - FCA/PRA)

  • Operational Resilience: Third-party dependency mapping
  • Outsourcing Requirements: Notification to regulator for material outsourcing
  • SYSC 8: Senior management responsibility for outsourcing arrangements

Healthcare (UK - NHS)

  • Data Security and Protection Toolkit (DSPT): Suppliers must complete DSPT
  • Data Protection Impact Assessment: Required for high-risk processing

Healthcare (US - HIPAA)

  • Business Associate Agreement (BAA): Required for vendors with PHI access
  • Breach notification: A business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery; the covered entity then notifies affected individuals and HHS OCR (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log). Set a much shorter contractual notification window for the vendor than the statutory maximum.

Government (UK)

  • Cyber Essentials: Often mandatory for government suppliers
  • Security clearance: Required for suppliers with access to sensitive information

Vendor Risk Tools & Platforms

Security Ratings Services

  • BitSight: External security posture monitoring
  • SecurityScorecard: Continuous vendor risk monitoring
  • UpGuard: Third-party risk and attack surface monitoring
  • RiskRecon: Cyber risk assessments

Vendor Risk Management Platforms

  • OneTrust Third-Party Risk Management (formerly Vendorpedia): End-to-end vendor risk management
  • ServiceNow VRM: Integrated with GRC workflows
  • Prevalent: Third-party risk management automation
  • Archer (formerly RSA Archer): Enterprise GRC with vendor risk module

Note: Security ratings services score only what is visible from the outside (internet-facing assets, DNS and TLS configuration, exposed services, leaked credentials). They say nothing about a vendor's internal controls, can mis-attribute assets, and lag real changes. Treat a score drop as a trigger for follow-up, not as evidence of control effectiveness, and never as a substitute for initial due diligence.


Metrics & KPIs

| Metric | Description | Target |
|--------|-------------|--------|
| Vendor Assessment Coverage | % of vendors assessed per risk tier requirements | 100% |
| Overdue Assessments | Number of vendors past review date | 0 |
| Critical Findings | Open critical security findings from assessments | <5 |
| Certification Currency | % of critical/high vendors with current certifications | >95% |
| Incident Response Time | Average time to assess vendor incident impact | <24 hours |
| Contract Compliance | % of contracts with required security clauses | 100% |
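The continuous monitoring table, the certification-lapse red flag, and the KPI table above all derive from the same vendor register: each vendor's tier fixes its review cycle, the last assessment date gives the next due date, and the certificate expiry says whether the "current certification" metric counts it. The block below is an added example (not the guide's own tooling) that computes those KPIs against the targets in the table and lists the overdue vendors and lapsed certifications. The `VendorRecord` fields, the constructed register, the reporting date, and the 30-month cycle for "every 2-3 years" are assumptions for the example; the Incident Response Time metric needs incident records the register does not hold and is left out.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Review cycle per tier from the tiering table; "every 2-3 years" for Low is taken as 30 months (assumption).
REVIEW_CYCLE_MONTHS = {"Critical": 3, "High": 6, "Medium": 12, "Low": 30}

# Targets from the KPI table above.
TARGETS = {
    "assessment_coverage_pct": lambda v: v >= 100.0,
    "overdue_assessments": lambda v: v == 0,
    "open_critical_findings": lambda v: v < 5,
    "certification_currency_pct": lambda v: v > 95.0,
    "contract_compliance_pct": lambda v: v >= 100.0,
}


@dataclass
class VendorRecord:
    """Hypothetical register row; field names are this example's own."""
    name: str
    tier: str
    last_assessed: Optional[date]          # None = never assessed
    cert_expiry: Optional[date] = None     # ISO 27001 certificate expiry or SOC 2 report period end
    open_critical_findings: int = 0
    has_required_clauses: bool = True      # contract carries the security schedule


def add_months(d: date, months: int) -> date:
    """Calendar-correct month arithmetic (31 Jan + 1 month clamps to the last day of February)."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_review_due(rec: VendorRecord) -> Optional[date]:
    if rec.last_assessed is None:
        return None
    return add_months(rec.last_assessed, REVIEW_CYCLE_MONTHS[rec.tier])


def is_overdue(rec: VendorRecord, today: date) -> bool:
    due = next_review_due(rec)
    return due is None or due < today   # never assessed counts as overdue


def lapsed_certifications(register, today: date):
    """Red flag from the list above: Critical/High vendors with an expired or missing certificate/report."""
    return [r.name for r in register
            if r.tier in ("Critical", "High") and (r.cert_expiry is None or r.cert_expiry < today)]


def kpi_report(register, today: date) -> dict:
    total = len(register)
    overdue = [r.name for r in register if is_overdue(r, today)]
    in_scope = [r for r in register if r.tier in ("Critical", "High")]
    current = [r for r in in_scope if r.cert_expiry is not None and r.cert_expiry >= today]
    compliant = [r for r in register if r.has_required_clauses]

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 100.0

    values = {
        "assessment_coverage_pct": pct(total - len(overdue), total),
        "overdue_assessments": len(overdue),
        "open_critical_findings": sum(r.open_critical_findings for r in register),
        "certification_currency_pct": pct(len(current), len(in_scope)),
        "contract_compliance_pct": pct(len(compliant), total),
    }
    return {
        "values": values,
        "targets_met": {k: TARGETS[k](v) for k, v in values.items()},
        "overdue": overdue,
        "lapsed_certifications": lapsed_certifications(register, today),
    }


# Constructed register and reporting date for illustration.
AS_OF = date(2024, 6, 1)
SAMPLE_REGISTER = [
    VendorRecord("PayrollCloud", "Critical", date(2024, 4, 15), date(2025, 1, 31), open_critical_findings=1),
    VendorRecord("DataCentreCo", "Critical", date(2024, 1, 10), date(2024, 5, 31), open_critical_findings=3),
    VendorRecord("AnalyticsLtd", "High", date(2023, 11, 20), date(2024, 12, 31), has_required_clauses=False),
    VendorRecord("OfficeSupplies", "Low", date(2022, 3, 1)),
    VendorRecord("NewSaaS", "Medium", None),
]

if __name__ == "__main__":
    report = kpi_report(SAMPLE_REGISTER, AS_OF)
    for k, v in report["values"].items():
        print(f"{k}: {v} ({'OK' if report['targets_met'][k] else 'MISS'})")
    print("overdue:", report["overdue"])
    print("lapsed certifications:", report["lapsed_certifications"])
```

Two details are deliberate: a vendor that has never been assessed is overdue, not simply absent from the coverage figure, and a missing certificate for a Critical/High vendor counts as lapsed rather than unknown. Both choices stop an incomplete register from flattering the metrics.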

Quick Selection Guide

| Organisation Profile | Recommended Approach |
|----------------------|----------------------|
| Small business (<50 staff) | Tier vendors, lightweight questionnaire, focus on certifications (ISO 27001, SOC 2) |
| Medium enterprise (50-500) | Formal tiering, standardised questionnaires, annual reviews, vendor risk platform |
| Large enterprise (500+) | Comprehensive VRM programme, SIG/CAIQ questionnaires, dedicated vendor risk team, automated monitoring |
| Financial services | SIG questionnaire, regulatory compliance checks, on-site audits for critical vendors |
| Healthcare | HIPAA BAA requirements, DSPT (UK) or HITRUST (US), PHI handling assessments |
| Government/Public sector | Cyber Essentials minimum, security clearance where required, compliance with procurement rules |

Common Pitfalls

  1. One-size-fits-all approach: Assessing low-risk vendors with same rigour as critical vendors wastes resources
  2. Set and forget: No ongoing monitoring after initial assessment
  3. Missing subcontractors: Not identifying fourth-party risks
  4. Checkbox compliance: Accepting questionnaires without validation
  5. No exit strategy: Vendor lock-in with no transition plan
  6. Ignoring concentration risk: Over-reliance on single vendor
  7. Procurement and security disconnect: Contracts signed before security review