

How Do I Perform a Vendor Risk Assessment?

Effective vendor risk assessments begin by establishing an audit trail. The operating model that guides the process includes risk assessment documentation that the auditor will review to establish vendor categorization and concentration. Some examples of assessment documentation include:

Risk Assessment Qualitative Documentation

  • Vendors are categorized by service type
  • Access needed to internal data
  • Nature of data categorized by risk (client confidential, private data, corporate financial, identifiers, passwords)
  • Data and information security expectations

Risk Assessment Quantitative Documentation

  • Financial solvency baselines
  • Contract size
  • Beneficial owners of the third party's business
  • Location of headquarters
  • IT Security Ratings

Next, organizations must supply vendor report reviews proving ongoing governance throughout the vendor lifecycle. Traditionally, vendor lifecycle management incorporates five primary categories: qualifying, engagement, managing delivery, managing finances, and relationship termination. Policies and procedures that address each step in the life cycle include:

Qualifying

  • Process for obtaining and determining insurance, bonding, and business license documentation
  • Benchmarks for reviewing financial records and analyzing financial stability
  • Review process for staff training and licensing
  • Benchmarks for evaluating IT assets

Engagement

  • Contracts include a statement of work, delivery date, payment schedule, and information security requirements
Information Security Management

  • Baseline identity access management within the vendor organization
  • Baseline privileged access management for the vendor

Managing Delivery

  • Scheduling deliverables
  • Scheduling receivables
  • Organization defines stakeholders responsible for working with the vendor
  • Establishing physical access requirements
  • Defining system access requirements

Managing Finances

  • Establish an invoice schedule
  • Establish a payment mechanism

Terminating Relationship

  • Revoking physical access
  • Revoking system access
  • Definitions of causes for contract/relationship termination

Once the documentation framework has been established, you can administer the assessment. Using the documentation framework outlined above, organizations can streamline their risk assessment processes and ensure that all vendor audits are effective.