Vendor Risk Assessment Template
A comprehensive third-party vendor risk assessment template with questionnaire, scoring rubric, risk categories, and remediation tracking. Use this template to evaluate the security posture of vendors, suppliers, cloud providers, and service providers before and during your business relationship.
Suitable for compliance programs including SOC 2, HIPAA, PCI DSS, CMMC, NIST CSF, and ISO 27001.
Classify the vendor using the Pre-Assessment section to determine their risk tier
Send the questionnaire -- Tier 1 vendors get the full questionnaire; Tier 2 gets a subset; Tier 3 gets a simplified version
Score responses using the scoring rubric
Calculate the overall risk rating using the risk matrix
Document findings and required remediations
Track remediation through completion
Reassess based on the schedule for their risk tier
Classify each vendor before assessment to determine the depth of review required.
Tier
Classification
Criteria
Assessment Depth
Reassessment Frequency
Tier 1 - Critical
Vendor has direct access to sensitive data, systems, or is essential to operations
Processes/stores PII, PHI, CUI; has network access; single point of failure
Full questionnaire + evidence review + on-site (optional)
Annually
Tier 2 - High
Vendor handles internal data or provides important services
Accesses internal data; provides SaaS tools; performs professional services
Full questionnaire + evidence review
Every 18 months
Tier 3 - Medium
Vendor provides standard business services with limited data access
Office supplies, facilities, general consulting without data access
Simplified questionnaire
Every 2 years
Tier 4 - Low
Vendor has no access to data or systems
Marketing materials, catering, non-IT physical supplies
No questionnaire; contract terms only
At contract renewal
Pre-Assessment: Vendor Classification
Complete this form before sending the questionnaire.
Question
Answer
Vendor Name
Service/Product Provided
Contract Owner (Internal)
Does the vendor access, process, or store any company data?
Yes / No
What types of data?
PII / PHI / Financial / CUI / Internal / Public
Does the vendor have remote or on-site access to company systems?
Yes / No
Is the vendor a single point of failure for any business function?
Yes / No
Does the vendor subcontract any of the services they provide to us?
Yes / No
What compliance frameworks apply to data handled by the vendor?
HIPAA / PCI / CMMC / SOC 2 / GDPR / None
Assigned Risk Tier
Tier 1 / 2 / 3 / 4
Vendor Risk Assessment Questionnaire
Section 1: Organizational Security (All Tiers)
#
Question
Response
Evidence Provided
Score
1.1
Does your organization have a dedicated information security team or officer (CISO)?
1.2
Do you maintain written information security policies? When were they last reviewed?
1.3
Do you hold any security certifications (SOC 2 Type II, ISO 27001, FedRAMP)?
1.4
Do you carry cyber liability insurance? What is the coverage amount?
1.5
Have you experienced a data breach or significant security incident in the past 3 years?
1.6
Do you conduct background checks on employees who will access our data?
1.7
Do employees receive security awareness training? How often?
Section 2: Access Control (Tier 1 and 2)
#
Question
Response
Evidence Provided
Score
2.1
How do you control access to customer data (RBAC, ABAC, etc.)?
2.2
Is multi-factor authentication enforced for access to systems containing our data?
2.3
Do you follow the principle of least privilege for all access?
2.4
How do you manage user onboarding and offboarding (access provisioning/deprovisioning)?
2.5
Do you conduct regular access reviews? How often?
2.6
How do you manage privileged access (PAM solution, just-in-time access)?
2.7
Are shared accounts or credentials used? If so, how are they managed?
Section 3: Data Protection (Tier 1 and 2)
#
Question
Response
Evidence Provided
Score
3.1
Is our data encrypted at rest? What algorithm and key length?
3.2
Is our data encrypted in transit? What protocols (TLS 1.2+)?
3.3
Where is our data stored geographically?
3.4
Do you segregate customer data (logical or physical separation)?
3.5
What is your data retention policy? How is data destroyed when no longer needed?
3.6
Do you have a data classification framework?
3.7
Can you provide our data upon request or at contract termination? In what format?
3.8
Do you use any subprocessors? If so, list them and their roles.
Section 4: Network and Infrastructure Security (Tier 1)
#
Question
Response
Evidence Provided
Score
4.1
Do you conduct regular vulnerability scans? How often?
4.2
Do you conduct penetration tests? How often? By whom (internal/external)?
4.3
Do you have a patch management program? What is your SLA for critical patches?
4.4
Do you use network segmentation to isolate customer environments?
4.5
Do you deploy IDS/IPS, EDR, and SIEM?
4.6
How do you manage firewall rules and changes?
4.7
Do you monitor for unauthorized network access 24/7?
Section 5: Incident Response (Tier 1 and 2)
#
Question
Response
Evidence Provided
Score
5.1
Do you have a documented incident response plan?
5.2
How quickly will you notify us of a security incident affecting our data?
5.3
When was the incident response plan last tested (tabletop or simulation)?
5.4
Do you have a dedicated incident response team or retainer with an IR firm?
5.5
Will you provide forensic investigation results in the event of a breach?
Section 6: Business Continuity and Disaster Recovery (Tier 1)
#
Question
Response
Evidence Provided
Score
6.1
Do you have a business continuity plan (BCP)? When was it last tested?
6.2
What is your RTO (Recovery Time Objective) for our service?
6.3
What is your RPO (Recovery Point Objective) for our data?
6.4
How often are backups taken? Are they encrypted and stored off-site?
6.5
What was your uptime percentage over the past 12 months?
Section 7: Compliance and Legal (All Tiers)
#
Question
Response
Evidence Provided
Score
7.1
Which compliance frameworks do you comply with? (SOC 2, ISO 27001, HIPAA, PCI, FedRAMP)
7.2
Can you provide your most recent SOC 2 Type II report or equivalent?
7.3
Do you flow down security requirements to your subcontractors?
7.4
Are you willing to accept our data processing agreement (DPA)?
7.5
Will you allow us to conduct a security audit of your environment?
Score each question on a 1-5 scale:
Score
Rating
Criteria
5
Excellent
Fully implemented, documented, and evidenced. Meets or exceeds industry best practices.
4
Good
Implemented and documented. Minor improvements possible but no significant risk.
3
Adequate
Partially implemented or documented. Some gaps exist but compensating controls are in place.
2
Below Standard
Significant gaps. Control exists in theory but implementation is weak or inconsistent.
1
Deficient
Control is not implemented or documentation cannot be provided. Significant risk.
0
Refused/No Response
Vendor refused to answer or did not respond after follow-up. Treat as highest risk.
Category
Weight
Rationale
Data Protection
25%
Direct impact on confidentiality of your data
Access Control
20%
Controls who can reach your data
Incident Response
20%
Determines response speed when things go wrong
Network/Infrastructure
15%
Underlying platform security
Organizational Security
10%
Governance and culture indicators
Business Continuity
5%
Availability assurance
Compliance/Legal
5%
Regulatory alignment
Weighted Score
Risk Rating
Recommendation
4.5 - 5.0
Low Risk
Approve. Standard monitoring.
3.5 - 4.4
Moderate Risk
Approve with conditions. Require remediation plan for gaps.
2.5 - 3.4
High Risk
Approve only with executive risk acceptance and strong contractual protections.
1.5 - 2.4
Critical Risk
Do not approve. Require significant remediation before engagement.
Below 1.5
Unacceptable
Reject. Seek alternative vendor.
Finding #
Category
Finding Description
Risk Level
Remediation Required
Vendor Response
Due Date
Status
1
Open
2
Open
3
Open
After onboarding, monitor vendors continuously:
Activity
Tier 1
Tier 2
Tier 3
Full reassessment
Annually
Every 18 months
Every 2 years
SOC 2 report review
Annually
Annually
N/A
Security news monitoring
Continuous
Continuous
Quarterly
SLA/uptime review
Monthly
Quarterly
Annually
Incident notification review
As they occur
As they occur
N/A
Contract term review
At renewal
At renewal
At renewal
Maintain a master register of all assessed vendors:
Vendor
Service
Tier
Risk Rating
Last Assessment
Next Assessment
Contract Expiry
Owner
Professional Policy Development
Need customized policies for your organization? Petronella Technology Group provides:
Petronella Technology Group is CMMC-RP certified. Contact us or call (919) 348-4912.
Created and maintained by Petronella Technology Group - a cybersecurity and managed IT services firm based in Raleigh, NC. With 23+ years of experience and zero client breaches, we help businesses secure their infrastructure and achieve compliance.
MIT License - See LICENSE for details.