Skip to content

capetron/vendor-risk-assessment-template

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

Vendor Risk Assessment Template

A comprehensive third-party vendor risk assessment template with questionnaire, scoring rubric, risk categories, and remediation tracking. Use this template to evaluate the security posture of vendors, suppliers, cloud providers, and service providers before and during your business relationship.

Suitable for compliance programs including SOC 2, HIPAA, PCI DSS, CMMC, NIST CSF, and ISO 27001.

Table of Contents


How to Use This Template

  1. Classify the vendor using the Pre-Assessment section to determine their risk tier
  2. Send the questionnaire -- Tier 1 vendors get the full questionnaire; Tier 2 gets a subset; Tier 3 gets a simplified version
  3. Score responses using the scoring rubric
  4. Calculate the overall risk rating using the risk matrix
  5. Document findings and required remediations
  6. Track remediation through completion
  7. Reassess based on the schedule for their risk tier

Vendor Risk Tiers

Classify each vendor before assessment to determine the depth of review required.

Tier Classification Criteria Assessment Depth Reassessment Frequency
Tier 1 - Critical Vendor has direct access to sensitive data, systems, or is essential to operations Processes/stores PII, PHI, CUI; has network access; single point of failure Full questionnaire + evidence review + on-site (optional) Annually
Tier 2 - High Vendor handles internal data or provides important services Accesses internal data; provides SaaS tools; performs professional services Full questionnaire + evidence review Every 18 months
Tier 3 - Medium Vendor provides standard business services with limited data access Office supplies, facilities, general consulting without data access Simplified questionnaire Every 2 years
Tier 4 - Low Vendor has no access to data or systems Marketing materials, catering, non-IT physical supplies No questionnaire; contract terms only At contract renewal

Pre-Assessment: Vendor Classification

Complete this form before sending the questionnaire.

Question Answer
Vendor Name
Service/Product Provided
Contract Owner (Internal)
Does the vendor access, process, or store any company data? Yes / No
What types of data? PII / PHI / Financial / CUI / Internal / Public
Does the vendor have remote or on-site access to company systems? Yes / No
Is the vendor a single point of failure for any business function? Yes / No
Does the vendor subcontract any of the services they provide to us? Yes / No
What compliance frameworks apply to data handled by the vendor? HIPAA / PCI / CMMC / SOC 2 / GDPR / None
Assigned Risk Tier Tier 1 / 2 / 3 / 4

Vendor Risk Assessment Questionnaire

Section 1: Organizational Security (All Tiers)

# Question Response Evidence Provided Score
1.1 Does your organization have a dedicated information security team or officer (CISO)?
1.2 Do you maintain written information security policies? When were they last reviewed?
1.3 Do you hold any security certifications (SOC 2 Type II, ISO 27001, FedRAMP)?
1.4 Do you carry cyber liability insurance? What is the coverage amount?
1.5 Have you experienced a data breach or significant security incident in the past 3 years?
1.6 Do you conduct background checks on employees who will access our data?
1.7 Do employees receive security awareness training? How often?

Section 2: Access Control (Tier 1 and 2)

# Question Response Evidence Provided Score
2.1 How do you control access to customer data (RBAC, ABAC, etc.)?
2.2 Is multi-factor authentication enforced for access to systems containing our data?
2.3 Do you follow the principle of least privilege for all access?
2.4 How do you manage user onboarding and offboarding (access provisioning/deprovisioning)?
2.5 Do you conduct regular access reviews? How often?
2.6 How do you manage privileged access (PAM solution, just-in-time access)?
2.7 Are shared accounts or credentials used? If so, how are they managed?

Section 3: Data Protection (Tier 1 and 2)

# Question Response Evidence Provided Score
3.1 Is our data encrypted at rest? What algorithm and key length?
3.2 Is our data encrypted in transit? What protocols (TLS 1.2+)?
3.3 Where is our data stored geographically?
3.4 Do you segregate customer data (logical or physical separation)?
3.5 What is your data retention policy? How is data destroyed when no longer needed?
3.6 Do you have a data classification framework?
3.7 Can you provide our data upon request or at contract termination? In what format?
3.8 Do you use any subprocessors? If so, list them and their roles.

Section 4: Network and Infrastructure Security (Tier 1)

# Question Response Evidence Provided Score
4.1 Do you conduct regular vulnerability scans? How often?
4.2 Do you conduct penetration tests? How often? By whom (internal/external)?
4.3 Do you have a patch management program? What is your SLA for critical patches?
4.4 Do you use network segmentation to isolate customer environments?
4.5 Do you deploy IDS/IPS, EDR, and SIEM?
4.6 How do you manage firewall rules and changes?
4.7 Do you monitor for unauthorized network access 24/7?

Section 5: Incident Response (Tier 1 and 2)

# Question Response Evidence Provided Score
5.1 Do you have a documented incident response plan?
5.2 How quickly will you notify us of a security incident affecting our data?
5.3 When was the incident response plan last tested (tabletop or simulation)?
5.4 Do you have a dedicated incident response team or retainer with an IR firm?
5.5 Will you provide forensic investigation results in the event of a breach?

Section 6: Business Continuity and Disaster Recovery (Tier 1)

# Question Response Evidence Provided Score
6.1 Do you have a business continuity plan (BCP)? When was it last tested?
6.2 What is your RTO (Recovery Time Objective) for our service?
6.3 What is your RPO (Recovery Point Objective) for our data?
6.4 How often are backups taken? Are they encrypted and stored off-site?
6.5 What was your uptime percentage over the past 12 months?

Section 7: Compliance and Legal (All Tiers)

# Question Response Evidence Provided Score
7.1 Which compliance frameworks do you comply with? (SOC 2, ISO 27001, HIPAA, PCI, FedRAMP)
7.2 Can you provide your most recent SOC 2 Type II report or equivalent?
7.3 Do you flow down security requirements to your subcontractors?
7.4 Are you willing to accept our data processing agreement (DPA)?
7.5 Will you allow us to conduct a security audit of your environment?

Scoring Rubric

Score each question on a 1-5 scale:

Score Rating Criteria
5 Excellent Fully implemented, documented, and evidenced. Meets or exceeds industry best practices.
4 Good Implemented and documented. Minor improvements possible but no significant risk.
3 Adequate Partially implemented or documented. Some gaps exist but compensating controls are in place.
2 Below Standard Significant gaps. Control exists in theory but implementation is weak or inconsistent.
1 Deficient Control is not implemented or documentation cannot be provided. Significant risk.
0 Refused/No Response Vendor refused to answer or did not respond after follow-up. Treat as highest risk.

Category Weights

Category Weight Rationale
Data Protection 25% Direct impact on confidentiality of your data
Access Control 20% Controls who can reach your data
Incident Response 20% Determines response speed when things go wrong
Network/Infrastructure 15% Underlying platform security
Organizational Security 10% Governance and culture indicators
Business Continuity 5% Availability assurance
Compliance/Legal 5% Regulatory alignment

Risk Rating Matrix

Weighted Score Risk Rating Recommendation
4.5 - 5.0 Low Risk Approve. Standard monitoring.
3.5 - 4.4 Moderate Risk Approve with conditions. Require remediation plan for gaps.
2.5 - 3.4 High Risk Approve only with executive risk acceptance and strong contractual protections.
1.5 - 2.4 Critical Risk Do not approve. Require significant remediation before engagement.
Below 1.5 Unacceptable Reject. Seek alternative vendor.

Remediation Tracking

Finding # Category Finding Description Risk Level Remediation Required Vendor Response Due Date Status
1 Open
2 Open
3 Open

Ongoing Monitoring

After onboarding, monitor vendors continuously:

Activity Tier 1 Tier 2 Tier 3
Full reassessment Annually Every 18 months Every 2 years
SOC 2 report review Annually Annually N/A
Security news monitoring Continuous Continuous Quarterly
SLA/uptime review Monthly Quarterly Annually
Incident notification review As they occur As they occur N/A
Contract term review At renewal At renewal At renewal

Vendor Risk Register

Maintain a master register of all assessed vendors:

Vendor Service Tier Risk Rating Last Assessment Next Assessment Contract Expiry Owner

Professional Policy Development

Need customized policies for your organization? Petronella Technology Group provides:

Petronella Technology Group is CMMC-RP certified. Contact us or call (919) 348-4912.


About

Created and maintained by Petronella Technology Group - a cybersecurity and managed IT services firm based in Raleigh, NC. With 23+ years of experience and zero client breaches, we help businesses secure their infrastructure and achieve compliance.

License

MIT License - See LICENSE for details.

About

Third-party vendor risk assessment template with questionnaire, scoring rubric, risk categories, and remediation tracking. For supply chain security and compliance programs.

Topics

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors