Vendor Risk Assessment
Vendor Risk Checklist
A lean intake and diligence checklist so vendor management stays consistent across security, procurement, and legal.
Intake (before scoring)
- •Describe data processed (PII/PHI/payment/internal).
- •Document access paths (user, admin, API, network).
- •Classify vendor criticality and business owner.
- •Integration type and data flow diagram (one-way vs bi-directional).
- •Estimated data volume and regions.
- •Subprocessor list, if any.
- •Disclosed incidents or breaches in the last 24 months.
Due diligence (after tiering)
- •Request evidence-by-tier package (SOC reports, pentest, DPAs as needed).
- •Validate identity and access model (SSO/MFA, privileged access logging).
- •Review incident response process and notification SLAs.
- •Check data retention/deletion and encryption coverage.
- •Confirm subprocessors and upstream certifications.
Contracts and ongoing
- •Include tier-aligned security addendum and DPA.
- •Document reassessment cadence and owners.
- •Track exceptions with remediation dates.
- •Store all materials with audit-ready labeling.
Frequently Asked Questions
What should a vendor risk intake form capture?
Data sensitivity, access type, criticality, integrations, data volumes, subprocessors, and incident history. Those inputs drive tiering and evidence asks.
Do all vendors need the same evidence?
No. Evidence should scale with risk. Low-risk vendors can often provide a light questionnaire and attestations; high-risk vendors should provide SOC reports, pentest summaries, and stronger contract terms.
Premium Resource
Vendor Review Checklist (PDF)
Download our comprehensive vendor due diligence checklist. Maps every intake question to specific evidence requirements and contract clauses.
- Fully editable template
- Built for 2026 Audit Standards
By downloading, you agree to receive RiscLens updates. Secure 256-bit encryption.