Vendor Risk Assessment

Common Mistakes

Keep vendor risk assessments lean and defensible by avoiding these common pitfalls.

What to avoid

  • Requesting full SOC 2 + pen tests from every vendor regardless of tier.
  • Skipping data flow clarification: unclear data types and volumes lead to wrong tiers.
  • Ignoring incident history or relying only on marketing claims.
  • No cadence ownership; reassessments slip and evidence goes stale.
  • Contracts that omit breach notice, subprocessor approval, or access requirements.
  • Not documenting exceptions or remediation timelines.

How to stay on track

  • Use the triage tool to set tier and cadence before requesting evidence.
  • Store one evidence-by-tier list and reuse it for every review.
  • Note exceptions with owners and due dates so audits stay clean.

Frequently Asked Questions

What is the biggest vendor risk assessment mistake?

Applying the same evidence requirements to every vendor. It slows procurement and frustrates auditors. Tiering keeps effort proportional.

How do teams miss incident history?

They skip explicit questions about past incidents or rely only on sales contacts. Ask for disclosures and check public incident records when risk is higher.