Vendor Risk Assessment
Evidence by Tier
Ask for the right evidence based on the vendor’s tier—nothing more, nothing less. Keep requests predictable for auditors and vendors.
Low risk
Light coverage for vendors with low sensitivity, low access, or low criticality.
- Security questionnaire (lite) mapped to your controls
- DPA if any PII is processed
- Policy attestations for access control and incident response
- Annual attestation on changes and incidents
Medium risk
Vendors touching customer data or with meaningful access.
- SOC 2 Type II or ISO 27001 (or roadmap + compensating controls)
- Incident response summary and notification SLAs
- Access control overview with MFA/SSO enabled
- Vendor/subprocessor list with regions
- BCP/DR summary and test cadence
- Quarterly attestations for changes or incidents
High risk
Vendors with privileged access, regulated data, or bi-directional integrations.
- SOC 2 Type II (preferred) with bridge letter if timing requires
- Recent pentest summary or third-party assessment with remediation status
- Detailed IR playbooks and BCP/DR evidence
- Data flow diagrams and architecture overview
- Security addendum with clear liability and notification terms
- Semiannual reassessment or continuous monitoring subscription
Practical tips
- Accept equivalent evidence (e.g., ISO + SOC bridge letter) when appropriate.
- Timebox follow-ups and capture exceptions with remediation targets.
- Store evidence and notes in one location for audits and security questionnaires.