Vendor Risk Assessment

Monitoring Cadence

Set an evidence cadence that matches vendor risk. Keep reassessments predictable for auditors and vendors.

Low risk

Annual attestation and light questionnaire refresh.

  • Confirm no material changes to data type or access.
  • Reconfirm subprocessors and regions.
  • Capture any incidents and responses.

Medium risk

Annual review plus quarterly attestations.

  • SOC/ISO updates or bridge letters.
  • Quarterly change log for access and architecture.
  • Incident reporting and remediation status.

High risk

Initial deep review plus semiannual reassessment; consider continuous monitoring.

  • Updated SOC 2 Type II and pentest summaries.
  • Semiannual privileged access review.
  • BCP/DR tests and incident drills.
  • Monitoring for subprocessor changes or ownership changes.

Operational tips

  • Track cadence ownership (security vs procurement) and keep reminders in one system.
  • Tag vendors with tier + next review date so auditors can trace the schedule.
  • Escalate cadence immediately if access or data sensitivity increases.