Vendor Risk Assessment
Scoring Model
Transparent scoring keeps vendor reviews consistent and audit-ready. Inputs map directly to points, then into Low, Medium, or High tiers.
Weights by input
Data sensitivity
- None/Public: 0
- Internal: 10
- PII: 25
- Financial: 35
- PHI/regulated: 45
Access level
- No access: 0
- Limited user: 10
- API scoped: 20
- Admin: 35
- Network/production: 45
Vendor criticality
- Nice-to-have: 5
- Important: 15
- Business-critical: 25
Integration type
- Standalone: 0
- SSO only: 5
- One-way sync: 10
- Bi-directional: 20
Data volume
- Low: 0
- Medium: 10
- High: 20
Subprocessors
- No: 0
- Yes: 10
Incident history
- None/not disclosed: 10
- Minor resolved: 15
- Significant (24 months): 25
Tier mapping
- Low (0–34) — Light questionnaire and attestations; annual review cadence.
- Medium (35–64) — SOC/ISO reports, incident summary, and quarterly attestations.
- High (65–100) — SOC 2 Type II + pentest summary; semiannual review or continuous monitoring.
Scores clamp at 100 to avoid runaway math (the raw maximum of the weights above is 190). The "why" explanation lists the biggest point contributors so reviewers can sanity-check the tier against the inputs.
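The weights, clamp, tier mapping and "why" output above, implemented as an added example in Python; this is not code from RiscLens or its spreadsheet, and the input key names and the `score_vendor` function are my own naming:

```python
# Added example: the vendor risk scoring model implemented as a function.
from typing import Dict, List, Tuple

# Points per input option, exactly as listed in the model.
WEIGHTS: Dict[str, Dict[str, int]] = {
    "data_sensitivity": {"none_public": 0, "internal": 10, "pii": 25, "financial": 35, "phi_regulated": 45},
    "access_level": {"no_access": 0, "limited_user": 10, "api_scoped": 20, "admin": 35, "network_production": 45},
    "vendor_criticality": {"nice_to_have": 5, "important": 15, "business_critical": 25},
    "integration_type": {"standalone": 0, "sso_only": 5, "one_way_sync": 10, "bi_directional": 20},
    "data_volume": {"low": 0, "medium": 10, "high": 20},
    "subprocessors": {"no": 0, "yes": 10},
    "incident_history": {"none_not_disclosed": 10, "minor_resolved": 15, "significant_24mo": 25},
}

# Inclusive score bands for each tier.
TIERS = [(0, 34, "Low"), (35, 64, "Medium"), (65, 100, "High")]


def score_vendor(inputs: Dict[str, str], top_n: int = 3) -> Tuple[int, str, List[str]]:
    """Return (clamped score, tier, why) for one vendor review.

    Every dimension must be supplied and every option must be a known one;
    a missing or unknown input raises instead of silently scoring 0, so a
    malformed review cannot drift into the Low tier by accident.
    """
    missing = set(WEIGHTS) - set(inputs)
    if missing:
        raise ValueError(f"missing inputs: {sorted(missing)}")
    contributions = []
    for dim, choice in inputs.items():
        if dim not in WEIGHTS or choice not in WEIGHTS[dim]:
            raise ValueError(f"unknown input {dim}={choice!r}")
        contributions.append((dim, choice, WEIGHTS[dim][choice]))
    raw = sum(points for _, _, points in contributions)
    score = min(raw, 100)  # clamp at 100, as the model specifies
    tier = next(name for lo, hi, name in TIERS if lo <= score <= hi)
    # "why": largest drivers first (stable sort keeps input order on ties)
    drivers = sorted(contributions, key=lambda c: c[2], reverse=True)[:top_n]
    why = [f"{dim}={choice} (+{pts})" for dim, choice, pts in drivers if pts > 0]
    return score, tier, why


if __name__ == "__main__":
    # Constructed sample: a payroll vendor holding PII with admin access.
    sample = {"data_sensitivity": "pii", "access_level": "admin",
              "vendor_criticality": "business_critical", "integration_type": "bi_directional",
              "data_volume": "medium", "subprocessors": "yes",
              "incident_history": "none_not_disclosed"}
    print(score_vendor(sample))  # raw 135 clamps to 100 -> High
```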
