Your security posture is only as strong as your weakest vendor. The vendors and service providers you work with have access to your systems, your customer data, and your business operations — and their security failures become your security failures. This guide teaches you how to systematically assess and manage third-party risk.
Why Vendor Risk Is Your Risk
60% of data breaches in 2024 involved a third party. Major breaches at Target (via HVAC vendor), SolarWinds (via software vendor), and countless others originated not with the primary organization but with a vendor who had access to critical systems. Your vendors may include cloud hosting providers storing your customer data, SaaS applications processing business operations, payroll processors handling employee financial information, and IT service providers with administrative access to your systems. Each is a potential breach vector.
Step 1: Build a Vendor Inventory
List every vendor that has access to your systems, processes data on your behalf, or connects to your network. For each vendor document: vendor name and primary contact, service provided, data or system access granted, access method (VPN, direct account, API, physical), compliance certifications they hold (SOC 2, ISO 27001, PCI DSS), data they process (customer PII, payment data, health information), and contract and BAA status.
Step 2: Tier Your Vendors by Risk Level
Tier 1 (Critical): vendors with access to sensitive data or whose disruption would significantly impact operations. Full security assessment required. Annual review.
Tier 2 (High): vendors with limited access to sensitive data or who provide important but not critical services. Questionnaire-based assessment. Annual review.
Tier 3 (Standard): vendors with no access to sensitive data providing commodity services. Self-attestation review at contract renewal.
Step 3: Conduct Security Assessments
For Tier 1 vendors, request: most recent SOC 2 Type II report, ISO 27001 certification if applicable, penetration test summary results, incident response plan summary, and subprocessor/subcontractor list. Key questions to ask: how is our data encrypted at rest and in transit, how is access to our data controlled and monitored, what is your breach notification process, have you experienced a data breach in the past 12 months, and what are your backup and recovery procedures.
Step 4: Review Vendor Contracts
Before signing with any vendor handling your data, ensure your contract includes: data processing terms limiting use to service provision only, security requirements defining minimum standards they must maintain, breach notification obligation within 72 hours or less, audit rights to request security documentation, subcontractor controls requiring equivalent security standards, and data return/deletion terms upon contract termination. If your data includes PHI, all relevant vendors must sign a Business Associate Agreement in addition to their standard contract.
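The four steps above are easier to keep current when the inventory is treated as data and a script applies the tiering rules and the checklist to it, so that a vendor slipping out of compliance (an expired review, a PHI processor without a BAA, a contract with a 96-hour notification clause) surfaces automatically. The following Python is an added example and not code from the guide; the Vendor fields, the "full"/"limited"/"none" value for sensitive_access, the 365-day review window, and the fictional sample vendors are all assumptions constructed for illustration.

```python
"""Vendor inventory, risk tiering and checklist gap checks (added example, not from the guide)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Longest breach-notification window the guide accepts in a contract.
MAX_BREACH_NOTICE_HOURS = 72
# Tier 1 vendors are reviewed annually (assumed 365-day window).
MAX_REVIEW_AGE_DAYS = 365


@dataclass
class Vendor:
    """One row of the vendor inventory. Field names are assumptions for this example."""
    name: str
    service: str
    access_method: str                  # VPN, direct account, API, physical, none
    data_processed: Set[str] = field(default_factory=set)   # e.g. customer PII, health information
    sensitive_access: str = "none"      # "full", "limited" or "none" (assumed field)
    admin_access: bool = False          # administrative access to our systems
    critical_to_operations: bool = False
    important_service: bool = False
    certifications: Set[str] = field(default_factory=set)   # SOC 2 Type II, ISO 27001, PCI DSS
    baa_signed: bool = False
    contract_has_dp_terms: bool = False
    contract_breach_notice_hours: Optional[int] = None      # None = no clause in the contract
    assessment_completed: bool = False
    questionnaire_completed: bool = False
    days_since_review: Optional[int] = None                 # None = never reviewed


def assign_tier(v: Vendor) -> int:
    """Apply the guide's tiering rules: 1 = Critical, 2 = High, 3 = Standard."""
    if v.sensitive_access == "full" or v.admin_access or v.critical_to_operations:
        return 1
    if v.sensitive_access == "limited" or v.important_service:
        return 2
    return 3


def find_gaps(v: Vendor) -> List[str]:
    """Run the guide's checklist against one vendor and return the items that fail."""
    tier = assign_tier(v)
    gaps: List[str] = []
    if tier == 1:
        if not v.assessment_completed:
            gaps.append("Tier 1 security assessment not completed")
        if "SOC 2 Type II" not in v.certifications:
            gaps.append("Tier 1 vendor has no SOC 2 Type II report on file")
        if v.days_since_review is None or v.days_since_review > MAX_REVIEW_AGE_DAYS:
            gaps.append("Tier 1 annual review overdue")
    if tier == 2 and not v.questionnaire_completed:
        gaps.append("Tier 2 questionnaire not completed")
    if "health information" in v.data_processed and not v.baa_signed:
        gaps.append("processes PHI but no BAA signed")
    if not v.contract_has_dp_terms:
        gaps.append("contract lacks data processing terms")
    if v.contract_breach_notice_hours is None or v.contract_breach_notice_hours > MAX_BREACH_NOTICE_HOURS:
        gaps.append("contract lacks breach notification within 72 hours")
    return gaps


def review_inventory(inventory: List[Vendor]) -> List[Tuple[str, int, List[str]]]:
    """Return (name, tier, gaps) for every vendor, Tier 1 first so the worst risks lead the report."""
    rows = [(v.name, assign_tier(v), find_gaps(v)) for v in inventory]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample inventory: fictional vendors, not taken from the guide.
SAMPLE_INVENTORY = [
    Vendor("CloudHost Co", "customer database hosting", "API",
           data_processed={"customer PII"}, sensitive_access="full",
           certifications={"SOC 2 Type II", "ISO 27001"}, contract_has_dp_terms=True,
           contract_breach_notice_hours=24, assessment_completed=True, days_since_review=400),
    Vendor("MedBill Inc", "medical billing", "direct account",
           data_processed={"health information"}, sensitive_access="full",
           contract_has_dp_terms=True, contract_breach_notice_hours=72),
    Vendor("SupportDesk SaaS", "helpdesk ticketing", "API",
           data_processed={"customer PII"}, sensitive_access="limited",
           contract_has_dp_terms=True, contract_breach_notice_hours=96),
    Vendor("Office Supplies Ltd", "stationery", "none",
           contract_has_dp_terms=True, contract_breach_notice_hours=72),
]

if __name__ == "__main__":
    for name, tier, gaps in review_inventory(SAMPLE_INVENTORY):
        print(f"Tier {tier}  {name:<20} {'; '.join(gaps) if gaps else 'no gaps'}")
```

Running the script prints one line per vendor, worst tier first. In the sample data the hosting provider passes every check except its overdue annual review, the billing vendor fails four items including the missing BAA, and the helpdesk SaaS is flagged for an unfinished questionnaire and a 96-hour notification clause. Replacing the hard-coded list with rows read from the real inventory turns the same checks into a recurring control.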
Vendor Risk Management Checklist
Complete vendor inventory exists and is up to date.
All vendors categorized by risk tier.
Security assessments completed for all Tier 1 vendors.
Questionnaires completed for all Tier 2 vendors.
BAAs signed with all vendors handling PHI.
Data processing terms included in all vendor contracts.
Breach notification requirement in all vendor contracts.
Annual review schedule established for all Tier 1 vendors.
Vendor breach response scenarios documented.
Find out where your vendor risk management and compliance program has gaps. A Compliance Gap Analysis evaluates your BAA status, vendor risk posture, and regulatory readiness — delivered in 48 hours for $27.
