
Vendor Risk Assessment Template

A vendor risk assessment template that scores a vendor across security, financial, operational, and concentration risk — aligned to what SOC 2 and ISO 27001 auditors expect — so vendor due diligence becomes a 30-minute exercise instead of a project.

Preview of vendor risk assessment template showing risk categories, scoring rubric, classification tiers, and remediation requirements

Download this template — free


What's included

  • Vendor metadata block (name, services, data classification, business owner)
  • Risk classification tier (Critical / High / Medium / Low) — drives depth of review
  • Security risk section (certifications, encryption, access controls, incident history)
  • Financial risk section (financial health, concentration, insurance)
  • Operational risk section (SLA, uptime, geographic concentration, key-person)
  • Concentration risk section (% of category spend, switching cost, replaceability)
  • Data privacy section (PII handling, regions, breach notification)
  • Scoring rubric (1–5 per category, weighted total)
  • Remediation requirements (must-fix before approval, monitor list)
  • Review cadence and re-assessment trigger
  • Approval block

How to use this template

  1. Classify the vendor BEFORE assessing them

    A vendor that handles PII or runs in your production environment is Critical-tier and gets a full assessment. A SaaS tool used by one team for $200/month is Low-tier and gets a 15-minute check. Match the depth of assessment to the risk classification — full Critical-tier reviews on every vendor create assessment fatigue and missed risks.

  2. Ask for evidence, not assertions

    Vendors will check every box on a self-assessment. Ask for evidence: a current SOC 2 Type II report (and read it: confirm the review period, confirm the scope covers the services you are buying, and note any exceptions the auditor raised; ask for a bridge letter if the report period has lapsed), penetration test results from the last 12 months, state-filed articles of incorporation, current insurance certificates. Assertions without evidence get a score of 1 on that line.

  3. Score concentration risk separately

    Concentration risk is the single most under-assessed category. If a vendor is 40% of your category spend, or running a service with no realistic substitute, that vendor is high-risk regardless of how secure they are. The template gives concentration its own section so it doesn't hide inside operational risk.

  4. Set re-assessment triggers

    Risk assessments go stale fast. Build in triggers: annual re-assessment for Critical and High tiers, biennial for Medium, on-request for Low. Also re-assess on event triggers: material breach, M&A, ownership change, key personnel departure, expanded scope of services.

  5. Maintain the central risk register

    Individual assessments are useful; a central register of all vendor risks is more useful. Aggregate the assessments into a single spreadsheet sorted by risk tier and category. That register is what your SOC 2 auditor will ask for first.

Who it's for

  • Security and compliance teams running structured vendor onboarding
  • Operations leaders evaluating critical vendors
  • Companies preparing for SOC 2 or ISO 27001 audits
  • CISOs in regulated industries (financial services, healthcare, education)

Frequently asked questions

When do I need to run a vendor risk assessment?
For Critical and High-tier vendors: before contract signature, and at least annually thereafter. For Medium-tier: at signature and biennially. For Low-tier: a 15-minute lightweight check at signature is usually enough. Event triggers (breach, M&A, expanded scope) also drive ad-hoc re-assessments regardless of tier.
What counts as a "Critical-tier" vendor?
Three tests: (1) the vendor processes or stores PII / customer data; (2) the vendor runs in your production environment; or (3) the vendor is in the failure path of revenue. Any one of these makes the vendor Critical. Examples: cloud infrastructure, identity providers, payment processors, key SaaS systems of record.
How is vendor risk assessment different from vendor scorecard?
Risk assessment is a point-in-time (or annual) evaluation of risk EXPOSURE: what could go wrong. A vendor scorecard is an ongoing evaluation of vendor PERFORMANCE: what is going well or badly right now. Both matter. Risk assessment runs before the vendor is approved and again on the re-assessment cadence; scorecards run on the regular vendor-management cadence.
Do I need a vendor risk assessment for SOC 2?
Yes. Vendor risk management sits in the common criteria of the Trust Services Criteria: CC9.2 requires the entity to assess and manage risks associated with vendors and business partners, and the CC3 risk-assessment criteria expect that assessment to feed the wider risk process. Auditors will ask for: the vendor risk policy, the risk assessment process, the central register, and evidence that critical vendors were actually assessed on the stated cadence. The template here covers the assessment side; you'll also need a policy document.
Should we share the assessment with the vendor?
The assessment itself: usually no — it includes internal commentary, concentration analysis, and remediation requirements. But share specific findings that require vendor action: missing certifications, security gaps, contract terms that need renegotiation. Vendors who get specific feedback can fix things; vendors who get a black-box "you failed" cannot.

When the template isn't enough

AppDeck's vendor portal turns this template into a live workspace — version control, permissions, signatures, and analytics built in.