Vendor Risk Assessment Template

Free Excel download • Edit online • Save & share with Drive • Export to PDF

1 page · 20–30 min to fill · Difficulty: Standard · Signature required · Legal review recommended

At a glance

What it is
A Vendor Risk Assessment is a structured due diligence document used to evaluate the risks a third-party vendor poses to your organization before or during an active business relationship. This free template lets you document a vendor's security posture, financial stability, compliance standing, and operational controls in a single reviewable record you can export as PDF and share with procurement, legal, and executive stakeholders.
When you need it
Use it before onboarding a new supplier or service provider, when renewing a contract with an existing vendor, or when a vendor's role expands to include access to sensitive data, systems, or critical operations. Regulated industries typically require documented assessments before any third-party engagement.
What's inside
Vendor identification and classification, information security controls, data privacy and compliance certifications, business continuity and disaster recovery provisions, financial health indicators, subcontractor disclosure, incident response obligations, and a risk scoring summary with remediation requirements and sign-off fields for both parties.

What is a Vendor Risk Assessment?

A Vendor Risk Assessment is a structured due diligence document used to evaluate the information security, data privacy, financial stability, and operational resilience of a third-party supplier or service provider before or during an active business relationship. It assigns the vendor a risk tier, records evidence of their controls and certifications, identifies control gaps, and captures remediation commitments, creating a formal, signed record that supports procurement decisions, contract negotiations, and regulatory audits. Unlike an informal vendor questionnaire, a completed risk assessment is certified by authorized signatories on both sides, and the obligations it surfaces (notification windows, subcontractor notice, remediation deadlines) are carried into the vendor agreement, where they become enforceable.

Why You Need This Document

Without a documented vendor risk assessment, your organization has no formal basis for knowing whether a supplier can adequately protect your data, maintain service continuity, or meet the compliance obligations you are ultimately accountable for, even when the risk originates with the vendor. Regulators under HIPAA, GDPR, and financial services frameworks, and the card brands under PCI DSS, can hold you liable for a third-party breach you failed to assess or prevent through contractual controls. A vendor who goes insolvent, suffers a ransomware attack, or quietly adds an unvetted subprocessor in a non-adequate jurisdiction can cause operational disruptions, regulatory penalties, and reputational damage that land squarely on your balance sheet. This template provides the structured framework to document every material risk factor, assign accountability for remediation, and create a defensible audit trail, so that if something does go wrong you have evidence of the due diligence you performed, not a gap where it should have been.

Which variant fits your situation?

If your situation is…                                                              | Use this template
Assessing a SaaS or cloud software provider with access to internal data           | IT Vendor Risk Assessment
Evaluating a supplier of physical goods or raw materials                           | Supplier Evaluation Form
Onboarding a vendor who will process personal data on your behalf                  | Data Processing Agreement
Formalizing the commercial relationship after the assessment is complete           | Vendor Agreement
Assessing financial services or payment processing vendors                         | Third-Party Risk Assessment (Financial Services)
Requiring a vendor to self-certify their security posture annually                 | Vendor Security Questionnaire
Ending a relationship with a vendor who failed the assessment                      | Vendor Termination Letter

Common mistakes to avoid

❌ Accepting security self-attestations without documentation

Why it matters: A vendor claiming "SOC 2 compliance" without providing the actual Type II report may have a qualified opinion, noted exceptions against the Trust Services Criteria, or a report whose scope does not cover the service you are buying, leaving your organization exposed to risks you believed were controlled.

Fix: Require the underlying audit report or certification, not just a checkbox confirmation. Review the report type (Type I describes design only; Type II tests operating effectiveness), the systems in scope, the period covered, the auditor's opinion, and every noted exception before recording compliance.
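The checks above are easy to script once the evidence is recorded as structured data. The following is an added example (not part of the template or of Business in a Box) that flags the things an assessor should refuse to wave through: a Type I instead of Type II report, a short or stale review period, a qualified opinion, a scope that does not cover the service being bought, an expired certificate, and a subprocessor list that does not match the vendor's own public DPA page. All records, vendor names, dates and the twelve-month and six-month thresholds are constructed for illustration, following the rules of thumb stated on this page.

```python
"""Evidence checks for a vendor risk assessment (added example, constructed data)."""
from datetime import date

# Assessment date used by every check below (constructed).
AS_OF = date(2024, 11, 15)


def months_between(start, end):
    """Whole months from start to end, ignoring day-of-month."""
    return (end.year - start.year) * 12 + end.month - start.month


def check_soc2(report, as_of, service_in_scope):
    """Return a list of findings for a SOC 2 report record; an empty list means the report can be relied on."""
    findings = []
    if report["type"] != "Type II":
        findings.append("Type I only: describes control design at a point in time, not operating effectiveness")
    start = date.fromisoformat(report["period_start"])
    end = date.fromisoformat(report["period_end"])
    period = months_between(start, end)
    if period < 6:  # page: a Type II report covers at least six months
        findings.append(f"review period only {period} months; expect at least 6")
    age = months_between(end, as_of)
    if age > 12 and not report.get("bridge_letter"):  # page: older than twelve months needs a bridge letter
        findings.append(f"period ended {age} months ago with no bridge letter; limited current assurance")
    if report["opinion"].lower() != "unqualified":
        findings.append(f"{report['opinion']} opinion: read the basis for it before relying on the report")
    if service_in_scope not in report["systems_in_scope"]:
        findings.append(f"'{service_in_scope}' is not in the report's system description")
    for exc in report.get("exceptions", []):
        findings.append(f"noted exception: {exc}")
    return findings


def check_certificate(cert, as_of, service_in_scope):
    """Return findings for an ISO 27001-style certificate record."""
    findings = []
    if date.fromisoformat(cert["valid_through"]) < as_of:
        findings.append(f"{cert['standard']} certificate expired on {cert['valid_through']}")
    if service_in_scope.lower() not in cert["scope"].lower():
        findings.append(f"{cert['standard']} scope statement does not mention '{service_in_scope}'")
    return findings


def reconcile_subprocessors(disclosed, published):
    """Compare the subprocessors disclosed in the assessment with the vendor's public list.

    Names are matched case-insensitively; the original spelling from each list is returned.
    """
    disclosed_map = {name.casefold(): name for name in disclosed}
    published_map = {name.casefold(): name for name in published}
    return {
        # in the public list but not disclosed to you: possible undisclosed processing relationship
        "undisclosed": sorted(published_map[k] for k in published_map.keys() - disclosed_map.keys()),
        # disclosed to you but missing from the public list: ask the vendor which list is current
        "not_in_public_list": sorted(disclosed_map[k] for k in disclosed_map.keys() - published_map.keys()),
    }


# ---- constructed sample evidence ------------------------------------------
STALE_REPORT = {
    "type": "Type II",
    "period_start": "2022-10-01",
    "period_end": "2023-09-30",
    "opinion": "Qualified",
    "systems_in_scope": ["Payments Platform"],
    "exceptions": ["CC6.1: 3 of 25 sampled terminated users retained access beyond 24 hours"],
    "bridge_letter": False,
}
CURRENT_REPORT = {
    "type": "Type II",
    "period_start": "2023-07-01",
    "period_end": "2024-06-30",
    "opinion": "Unqualified",
    "systems_in_scope": ["Payments Platform", "Customer Data Platform"],
    "exceptions": [],
}
ISO_CERT = {"standard": "ISO/IEC 27001", "valid_through": "2024-03-31",
            "scope": "Information security management for the Payments Platform"}
DISCLOSED = ["CloudHost Inc", "MailRelay GmbH"]
PUBLISHED = ["cloudhost inc", "MailRelay GmbH", "Analytics Corp"]  # from the vendor's public DPA page

if __name__ == "__main__":
    for f in check_soc2(STALE_REPORT, AS_OF, "Customer Data Platform"):
        print("SOC 2:", f)
    for f in check_certificate(ISO_CERT, AS_OF, "Customer Data Platform"):
        print("ISO:", f)
    print("Subprocessors:", reconcile_subprocessors(DISCLOSED, PUBLISHED))
```

Run it and every finding prints as a sentence the assessor can paste into the "gaps" section. Note that the twelve-month rule only fires when no bridge letter is on file; a bridge letter covers the gap between the report period end and the date of the assessment, so set `bridge_letter` to true only after reading it.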

❌ No review schedule after initial onboarding

Why it matters: A vendor's security posture, ownership structure, financial health, and regulatory status can change significantly within 12 months. An unreviewed assessment provides false assurance and may fail a regulatory audit.

Fix: Record a specific reassessment date in the sign-off clause and assign an internal owner responsible for triggering the review. Tie the frequency to the vendor's risk tier.

❌ Omitting breach notification timelines from the assessment

Why it matters: GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and requires a processor to notify the controller without undue delay. If your vendor has no contractual notification obligation, you may learn of the breach too late to meet that window and face regulatory penalties.

Fix: Include an explicit breach notification clause with a named contact at your organization. Specify 24–48 hours from discovery for critical vendors and a window well inside 72 hours for all others: the 72-hour clock runs from the moment you become aware, so a vendor that takes the full 72 hours leaves you no time to assess and report.

❌ Approving conditional vendors without enforcing remediation deadlines

Why it matters: Conditional approvals without a follow-up mechanism mean identified gaps are never closed — the vendor onboards with known control failures, and the assessment becomes a document trail of what you knew and ignored.

Fix: Record each conditional remediation item with a specific deadline, a named vendor contact responsible for completion, and a gate in your onboarding workflow that prevents full approval until evidence of closure is received.

❌ Classifying risk tier subjectively without a scoring rubric

Why it matters: Inconsistent risk tier assignments mean your highest-risk vendors may receive lighter oversight than lower-risk ones, creating blind spots in your third-party risk program and undermining regulatory credibility.

Fix: Attach a scored rubric as Schedule A — weight factors such as data sensitivity, access level, geographic location, and operational criticality, then calculate the tier from the total score.

❌ Not requiring prior notice of subcontractor changes

Why it matters: A vendor who adds a new subprocessor in a non-adequate jurisdiction without notice can create unlawful cross-border data transfers and GDPR liability for your organization, even though you took no direct action.

Fix: Include an explicit clause requiring 30 days' prior written notice of any new subcontractor engagement, with a right to object or terminate if the change creates unacceptable risk.

The 10 key clauses, explained

Vendor identification and engagement scope

In plain language: Records the vendor's full legal name, corporate registration, primary contact, and the exact nature and scope of the services they will provide.

Sample language
[VENDOR LEGAL NAME], registered in [JURISDICTION] (Registration No. [NUMBER]), provides [DESCRIPTION OF SERVICES] to [COMPANY NAME] under [AGREEMENT NAME] dated [DATE]. Scope of access: [DATA TYPES / SYSTEMS ACCESSED].

Common mistake: Describing services in general terms like 'IT support' instead of specifying which systems, data types, and access levels are involved — making risk tier classification impossible.

Risk tier classification

In plain language: Assigns the vendor to a risk tier (Critical, High, Medium, or Low) based on the sensitivity of data accessed, criticality to operations, and regulatory exposure.

Sample language
Based on the assessment criteria in Schedule A, [VENDOR NAME] is classified as a [CRITICAL / HIGH / MEDIUM / LOW] risk vendor, requiring [SEMI-ANNUAL / ANNUAL / BIENNIAL / TRIENNIAL] reassessment and [LEVEL] controls monitoring.

Common mistake: Assigning risk tiers subjectively without a scoring rubric — two assessors then classify the same vendor differently, undermining the consistency regulators expect to see.

Information security controls

In plain language: Documents the vendor's security certifications, access controls, encryption standards, vulnerability management practices, and penetration testing cadence.

Sample language
Vendor holds [ISO 27001 / SOC 2 Type II / OTHER] certification valid through [DATE]. Data is encrypted at rest using [AES-256 / OTHER] and in transit using [TLS 1.2+]. Penetration testing is conducted [ANNUALLY / SEMI-ANNUALLY] by [THIRD PARTY FIRM NAME].

Common mistake: Accepting a vendor's self-attestation on security controls without requesting the underlying audit report or certificate. A claim of 'SOC 2 compliance' is meaningless without reviewing the actual Type II report.

Data privacy and regulatory compliance

In plain language: Confirms the vendor's compliance with applicable data protection laws and records any certifications, DPA execution, cross-border transfer mechanisms, and breach notification timelines.

Sample language
Vendor confirms compliance with [GDPR / CCPA / HIPAA / PIPEDA] as applicable. A Data Processing Agreement has been executed on [DATE]. Cross-border transfers are governed by [Standard Contractual Clauses / Adequacy Decision]. Breach notification will occur within [72 / 48 / 24] hours of discovery.

Common mistake: Omitting the breach notification timeline from the assessment, then discovering during an incident that the vendor's contract has no defined notification window and their default is 30 days — far too slow under GDPR and HIPAA.

Business continuity and disaster recovery

In plain language: Captures the vendor's documented BCP/DRP, RTO and RPO commitments, geographic redundancy, and last test date for recovery procedures.

Sample language
Vendor maintains a documented Business Continuity Plan last tested on [DATE]. Recovery Time Objective (RTO): [X] hours. Recovery Point Objective (RPO): [X] hours. Primary infrastructure located in [REGION]; failover in [REGION].

Common mistake: Recording that a BCP exists without asking for the last test date or test results — a plan that has never been tested provides no real assurance of recovery capability.

Financial stability assessment

In plain language: Documents evidence of the vendor's financial health — audited financials, credit ratings, insurance certificates, and any known insolvency or litigation risk — to assess concentration and continuity risk.

Sample language
Vendor has provided [AUDITED FINANCIALS / CREDIT REPORT / D&B RATING] for the most recent fiscal year ending [DATE]. Cyber liability insurance: $[AMOUNT] per occurrence. General liability: $[AMOUNT]. No pending insolvency proceedings or material litigation confirmed as of [DATE].

Common mistake: Skipping financial due diligence for vendors providing non-critical services, then discovering a sole-source supplier has entered insolvency — causing an unplanned operational disruption with no qualified backup.

Subcontractor and fourth-party disclosure

In plain language: Requires the vendor to disclose all subcontractors and sub-processors who will touch your data or contribute to service delivery, and confirm that the same security standards apply to them.

Sample language
Vendor discloses the following subcontractors/subprocessors: [LIST]. Vendor confirms that each subcontractor is bound by data protection and security obligations no less stringent than those in this Assessment. Any addition of a subcontractor requires [30 DAYS'] prior written notice to [COMPANY NAME].

Common mistake: Not requiring prior notice of subcontractor changes — a vendor quietly switches to a sub-processor in a non-adequate country, creating an unlawful cross-border transfer the company only discovers during an audit.

Incident response and notification obligations

In plain language: Defines what constitutes a security incident, the notification timeline, the communication channel, and the vendor's obligations to cooperate in investigation and remediation.

Sample language
Vendor shall notify [SECURITY CONTACT NAME / EMAIL] within [24 / 48 / 72] hours of discovering any actual or suspected Security Incident affecting [COMPANY NAME] data or systems. Notification shall include: incident description, affected data, remediation steps taken, and estimated impact.

Common mistake: Defining 'incident' so narrowly (e.g., only confirmed breaches) that suspected incidents and near-misses are never reported — leaving the company blind to warning signs before a major event occurs.

Risk scoring summary and remediation requirements

In plain language: Presents the overall risk score derived from the assessment, identifies any control gaps, and records the vendor's commitments to close those gaps by specified deadlines before or after onboarding.

Sample language
Overall Risk Score: [SCORE] / [MAXIMUM]. Critical Gaps Identified: [NUMBER]. Vendor commits to remediate the following gaps by [DATE]: [GAP 1], [GAP 2]. Engagement approval is [CONDITIONAL UPON / NOT CONTINGENT ON] remediation completion.

Common mistake: Approving vendor onboarding before remediation deadlines are met and without a documented conditional approval process — removing all leverage to actually compel the vendor to close the identified gaps.

Certification, sign-off, and review schedule

In plain language: Records the authorized signatories from both parties who certify the accuracy of the assessment, and commits both sides to the next reassessment date and the process for material changes.

Sample language
The undersigned certify that the information provided is accurate and complete as of [DATE]. This Assessment shall be reviewed on [DATE] or upon any material change in the vendor's services, security posture, or applicable regulations, whichever occurs first. [COMPANY AUTHORIZED SIGNATORY] / [VENDOR AUTHORIZED SIGNATORY].

Common mistake: Treating the assessment as a one-time intake form with no review schedule — vendors assessed at onboarding are never reassessed, even after major changes to their infrastructure, ownership, or regulatory exposure.

How to fill it out

  1. Identify the vendor and define the engagement scope

    Enter the vendor's full legal name, registration details, and a precise description of the services they will provide, including which data types and internal systems they will access.

    💡 Be specific about access levels — 'read-only access to customer PII in the CRM' is a materially different risk profile from 'administrative access to the production database.'

  2. Classify the vendor into a risk tier

    Apply your organization's risk tiering rubric — based on data sensitivity, regulatory exposure, and operational criticality — to assign a Critical, High, Medium, or Low tier. Document the scoring rationale.

    💡 Any vendor with access to personal data, payment card data, or systems classified as business-critical should default to at least High unless controls demonstrably lower the residual risk.

  3. Request and review security certifications

    Ask the vendor to provide their most recent SOC 2 Type II report, ISO 27001 certificate, penetration test summary, and any other applicable security documentation. Record the certification scope, date, and expiry.

    💡 A SOC 2 Type II report covers a review period of at least six months (commonly twelve). A report whose period ended more than twelve months ago offers limited current assurance; request a bridge letter covering the gap if the new period's report is not yet available.

  4. Complete the data privacy and compliance section

    Confirm the applicable privacy laws (GDPR, CCPA, HIPAA, PIPEDA) and record whether a Data Processing Agreement has been executed, what transfer mechanisms govern cross-border data flows, and what the vendor's breach notification timeline is.

    💡 If the vendor processes EU personal data and is located outside the EU, confirm that Standard Contractual Clauses or another transfer mechanism is in place before completing this section.

  5. Evaluate business continuity and financial stability

    Record the vendor's RTO and RPO commitments, last BCP test date, geographic redundancy, and evidence of financial health including insurance certificates and recent financials.

    💡 For critical vendors, require a copy of the BCP test report, not just confirmation that a test occurred. The summary results are quick to review and show whether the stated RTO and RPO were actually achieved.

  6. Document subcontractor and fourth-party disclosures

    Have the vendor list all subcontractors and sub-processors involved in service delivery. Confirm each is bound by equivalent security and privacy obligations and that you will be notified before any changes.

    💡 Cross-reference the vendor's disclosed subprocessors against their public privacy policy or DPA — discrepancies may indicate undisclosed processing relationships.

  7. Score the assessment and document any gaps

    Calculate the overall risk score using your rubric, identify control gaps, and record specific remediation commitments with deadlines. Mark approval as conditional if critical gaps remain open.

    💡 Assign ownership of each remediation item — a gap with no named owner and no deadline will remain open indefinitely.

  8. Obtain authorized signatures and set the review date

    Have an authorized signatory from both your organization and the vendor certify the assessment. Record the next review date based on the vendor's risk tier and commit both parties to the process for material change notifications.

    💡 Calendar the reassessment date immediately after signing. High-risk vendor assessments should be reviewed annually; critical vendors every six months.
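Steps 2, 7 and 8 above, together with the Schedule A rubric described under "Classifying risk tier subjectively without a scoring rubric" and the "Risk tier classification" clause, describe one computation: weighted factor scores become an inherent tier, verified compensating controls lower it to a residual tier, open critical gaps decide whether approval is full or conditional, and the tier fixes the next review date. The block below is an added example of that computation, not part of the template or of Business in a Box. The factor names, weights, tier thresholds and the two-step cap on what compensating controls may lower are assumptions chosen for illustration; the "at least High" floor for personal data, card data or business-critical systems and the review intervals (critical six months, high twelve, medium twenty-four, low thirty-six) follow this page.

```python
"""Schedule A style risk scoring for a vendor assessment (added example, constructed rubric)."""
import calendar
from dataclasses import dataclass, field
from datetime import date

# Each factor is answered on a 0-3 scale (0 = no exposure, 3 = highest); weights are assumed.
FACTOR_WEIGHTS = {
    "data_sensitivity": 5,         # 0 public .. 3 PII / PHI / cardholder data
    "access_level": 4,             # 0 none .. 3 administrative access to production
    "operational_criticality": 4,  # 0 nice-to-have .. 3 sole-source or on the critical path
    "regulatory_exposure": 3,      # 0 unregulated .. 3 HIPAA / PCI DSS / GDPR special category
    "geographic_location": 2,      # 0 same jurisdiction .. 3 non-adequate country
}
MAX_SCORE = 3 * sum(FACTOR_WEIGHTS.values())  # 54 with the weights above
# Tier cut-offs as a fraction of MAX_SCORE, highest first (assumed).
TIER_THRESHOLDS = [(0.70, "Critical"), (0.45, "High"), (0.20, "Medium"), (0.0, "Low")]
TIER_ORDER = ["Low", "Medium", "High", "Critical"]
REVIEW_MONTHS = {"Critical": 6, "High": 12, "Medium": 24, "Low": 36}  # from the page


@dataclass
class Gap:
    description: str
    critical: bool
    owner: str        # named vendor contact responsible for closure
    deadline: date
    closed: bool = False


@dataclass
class Assessment:
    vendor: str
    answers: dict                      # factor name -> 0..3
    compensating_controls: int = 0     # controls on your side verified to lower residual risk
    gaps: list = field(default_factory=list)


def inherent_score(answers):
    """Weighted sum of factor answers; rejects unknown factors and out-of-range values."""
    for factor, value in answers.items():
        if factor not in FACTOR_WEIGHTS or not 0 <= value <= 3:
            raise ValueError(f"bad factor or value: {factor}={value}")
    return sum(weight * answers.get(factor, 0) for factor, weight in FACTOR_WEIGHTS.items())


def inherent_tier(answers):
    """Score and tier before any compensating controls, with the page's 'at least High' floor."""
    score = inherent_score(answers)
    tier = next(t for threshold, t in TIER_THRESHOLDS if score / MAX_SCORE >= threshold)
    if answers.get("data_sensitivity", 0) == 3 or answers.get("operational_criticality", 0) == 3:
        tier = TIER_ORDER[max(TIER_ORDER.index(tier), TIER_ORDER.index("High"))]
    return score, tier


def residual_tier(tier, compensating_controls):
    """Each verified compensating control lowers the tier one step, capped at two steps (assumed)."""
    steps = min(compensating_controls, 2)
    return TIER_ORDER[max(0, TIER_ORDER.index(tier) - steps)]


def add_months(d, months):
    """Calendar-aware month addition, clamping the day to the target month's length."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def decision(gaps, as_of):
    """Full approval only when no critical gap is open; lapsed deadlines block the engagement."""
    open_critical = [g for g in gaps if g.critical and not g.closed]
    if not open_critical:
        return "Approved"
    if any(g.deadline < as_of for g in open_critical):
        return "Not approved"   # page: if gaps are not closed by the deadline, do not proceed
    return "Conditional"


def evaluate(assessment, as_of):
    """Complete risk scoring summary for the sign-off section."""
    score, inherent = inherent_tier(assessment.answers)
    residual = residual_tier(inherent, assessment.compensating_controls)
    return {
        "vendor": assessment.vendor,
        "score": score,
        "max": MAX_SCORE,
        "inherent_tier": inherent,
        "residual_tier": residual,
        "decision": decision(assessment.gaps, as_of),
        "next_review": add_months(as_of, REVIEW_MONTHS[residual]),
        "open_gaps": [(g.description, g.owner, g.deadline.isoformat())
                      for g in assessment.gaps if not g.closed],
    }


# ---- constructed sample vendors -------------------------------------------
ASSESSED_ON = date(2024, 1, 15)
SAAS = Assessment(
    "Example SaaS Ltd",
    {"data_sensitivity": 3, "access_level": 2, "operational_criticality": 2,
     "regulatory_exposure": 3, "geographic_location": 3},
    compensating_controls=1,   # e.g. field-level encryption with keys you hold
    gaps=[Gap("No SOC 2 Type II report for the current period", True, "Vendor CISO", date(2024, 3, 1))],
)
STATIONERY = Assessment("Example Stationery Co", {"operational_criticality": 1})

if __name__ == "__main__":
    for vendor in (SAAS, STATIONERY):
        print(evaluate(vendor, ASSESSED_ON))
```

The two constructed vendors show the spread: the SaaS provider scores 46/54, lands in Critical, drops to High after one verified compensating control, is approved only conditionally while its SOC 2 gap is open, and is due for review twelve months out; the stationery supplier scores 4/54, is Low, is approved outright and is reviewed in three years. Running `decision()` again after the gap deadline has passed without closure flips the SaaS vendor to "Not approved", which is the gate the page asks for.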

Frequently asked questions

What is a vendor risk assessment?

A vendor risk assessment is a structured process and document used to evaluate the risks a third-party supplier or service provider poses to your organization before or during a business relationship. It covers information security, data privacy compliance, financial stability, business continuity, and operational controls. The completed assessment creates a documented risk record that supports vendor approval decisions, contractual obligations, and regulatory audits.

When should a vendor risk assessment be completed?

Complete a vendor risk assessment before onboarding any new vendor who will access your data, systems, or critical operations. Reassess existing vendors on a schedule tied to their risk tier — annually for high-risk vendors, every six months for critical ones — and whenever a vendor undergoes a material change such as an acquisition, a significant change to their service scope, or a reported security incident.

Who is responsible for conducting a vendor risk assessment?

Responsibility typically falls to a combination of procurement, IT security, legal, and compliance teams, depending on the organization's size and structure. In smaller organizations, the owner or operations manager often conducts the assessment with input from an IT advisor. In regulated industries, a dedicated third-party risk management function typically owns the process. Both parties — the assessing company and the vendor — must certify the assessment at completion.

What is the difference between a vendor risk assessment and a vendor security questionnaire?

A vendor security questionnaire is a list of questions a vendor self-completes to describe their security controls — it is an input to the risk assessment process, not the assessment itself. A vendor risk assessment is the broader document that incorporates the questionnaire responses alongside independent verification, financial due diligence, compliance documentation, and a risk scoring summary. The assessment results in a formal approval decision and a documented remediation plan.

Is a vendor risk assessment legally required?

In regulated industries, documented third-party risk assessments are typically required by law or regulation. HIPAA requires covered entities to assess the risks posed by business associates. GDPR requires controllers to verify that processors provide sufficient guarantees. PCI DSS requires service provider due diligence. Financial services regulators in the US (OCC, FFIEC), UK (FCA), and EU (EBA) all publish third-party risk management guidance that effectively mandates documented assessments for material vendor relationships.

What risk tiers are typically used in a vendor risk assessment?

Most organizations use a four-tier system: Critical (vendors providing essential services or accessing the most sensitive data, such as core banking platforms or cloud infrastructure), High (vendors with significant data access or operational impact), Medium (vendors with limited data access and manageable service impact), and Low (vendors with no data access and minimal operational exposure, such as stationery suppliers). The tier determines assessment frequency, control requirements, and escalation procedures.

What should happen if a vendor fails the risk assessment?

A failed assessment does not automatically disqualify a vendor; it triggers a remediation process. Critical or unacceptable gaps should be documented and the vendor should be given a conditional approval with specific remediation deadlines. If gaps are not closed by those deadlines, the engagement should not proceed or should be terminated. In some cases, compensating controls on your side (additional encryption, network segmentation, tighter access scoping) can reduce residual risk to an acceptable level, and contractual measures such as indemnification or insurance requirements can transfer the financial consequences of what remains.

How does GDPR affect vendor risk assessments?

Under GDPR, any vendor who processes personal data on your behalf is a data processor, and you, as the data controller, are legally required to ensure they provide sufficient guarantees of appropriate technical and organizational measures. This means conducting documented due diligence before engagement, executing a Data Processing Agreement, verifying cross-border transfer mechanisms, and confirming that the vendor will notify you of a breach without undue delay and early enough for you to meet your own 72-hour deadline to the supervisory authority. Failure to conduct this due diligence exposes you to regulatory action, even if the breach originated with the vendor.

How often should vendor risk assessments be reviewed?

Review frequency should be tied to risk tier: critical vendors every six months, high-risk vendors annually, medium-risk vendors every two years, and low-risk vendors every three years or upon material change. Trigger an immediate out-of-cycle review whenever a vendor reports a security incident, undergoes a merger or acquisition, changes their subprocessor arrangements, or enters a new regulatory environment.

How this compares to alternatives

vs Vendor Agreement

A vendor agreement is the commercial contract that governs price, deliverables, and liability in a vendor relationship. A vendor risk assessment is the pre-contractual or ongoing due diligence document that evaluates whether the vendor is safe to engage at all. The assessment should be completed before the agreement is signed — the agreement then incorporates obligations identified in the assessment, such as breach notification timelines and subcontractor change notice requirements.

vs Data Processing Agreement

A Data Processing Agreement is a mandatory contract under GDPR and similar privacy laws between a data controller and a data processor, governing how personal data is handled. A vendor risk assessment is a broader due diligence document covering security, financial, operational, and compliance risk — not limited to personal data. The DPA is typically executed as a result of the risk assessment identifying a vendor as a data processor.

vs Non-Disclosure Agreement

An NDA protects confidential information shared during vendor discussions by creating a legal obligation of secrecy. It does not evaluate the vendor's ability to actually protect that information in practice. A vendor risk assessment provides the operational and technical evidence that the vendor's security controls are adequate — the NDA and the assessment serve complementary but distinct purposes.

vs Business Impact Analysis

A Business Impact Analysis (BIA) evaluates the consequences of disruptions to your own internal processes and prioritizes recovery order. A vendor risk assessment evaluates the risk posed by an external party and their controls. Where a vendor is identified as critical in a BIA, the vendor risk assessment provides the detailed evidence needed to validate or challenge that vendor's resilience and continuity commitments.

Industry-specific considerations

Financial Services

Regulatory guidance from the OCC, FFIEC, FCA, and EBA mandates documented third-party risk programs covering concentration risk, exit strategies, and ongoing monitoring of critical service providers.

Healthcare

HIPAA requires a Business Associate Agreement and documented risk analysis for any vendor touching protected health information; gaps expose covered entities to OCR enforcement and breach notification obligations.

SaaS / Technology

SaaS companies assessing infrastructure and API vendors must evaluate uptime SLAs, cloud provider redundancy, SOC 2 Type II coverage, and subprocessor chains that may span multiple jurisdictions.

Retail / E-commerce

PCI DSS compliance requires documented assessment of all service providers who store, process, or transmit cardholder data, including payment gateways, fulfillment partners, and loyalty platform vendors.

Professional Services

Law firms, accountancies, and consultancies handling client-confidential data must assess document management, collaboration, and cloud storage vendors against privilege and confidentiality obligations.

Manufacturing

Supply chain concentration risk and operational technology (OT) security are the primary assessment focus, particularly for sole-source suppliers and vendors with remote access to production systems.

Jurisdictional notes

United States

No single federal law mandates vendor risk assessments universally, but sector-specific requirements are extensive. HIPAA requires covered entities to execute Business Associate Agreements with, and obtain satisfactory assurances from, all vendors handling PHI. FFIEC and OCC guidance requires banks to maintain documented third-party risk programs. CCPA and state privacy laws require contracts with service providers that restrict use of personal data. The SEC's 2023 cybersecurity disclosure rules require public companies to describe how they oversee cybersecurity risk arising from third-party service providers.

Canada

PIPEDA and its provincial equivalents require organizations to use contractual or other means to ensure comparable protection of personal information when transferred to third parties. OSFI Guideline B-10 mandates documented third-party risk management for federally regulated financial institutions, including concentration risk assessments and exit planning. Quebec's Law 25 (Bill 64) imposes additional privacy impact assessment requirements for vendors processing Quebec residents' data.

United Kingdom

UK GDPR retains the same controller-processor due diligence requirements as EU GDPR post-Brexit, requiring documented vendor assessments for processors of UK personal data. The FCA's Operational Resilience Policy Statement (PS21/3) requires regulated firms to map and assess all third parties supporting important business services. The UK Cyber Essentials scheme is increasingly referenced as a minimum security baseline for government and financial services vendor assessments.

European Union

GDPR Article 28 requires data controllers to conduct due diligence before engaging any processor and to formalize the relationship with a Data Processing Agreement. DORA (Digital Operational Resilience Act), applicable from January 2025, requires financial entities in the EU to implement comprehensive ICT third-party risk management programs, including pre-engagement assessments, contractual requirements, and exit strategies for critical providers. Cross-border transfers to non-adequate countries require Standard Contractual Clauses, Binding Corporate Rules, or another Article 46 transfer mechanism, verified during the assessment.

Template vs lawyer — what fits your deal?

Path                    | Best for                                                                                                                       | Cost                                                                               | Time
Use the template        | Small businesses and startups screening low-to-medium risk vendors with no regulatory mandate                                 | Free                                                                               | 1–3 hours per vendor assessment
Template + legal review | Organizations in regulated industries or assessing high-risk vendors with access to sensitive data                            | $500–$1,500 for a legal or compliance advisor review                               | 3–5 business days
Custom drafted          | Enterprises with formal third-party risk programs, critical vendor relationships, or multi-jurisdictional regulatory obligations | $2,000–$8,000 for a bespoke program built by a risk management consultant or law firm | 2–6 weeks

Glossary

Inherent Risk
The level of risk a vendor poses before any controls or mitigations are applied, based solely on the nature and scope of the engagement.
Residual Risk
The risk that remains after the vendor's existing controls and your compensating measures have been accounted for.
Risk Tier
A classification — typically Critical, High, Medium, or Low — that determines how frequently a vendor is assessed and how stringently their controls are monitored.
Fourth-Party Risk
Exposure arising from the vendors your vendor relies on — subcontractors and sub-processors who may also handle your data or affect service continuity.
SOC 2 Report
An independent attestation report in which an auditor evaluates a service organization's controls for security, availability, processing integrity, confidentiality, and privacy against the AICPA Trust Services Criteria; a Type II report tests operating effectiveness over a review period, a Type I describes control design at a point in time.
Business Continuity Plan (BCP)
A documented procedure outlining how a vendor will maintain essential functions during a disruption and recover to normal operations within defined timeframes.
Recovery Time Objective (RTO)
The maximum acceptable duration of a service interruption before a vendor must restore operations — a key metric in business continuity due diligence.
Data Processing Agreement (DPA)
A contract between a data controller and a data processor governing how personal data is handled, required under GDPR and many other privacy laws.
Concentration Risk
The risk of over-dependence on a single vendor — where that vendor's failure or exit would cause disproportionate harm to your operations.
Remediation Plan
A documented, time-bound set of actions a vendor commits to undertaking to close identified gaps before or after engagement approval.
Indemnification Clause
A contractual obligation requiring one party to compensate the other for specified losses arising from defined events, such as a vendor-caused data breach.
Subprocessor
A third party engaged by your vendor to perform processing activities on your data — whose risk profile is covered by fourth-party risk analysis.

Part of your Business Operating System

This document is one of 3,000+ business & legal templates included in Business in a Box.

  • Fill-in-the-blanks — ready in minutes
  • 100% customizable Word document
  • Compatible with all office suites
  • Export to PDF and share electronically
