Along with creating a solid risk management plan for your organization, the same must be done for your organization’s third-party vendors.

Anytime your organization decides to work with a new vendor, you’re taking on any potential threats or risks posed by that company and its digital counterparts. This is why it’s vital to conduct a vendor risk assessment for each company for the lifecycle of their involvement with your organization.

How do you do a vendor risk assessment?

While it may be fairly straightforward to conduct your own organization’s internal risk assessment, it will require more legwork to ensure third-party risk management. The vetting process requires due diligence and a careful review of each vendor’s cybersecurity management.

Beyond assessing the vendor’s systems and policies, procedures must be carefully reviewed to check for security weaknesses. Use your own organization’s information security risk assessment checklist to see how each vendor compares—each new business partner should adhere to the same security standards your company follows.


To help determine appropriate security standards, use the below checklist as a guide for assessing new vendors.

Check cloud service configurations

Cloud misconfigurations can be a major source of data breaches—ensure all vendor’s cloud assets are configured correctly to avoid data breaches. The most common misconfiguration errors include unencrypted sensitive information published in the public domain.


Vendors should demonstrate that all stored, collected, or transmitted data is done using the Advanced Encryption Standard (AES) best practices. This applies to both employees’ and customers’ private information.

Secure applications

For vendors using web applications, ensure their cloud systems and portals are secure and can protect against cybersecurity attacks.

Protected access

Ensure your vendor’s employees are only able to access the information and resources necessary for them to do their jobs. Maintain segregation of duties to avoid conflicts of interest, and keep tabs on procedures that review user access.

Review incident response

One great way to vet a vendor is by researching how that company has handled incidents in the past. Review each vendor’s history of incident responses, as well as their systems for ongoing monitoring and alert-tracking.

Secure password access

Another important factor is password access: Rather than a single point-of-entry password, ensure each third-party vendor uses multi-factor authentication (MFA) to further protect information security.

Spam and antivirus software

Each vendor should use reliable spam and antivirus software to protect against phishing and malware. It’s common for cyberattackers to include malware in phishing emails—check that vendors install firewalls on all devices that connect to their networks.

What should be in a vendor management policy?

When developing your organization’s vendor management policy, ensuring a bulletproof IT ecosystem is vital. Senior management should carefully assess each new vendor, from assuring they use the best cybersecurity methods to guaranteeing they adhere to compliance requirements.

Your policy should establish minimum requirements for specific areas including human resources, network, and data security, access control, IT acquisition, and maintenance. Vendors should also be required to have their own risk management program which outlines their incident response plan, business continuity, and disaster recovery responsibilities. 

Each vendor management policy should detail vendor compliance and review requirements, including SOC 2 audits and/or site visits.

Your vendor management policy should help your organization identify which vendors may put your organization at risk and whether a third-party vendor should have access to sensitive company data.

Choosing the right vendors should be a thorough process for your team: Beyond exhibiting excellent information security protocols, each new vendor should be able to show its own procedural risk management policies. 

Your vendor connections could have the power to rapidly accelerate your business objectives, but they must first be vetted to avoid unnecessary risk for your organization.