Vendor Risk Assessment: How to Evaluate Third-Party Security in 2026

A vendor risk assessment evaluates the security, compliance, and operational risks that a third-party vendor introduces to your organization. It's the process that determines whether you can trust a vendor with your data, your customers' data, or access to your systems — and what controls are needed to manage the risk if you do.

Every major compliance framework requires it: ISO 27001 (Annex A 5.19-5.21), NIS2 (Article 21(2)(d)), DORA (Articles 28-30), and SOC 2 (CC9.2). But beyond compliance, vendor risk assessments are what prevent your organization's security from being only as strong as your weakest supplier.

This guide covers how to conduct vendor risk assessments, what to evaluate, how to score risk, and how to build a process that scales.

---

Why Vendor Risk Assessment Matters

The Supply Chain Problem

Your security perimeter doesn't end at your firewall. Every vendor with access to your data or systems extends your attack surface. The pattern is well-established:

• Vendors with privileged access become entry points for attackers
• Data shared with vendors becomes subject to their security controls, not yours
• Vendor downtime becomes your downtime when services are tightly integrated
• Vendor compliance gaps become your compliance gaps when regulators examine your supply chain

Regulatory Pressure

European regulations have made vendor risk assessment non-optional:

• NIS2 Article 21(2)(d) — Supply chain security is one of ten mandatory risk management measures
• DORA Articles 28-30 — Detailed requirements for ICT third-party risk management, including risk assessment before contracting
• ISO 27001 Annex A 5.19-5.21 — Three controls specifically addressing supplier security
• GDPR Article 28 — Data controllers must only use processors providing sufficient guarantees of appropriate technical and organizational measures

---

When to Conduct a Vendor Risk Assessment

Pre-Contract (Due Diligence)

Before signing any contract with a vendor that will:

• Access, process, or store your data
• Connect to your internal systems or networks
• Provide services critical to your operations
• Handle personal data on your behalf

Periodic Review

During the vendor relationship:

• Critical vendors — Annually
• High-risk vendors — Every 12-18 months
• Standard vendors — Every 2 years
• Low-risk vendors — Every 3 years or at contract renewal

Triggered Review

Whenever significant changes occur:

• Vendor experiences a security incident or data breach
• Vendor's scope of access or services changes
• Vendor undergoes a merger, acquisition, or significant organizational change
• New regulatory requirements take effect
• Vendor's certification or audit status changes

---

What to Evaluate

1. Information Security Controls

Assess the vendor's technical and organizational security measures:

Area	What to Evaluate
Access management	Authentication methods, role-based access, privileged access controls, access reviews
Encryption	Data at rest, data in transit, key management, encryption standards used
Network security	Segmentation, firewall policies, intrusion detection, DDoS protection
Vulnerability management	Scanning frequency, patching timelines, penetration testing cadence
Incident response	Response plan, notification timelines, communication procedures
Logging and monitoring	Audit log retention, monitoring capabilities, anomaly detection

2. Compliance and Certifications

Verify the vendor's compliance posture:

• Certifications — ISO 27001, SOC 2 Type II, ISO 27701
• Audit reports — Most recent SOC 2 report, ISO 27001 surveillance audit results
• Regulatory compliance — GDPR, NIS2, DORA status
• Penetration test results — Most recent test date, scope, and remediation status
• Compliance gaps — Any known non-conformities or remediation plans

3. Data Handling

Understand how the vendor manages your data:

• Data classification — How they categorize and protect different data types
• Data location — Where data is stored and processed (regions, data centres)
• Data residency — Whether data stays within required jurisdictions (EU, specific countries)
• Sub-processing — Whether the vendor shares data with additional third parties
• Retention and deletion — How long data is kept and how it's securely deleted
• Portability — How data can be exported when the relationship ends

4. Business Continuity

Evaluate the vendor's resilience:

• Disaster recovery — Recovery time and recovery point objectives (RTO/RPO)
• Backup procedures — Frequency, testing, geographic distribution
• Redundancy — Infrastructure redundancy, failover capabilities
• SLA guarantees — Uptime commitments and breach consequences
• Exit strategy — Data migration support, transition assistance, notice periods

5. Financial and Operational Stability

Assess the vendor's viability:

• Financial health — Revenue trends, funding status, profitability indicators
• Market position — Customer base, industry reputation, competitive standing
• Operational maturity — Team size, key person dependencies, process maturity
• Insurance — Cyber liability insurance coverage and limits

6. Subcontractor Risk

Evaluate the vendor's own supply chain:

• Sub-processor list — Who the vendor relies on for critical services
• Sub-processor assessment — How the vendor evaluates its own suppliers
• Notification process — How you're informed of sub-processor changes
• Contractual flow-down — Whether security requirements extend to sub-processors

---

How to Score Vendor Risk

Step 1: Determine Inherent Risk

Inherent risk is the risk level before considering the vendor's controls. It's based on the nature of the relationship:

Factor	Low	Medium	High	Critical
Data sensitivity	Public data only	Internal data	Confidential data	Regulated personal data
Data volume	Minimal	Moderate	Significant	Large-scale processing
System access	No direct access	Read-only access	Read-write access	Administrative access
Service criticality	Nice-to-have	Important	Business-critical	Essential operations
Replaceability	Easy to switch	Some effort	Difficult	Lock-in risk

Step 2: Evaluate Control Effectiveness

Control effectiveness measures how well the vendor mitigates the inherent risk:

• Strong — Certified (ISO 27001, SOC 2 Type II), clean audit reports, mature processes
• Adequate — Good controls in place, some certifications, regular testing
• Weak — Basic controls, no certifications, limited evidence
• Insufficient — Significant gaps, no evidence of controls, unresponsive to requests

Step 3: Calculate Residual Risk

Residual risk combines inherent risk with control effectiveness:

	Strong Controls	Adequate Controls	Weak Controls	Insufficient Controls
Critical inherent	High	High	Critical	Critical
High inherent	Medium	High	High	Critical
Medium inherent	Low	Medium	High	High
Low inherent	Low	Low	Medium	High

Step 4: Determine Actions

Each residual risk level triggers specific actions:

• Low — Approve, standard monitoring, periodic review
• Medium — Approve with conditions, additional controls may be required, regular monitoring
• High — Senior management approval required, mandatory additional controls, frequent monitoring
• Critical — Executive approval required, consider alternatives, continuous monitoring, risk must be formally accepted

---

Building a Scalable Process

Tiered Assessment Approach

Not every vendor needs the same depth of assessment. Use a tiered approach:

Tier 1 — Full assessment (Critical and high-risk vendors)

• Comprehensive security questionnaire
• Independent verification (audit reports, certifications, pen test results)
• On-site or virtual assessment if warranted
• Risk scoring and formal risk acceptance

Tier 2 — Standard assessment (Medium-risk vendors)

• Security questionnaire
• Certification and compliance verification
• Risk scoring

Tier 3 — Lightweight assessment (Low-risk vendors)

• Basic security checklist
• Public compliance information review

Evidence Sources

Don't rely solely on vendor self-reporting. Use multiple evidence sources:

1. Security questionnaires — The vendor's own responses (baseline input)
2. Certifications — ISO 27001 certificates, SOC 2 reports (independent verification)
3. Trust Centers — Published security documentation and compliance evidence
4. Security ratings — External risk scoring services
5. Contractual provisions — Security clauses, SLAs, data processing agreements
6. Continuous monitoring — Ongoing assessment between periodic reviews

Common Mistakes

1. Treating assessment as a one-time event. Vendor risk changes continuously — certifications expire, incidents occur, vendors change sub-processors. Build in periodic reassessment and continuous monitoring.

2. Relying only on questionnaire responses. Vendor self-assessment is necessary but not sufficient. Verify claims with certifications, audit reports, and independent evidence.

3. Assessing all vendors the same way. A SaaS vendor processing customer data needs a different assessment than an office supplies vendor. Tiered assessment prevents both over- and under-assessment.

4. No follow-up on identified risks. Finding risks is only useful if you track remediation. Document identified gaps, agreed remediation timelines, and verification of fixes.

5. Ignoring sub-processor risk. Your vendor's vendors are part of your supply chain. NIS2 and DORA explicitly require considering the entire chain, not just direct suppliers.

---

Meeting Framework Requirements

ISO 27001

Annex A controls 5.19-5.21 require:

• A policy for managing supplier relationships (5.19)
• Security requirements established and agreed with suppliers (5.20)
• Managing information security in the ICT supply chain (5.21)

Evidence needed: vendor assessment records, supplier security policies, contractual security clauses, periodic review documentation.

NIS2

Article 21(2)(d) requires supply chain security measures including:

• Security-related assessments of direct suppliers and service providers
• Consideration of supplier-specific vulnerabilities
• Evaluation of cybersecurity practices of suppliers
• Consideration of coordinated supply chain risk assessments

DORA

Articles 28-30 establish detailed ICT third-party risk management requirements:

• Pre-contractual assessment of ICT third-party service providers
• Key contractual provisions for ICT services
• Ongoing monitoring of ICT third-party risk
• Exit strategies for critical ICT services

---

From Assessment to Evidence

Vendor risk assessments generate valuable compliance evidence — but only if properly documented and accessible:

• Assessment records — Completed questionnaires, risk scores, approval decisions
• Verification documents — Certificates, audit reports, penetration test summaries
• Risk treatment — Documented decisions on risk acceptance, additional controls required
• Monitoring records — Ongoing assessment results, incident notifications, certification status changes

A Trust Center streamlines both sides of vendor assessment — publish your own security evidence for your customers' assessments, and access vendor documentation for your own due diligence.

---

How Orbiq Supports Vendor Risk Assessments

• Trust Center: Publish your security posture, certifications, and compliance evidence so your customers can assess your risk without manual questionnaire rounds
• AI-Powered Questionnaires: Automatically respond to incoming vendor assessment questionnaires using your verified compliance evidence
• Continuous Monitoring: Track vendor certification status, security changes, and compliance gaps between assessments
• Evidence Management: Centralize vendor assessment documentation, audit reports, and risk acceptance records

---

Further Reading

• Third-Party Risk Management — Building a comprehensive TPRM programme
• Information Security Policy — The foundation document for vendor security requirements
• NIS2 Supply Chain Security — NIS2's specific supply chain requirements
• Compliance Automation — Automating evidence collection for vendor assessments

---

This guide is maintained by the Orbiq team. Last updated: March 2026.