What should a vendor risk assessment template include?

A complete vendor risk assessment template should cover six domains: (1) Information security controls — access management, encryption, vulnerability management, incident response; (2) Compliance and certifications — ISO 27001, SOC 2, GDPR, NIS2/DORA status; (3) Data handling — data location, sub-processors, retention and deletion; (4) Business continuity — disaster recovery, backup procedures, SLA guarantees; (5) Financial and operational stability — insurance, key person risk, vendor viability; (6) Subcontractor risk — sub-processor list and how the vendor assesses its own supply chain.

How do I score a vendor risk assessment?

Vendor risk scoring uses a two-dimension matrix: Inherent risk (based on data sensitivity, data volume, system access, and service criticality — rated Low/Medium/High/Critical) combined with Control effectiveness (based on certifications, audit reports, and verified controls — rated Strong/Adequate/Weak/Insufficient). The combination gives a residual risk level that determines approval requirements and monitoring frequency.

Do I need a different template for different vendor types?

Yes. Use a tiered approach: Tier 1 (full assessment) for critical vendors with access to sensitive data or essential services; Tier 2 (standard assessment) for medium-risk vendors; Tier 3 (lightweight checklist) for low-risk vendors. The same template applied to every vendor results in both over-assessing low-risk vendors and under-assessing high-risk ones.

How often should I use the vendor risk assessment template?

Assessment frequency should be risk-based: critical vendors annually (plus continuous monitoring), high-risk vendors every 12–18 months, standard vendors every 2 years, low-risk vendors every 3 years or at contract renewal. Additionally, re-assess any vendor after a security incident, a material change in services, or when regulatory requirements change.

Is vendor risk assessment required for ISO 27001?

Yes. ISO 27001:2022 Annex A Controls 5.19, 5.20, and 5.21 require organizations to manage information security in supplier relationships, establish security requirements with suppliers, and manage ICT supply chain security. A documented vendor risk assessment process — with records of completed assessments — is mandatory evidence for certification audits.

What is the difference between a vendor risk assessment and a security questionnaire?

A security questionnaire is one input to a vendor risk assessment — it captures the vendor's self-reported controls. A vendor risk assessment is the broader process that combines questionnaire responses with independent verification (certifications, audit reports, penetration test results), risk scoring, and a formal risk acceptance decision. Questionnaire alone = what the vendor claims. Assessment = what you've verified and decided.

Vendor Risk Assessment Template: Free Checklist for 2026

2026-03-17

By Orbiq Team

Vendor Risk Assessment Template: Free Checklist for 2026

Free vendor risk assessment template with a complete checklist for security, compliance, data handling, and business continuity — covering ISO 27001, NIS2, and DORA requirements.

vendor-risk

template

third-party-risk

iso-27001

nis2

dora

Vendor Risk Assessment Template: Free Checklist for 2026

A vendor risk assessment is the structured process that determines whether a third party can be trusted with your data, systems, or services — and under what conditions. This page provides a complete, ready-to-use vendor risk assessment template covering all six evaluation domains, a scoring framework, and guidance on when and how to use it.

The template is designed to meet the requirements of ISO 27001 (Annex A 5.19–5.21), NIS2 (Article 21(2)(d)), and DORA (Articles 28–30).

Why a Structured Template Matters

Ad-hoc vendor assessments produce inconsistent results: the same vendor assessed by two team members may receive entirely different risk ratings. A standardized template ensures:

Consistency — every vendor is evaluated against the same criteria
Defensibility — documented assessments satisfy auditors and regulators
Scalability — repeatable processes can be delegated and automated
Comparability — structured data lets you compare vendor risk profiles over time

According to Bitsight's 2025 third-party risk report, only one in three organizations continuously monitor all third-party relationships for cyber risk [1]. The majority rely on point-in-time assessments — making a rigorous template the baseline minimum.

Before You Start: Classify the Vendor

Before applying the full template, classify the vendor to determine assessment depth. This prevents over-assessing low-risk vendors and under-assessing critical ones.

Inherent Risk Classification

Factor	Low	Medium	High	Critical
Data sensitivity	Public data only	Internal data	Confidential data	Regulated personal data
Data volume	Minimal	Moderate	Significant	Large-scale processing
System access	No direct access	Read-only	Read-write	Administrative/privileged
Service criticality	Nice-to-have	Supporting	Important	Business-critical / essential
Replaceability	Easy to switch	Some effort	Difficult	High lock-in

Overall inherent risk rating: Low / Medium / High / Critical

Assessment Tier

Inherent Risk	Assessment Tier	Template Sections Required
Critical	Tier 1 — Full	All six sections + independent verification
High	Tier 1 — Full	All six sections
Medium	Tier 2 — Standard	Sections 1–4
Low	Tier 3 — Lightweight	Section 1 summary + Section 2

The Template

Section 1: Information Security Controls

Rate each control area: ✅ Verified / ⚠️ Partial / self-attested / ❌ Not in place / N/A

1.1 Access Management

Control	Status	Notes / Evidence
Multi-factor authentication enforced for all accounts
Role-based access control (RBAC) implemented
Privileged access management (PAM) in place
Access reviews conducted (at least annually)
Joiners/movers/leavers process documented
Customer data access limited to need-to-know

1.2 Encryption

Control	Status	Notes / Evidence
Data encrypted at rest (AES-256 or equivalent)
Data encrypted in transit (TLS 1.2+ enforced)
Encryption key management process documented
Customer-controlled encryption keys available

1.3 Vulnerability Management

Control	Status	Notes / Evidence
Regular vulnerability scanning performed
Critical patches applied within defined SLA
Penetration test conducted within last 12 months
Pen test results and remediation available
Responsible disclosure / bug bounty program

1.4 Incident Response

Control	Status	Notes / Evidence
Documented incident response plan
Security incident notification SLA defined
Customer notification process for data breaches
Post-incident review process in place
Security operations / monitoring capability

1.5 Network and Infrastructure Security

Control	Status	Notes / Evidence
Network segmentation implemented
Firewall and intrusion detection systems
DDoS protection in place
Audit logs retained (minimum 12 months)
Change management process documented

Section 1 Summary:

Controls verified: ___ / 24
Critical gaps identified: ___
Control effectiveness rating: Strong / Adequate / Weak / Insufficient

Section 2: Compliance and Certifications

Certification / Framework	Status	Expiry / Last Audit	Report Available?
ISO 27001:2022	Certified / In progress / No
SOC 2 Type II	Completed / In progress / No
ISO 27701 (Privacy)	Certified / No
GDPR compliance	Documented / Partial / No
NIS2 compliance measures	Implemented / Partial / No
DORA compliance (if financial sector)	Implemented / Partial / No
Penetration test (last 12 months)	Yes / No
Bug bounty / responsible disclosure	Active / No

Certification verification: Have you independently verified certificate validity (e.g., via IAF CertSearch for ISO 27001)? ☐ Yes ☐ No

Section 2 Summary:

Certifications verified: ___
Key compliance gaps: ___

Section 3: Data Handling

Question	Response	Notes
What data types will the vendor access or process?
Where is data stored and processed? (countries/regions)
Is data stored within the EU/EEA?	Yes / No / Partially
Does the vendor use sub-processors?	Yes / No
Sub-processor list available?	Yes / No
Notification process for sub-processor changes?	Yes / No
Data retention period defined?	Yes / No — ___ days
Secure deletion process documented?	Yes / No
Data portability/export capability?	Yes / No
Data Processing Agreement (DPA) in place?	Yes / No

Section 3 Summary:

Data residency compliant (EU): ☐ Yes ☐ No ☐ Partial
DPA signed: ☐ Yes ☐ No
Sub-processor risk: ☐ Low ☐ Medium ☐ High

Section 4: Business Continuity

Question	Response	Notes
Recovery Time Objective (RTO)		Hours
Recovery Point Objective (RPO)		Hours
Business Continuity Plan documented?	Yes / No
Disaster recovery test conducted (last 12 months)?	Yes / No
Backup frequency and geographic distribution
Uptime SLA		%
SLA breach remedy defined?	Yes / No
Exit/transition assistance process?	Yes / No
Data migration support at contract end?	Yes / No

Section 4 Summary:

RTO/RPO acceptable for criticality: ☐ Yes ☐ No
Business continuity rating: Strong / Adequate / Weak / Insufficient

Section 5: Financial and Operational Stability

(Tier 1 assessments only)

Question	Response	Notes
Company age		Years
Approximate revenue / funding stage
Cyber liability insurance in place?	Yes / No
Insurance coverage amount		EUR/USD
Key person dependencies identified?	Yes / No
Customer concentration risk		(e.g., single customer >30% of revenue?)
Relevant litigation / regulatory sanctions	None / Yes

Section 5 Summary:

Financial stability risk: ☐ Low ☐ Medium ☐ High

Section 6: Subcontractor and Supply Chain Risk

(Tier 1 assessments only)

Question	Response	Notes
Does the vendor use critical ICT sub-processors?	Yes / No
Sub-processor assessment process documented?	Yes / No
Security requirements flow down to sub-processors?	Yes / No
Critical sub-processors identifiable in event of incident?	Yes / No
Sub-processor concentration risk assessed?	Yes / No

Section 6 Summary:

Supply chain risk: ☐ Low ☐ Medium ☐ High

Risk Scoring: Calculating Residual Risk

Once all sections are complete, calculate the residual risk rating.

Step 1: Inherent Risk (from Classification above)

Low / Medium / High / Critical

Step 2: Control Effectiveness

Based on Section 1 and Section 2 findings:

Strong — ISO 27001 or SOC 2 Type II certified, clean audit, all critical controls verified
Adequate — Most controls in place, some certification, minor gaps
Weak — Basic controls only, limited evidence, significant gaps in one or more areas
Insufficient — Material control failures, no certification, unresponsive to requests

Step 3: Residual Risk Matrix

	Strong Controls	Adequate Controls	Weak Controls	Insufficient Controls
Critical inherent	High	High	Critical	Critical
High inherent	Medium	High	High	Critical
Medium inherent	Low	Medium	High	High
Low inherent	Low	Low	Medium	High

Residual risk rating: Low / Medium / High / Critical

Step 4: Required Actions

Residual Risk	Approval Required	Additional Controls	Monitoring Frequency
Low	Team Lead	None required	Annual
Medium	Security Manager	May be required	Every 6 months
High	CISO / Senior Management	Required — document controls	Quarterly
Critical	Board / Executive	Mandatory or decline vendor	Continuous

Completing the Assessment

Assessment Summary

Field	Detail
Vendor name
Assessment date
Assessor name/role
Assessment tier (1/2/3)
Inherent risk rating
Control effectiveness rating
Residual risk rating
Risk decision	☐ Approve ☐ Approve with conditions ☐ Decline
Conditions / required controls
Next review date
Approver name / role
Approver sign-off date

Documentation Checklist

Before filing the assessment, confirm you have:

☐ Completed security questionnaire (vendor-provided)
☐ ISO 27001 certificate (independently verified) or SOC 2 Type II report
☐ Data Processing Agreement signed
☐ Sub-processor list obtained
☐ Risk scoring completed and signed off
☐ Conditions / remediation actions documented
☐ Next review date set in calendar

Mapping to Regulatory Requirements

ISO 27001:2022

Control	Template Coverage
5.19 — Information security in supplier relationships	Full template — establishes what to evaluate
5.20 — Addressing information security within supplier agreements	Section 3 (DPA), Section 4 (SLA), Section 6 (flow-down)
5.21 — Managing information security in the ICT supply chain	Section 6 (sub-processors), ongoing monitoring

Auditors will look for: completed assessment records, evidence of certification verification, documented risk decisions, and periodic re-assessment dates.

NIS2 Article 21(2)(d)

NIS2 requires essential and important entities to implement supply chain security measures, including assessment of direct suppliers' security practices and vulnerabilities. Sections 1, 2, and 6 of this template directly address these requirements.

DORA Articles 28–30

DORA requires financial entities to conduct pre-contractual risk assessments of ICT third-party service providers before entering critical contracts. The full Tier 1 template (all six sections) satisfies the DORA pre-contractual assessment requirement. Sections 3 and 4 address DORA's specific requirements around data location, audit rights, and exit strategies.

Automating Vendor Risk Assessments

Manual template-based assessments work at small scale. Once you're managing dozens of vendors, the process breaks down:

Questionnaire coordination becomes a project management burden
Evidence storage becomes fragmented across email and shared drives
Periodic re-assessment dates get missed
Audit preparation requires reconstructing paper trails

What automation addresses:

Manual Pain Point	Automated Solution
Sending and chasing questionnaires	Automated distribution and reminders
Storing certificates and audit reports	Centralized evidence repository
Risk scoring consistency	Standardized scoring engine
Tracking re-assessment due dates	Automated review scheduling
Preparing audit evidence	Exportable assessment records
Monitoring between assessments	Continuous certification and posture monitoring

Enterprise VRM platforms like UpGuard Vendor Risk (from ~$1,599/month for the Starter plan), Prevalent, and OneTrust TPRM (pricing varies widely; enterprise implementations typically range from $10,000–$40,000+/year depending on vendor volume and modules) offer full automation but carry significant cost and implementation complexity. They're designed for organizations managing hundreds or thousands of vendors [2].

For European companies managing a moderate vendor portfolio — where ISO 27001 certification, NIS2 compliance, and Trust Center visibility matter — a purpose-built compliance platform delivers the core assessment and monitoring capability without the overhead.

How Orbiq Supports Vendor Risk Assessment

Orbiq's vendor assurance platform streamlines both sides of vendor risk:

Outbound (your vendors): Distribute assessments, collect questionnaire responses, store certificates and audit reports, and track risk decisions in a centralized system. Automatic reminders replace manual follow-up.
Inbound (your customers' assessments of you): Publish your security posture, certifications, and compliance evidence in a Trust Center so customers can assess your risk without sending manual questionnaires.
Continuous monitoring: Track vendor certification status changes, breach notifications, and compliance gaps between formal assessment cycles.
EU data residency: All assessment data stays within the EU — a requirement for organizations subject to GDPR, NIS2, and DORA.

Related Resources

Vendor Risk Management: The Definitive Guide — full VRM programme guide, EU regulatory requirements, and tool comparisons
Vendor Risk Assessment — what VRAs are, when to conduct them, and how to score risk
Third-Party Risk Management — building a comprehensive TPRM programme
NIS2 Supply Chain Security — NIS2's specific supply chain assessment requirements
Compliance Automation — automating evidence collection for vendor assessments

Sources & References

Bitsight. (2025). Third-Party Risk Management Report. Bitsight Technologies. https://www.bitsight.com/resources/third-party-risk-management
UpGuard. (2026). Vendor Risk Pricing. https://www.upguard.com/pricing — Prevalent TPRM pricing from vendor documentation; OneTrust enterprise pricing from analyst sources.

This template is maintained by the Orbiq team. Last updated: March 2026.