You run risk, compliance, or security at a mid-to-large organization. Vendors touch sensitive data or plug into your systems. You need a defensible way to judge their cybersecurity, privacy, and audit readiness. This guide gives you a practical checklist, the evidence to ask for, a simple scoring method, and a way to document decisions so they stand up to audit.
Quick scan: 12 yes/no checks
Use these first. If three or more are “No,” dig deeper or escalate.
- Data flows are mapped and approved
- Admins use SSO and MFA, with phishing-resistant factors (FIDO2/WebAuthn, PIV/CAC) preferred for privileged roles
- Data is encrypted at rest and in transit
- Keys are managed with KMS/HSM and rotated with dual control
- Secure SDLC with code review and secrets hygiene
- SBOM for every release
- SCA runs in CI with VEX or equivalent exploitability notes
- Patch SLAs by severity, with proof they’re met
- Cloud baseline set and CSPM running
- SaaS tenants hardened, access reviewed regularly
- Incident response tested in the last 12 months, breach SLAs defined
- Sub-processors listed, vetted, and covered by flow-down controls
How to put this guide to work
- Set scope: what data, which systems, where it flows, and how critical it is
- Ask for evidence: use the list below and set deadlines/owners
- Score simply: 0–3 per control, then apply weights for sensitivity and integration depth
- Track gaps: assign owners and dates, agree mitigations
- Decide & document: accept, accept with conditions, or reject
- Keep watch: monitor on a cadence based on vendor tier
What to ask vendors for (copy into your RFI)
- Data mapping: data flow diagram, systems list, purpose, residency, retention
- Privacy: DPA, SCCs/TIAs (if applicable), sub-processor register with locations
- Access: access policy, IdP config, MFA/SSO enforcement, last access review
- SDLC: policy with security gates, PR templates, secrets policy
- Testing: SAST, DAST, SCA reports, pen test summary, examples of closed fixes
- SBOM/VEX: SBOM per release tied to tags, VEX for material CVEs
- Cloud: baseline hardening doc, CSPM export, exception list with owners
- SaaS: tenant hardening guide, audit log retention, quarterly access reviews
- IR: IR plan, tabletop minutes (≤12 months), breach notification SLA text
When to hit pause or escalate
- No MFA for admin accounts
- No IR test in the past year
- No encryption at rest, or weak ciphers in use
- No SBOM/SCA pipeline, or no patch SLAs
- No CSPM across multi-account cloud estates
- No DPA, unclear transfers, or hidden sub-processors
Vendor tiers at a glance
| Tier | When it applies | Examples | Review cadence |
| --- | --- | --- | --- |
| High | Critical service, sensitive data, deep integration | Core SaaS, payments, EHR, core APIs | Quarterly + on major changes |
| Medium | Important process, moderate data | HR platforms, analytics, regional apps | Twice per year |
| Low | Limited data, low impact | Utilities, non-critical SaaS | Annual |
Make the call (fast and defensible)
- Score & weight: 0–3 per control, multiply by weights, total it
- Plan fixes: define compensating controls, owners, due dates
- Decide: accept, time-boxed conditional approval, or reject
- Lock it in contract: security schedule, audit/test rights, breach SLA, sub-processor flow-downs, data return/deletion
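The quick scan rule, the pause/escalate triggers and the weighted 0–3 scoring above, combined into one scorecard as an added example (not a tool from this guide). The control key names, the split between sensitivity-driven and integration-driven controls, the 1–3 weight factors and the accept/conditional thresholds are assumptions to tune to your own risk appetite.

```python
"""Vendor due-diligence scorecard (added example, not the page's own tool).
Keys mirror the 12 quick-scan checks and the pause/escalate list; the
driver split, weight factors and decision thresholds are assumptions."""

CHECKS = [  # quick-scan checks; True means "Yes"
    "data_flows_mapped", "admin_sso_mfa", "encrypted_rest_transit",
    "kms_hsm_dual_control", "secure_sdlc", "sbom_per_release", "sca_with_vex",
    "patch_slas_met", "cloud_baseline_cspm", "saas_tenant_hardened",
    "ir_tested_12mo", "subprocessors_vetted",
]
# A "No" on any of these matches a "hit pause or escalate" item.
HARD_STOPS = {"admin_sso_mfa", "ir_tested_12mo", "encrypted_rest_transit",
              "sbom_per_release", "sca_with_vex", "patch_slas_met",
              "cloud_baseline_cspm", "subprocessors_vetted"}
# Assumed: data-handling controls are weighted by data sensitivity, the
# rest by integration depth; each factor runs 1..3.
DATA_CONTROLS = {"data_flows_mapped", "encrypted_rest_transit",
                 "kms_hsm_dual_control", "subprocessors_vetted"}
SENSITIVITY = {"low": 1, "moderate": 2, "sensitive": 3}
INTEGRATION = {"shallow": 1, "moderate": 2, "deep": 3}

def quick_scan(answers):
    """Return (count of 'No', escalation triggers hit, dig-deeper flag).
    Three or more 'No' answers mean dig deeper or escalate."""
    noes = [c for c in CHECKS if not answers.get(c, False)]
    triggers = sorted(c for c in noes if c in HARD_STOPS)
    return len(noes), triggers, len(noes) >= 3

def weighted_score(scores, sensitivity, integration):
    """scores: control -> 0..3.  Returns (total, maximum, percent)."""
    total = maximum = 0
    for control, score in scores.items():
        if control not in CHECKS or not 0 <= score <= 3:
            raise ValueError(f"bad entry {control}={score}")
        weight = (SENSITIVITY[sensitivity] if control in DATA_CONTROLS
                  else INTEGRATION[integration])
        total += score * weight
        maximum += 3 * weight
    return total, maximum, round(100 * total / maximum) if maximum else 0

def decide(percent, triggers, accept_at=80, conditional_at=60):
    """Map to Accept / Conditional / Reject; any trigger overrides the score."""
    if triggers:
        return "Escalate"
    if percent >= accept_at:
        return "Accept"
    return "Conditional" if percent >= conditional_at else "Reject"
```

Because the data-handling controls carry the sensitivity factor, a vendor holding sensitive data with a shallow integration is pulled down by weak encryption or key management far more than by a missing SBOM, which is the effect the weighting step is meant to produce.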
Your first 30 days with a new vendor
- Week 1: Set scope and tier, finalize the evidence list and timelines
- Week 2: Send the checklist/RFI, hold a kickoff, confirm owners
- Week 3: Review evidence, score controls, log gaps, agree remediation
One-page summary for leadership
- Vendor and tier
- Overall weighted score
- Top three risks
- Mitigations with owners and dates
- Decision: Accept / Conditional / Reject
- Next review date
Need expert support?
Under time pressure or tight audits, our Digital Risk Due Diligence team can validate evidence, confirm findings, and align remediation with Legal and Procurement. You stay in control; we deliver audit-ready docs and a process you can defend.