# Vendor Risk Assessment Template
A template for assessing security, compliance, and operational risks posed by third-party vendors and service providers.
## Why Vendor Risk Assessment Matters
Your vendors have access to your data — whether through cloud services, support access, or data processing. A vendor data breach becomes your data breach. For Indian SMEs, vendor risk assessment is required by DPDP Act 2023 (Section 8 — Data Processor obligations) and ISO 27001 (Clause A.15 — Supplier Relationships).
## Vendor Risk Factors
- Data Access Level: Does the vendor store, process, or transmit your data? What type of data — public, internal, confidential, or restricted?
- System Integration: Does the vendor's system integrate directly with your internal systems via API, SSO, or data sync?
- Compliance Requirements: Is the vendor subject to the same regulations as you (DPDP, GST, IT Act)?
- Financial Stability: Could the vendor going out of business disrupt your operations?
- Geographic Location: Is data stored in India or overseas? Cross-border data transfers have additional DPDP requirements.
## Assessment Categories & Scoring
| Category | Weight | What to Evaluate |
|---|---|---|
| Security Practices | 30% | Encryption (at rest and in transit), access controls, incident response capability, security certifications (ISO 27001, SOC 2). |
| Data Privacy Compliance | 25% | DPDP Act compliance, data retention/deletion policy, data breach notification commitment, data processing agreement (DPA) in place. |
| Business Continuity | 20% | Vendor's own BCP/DR plan, uptime SLA, redundancy and failover capabilities, financial stability indicators. |
| Operational Track Record | 15% | Years in business, client references, history of security incidents, support quality and response time. |
| Contractual & Legal | 10% | NDA signed, SLA with penalties, termination clauses, data ownership and portability, jurisdiction for dispute resolution. |
## Assessment Frequency
- High-risk vendors (access to restricted data or critical systems): assess annually and after any significant change in their services.
- Medium-risk vendors: assess every 2 years.
- Low-risk vendors: assess at onboarding and every 3 years thereafter.
## Remediation & Acceptance
If a vendor does not meet your risk threshold, you have three options: request remediation (vendor fixes the gap within an agreed timeline), accept the risk (with signed acceptance from management acknowledging the exposure), or replace the vendor (initiate transition to a lower-risk alternative). Document the decision with rationale and sign-off.
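The scoring table, the reassessment cadence and the remediation decision above can be kept consistent in a vendor register by computing them rather than filling them in by hand. The following Python is an added example, not part of the original template: it uses the five category weights and the 1/2/3-year intervals from this page, and assumes a 0..5 rating per category, an acceptance threshold of 70% (a parameter, not a value from the page), and that "confidential" data maps to the medium tier and "public"/"internal" to low (the page only defines the high tier explicitly). The sample vendor at the bottom is constructed.

```python
from datetime import date

# Category weights from the assessment table on this page (they sum to 1.0).
WEIGHTS = {
    "security_practices": 0.30,
    "data_privacy_compliance": 0.25,
    "business_continuity": 0.20,
    "operational_track_record": 0.15,
    "contractual_legal": 0.10,
}

# Reassessment interval in years per risk tier, from "Assessment Frequency".
REASSESS_YEARS = {"high": 1, "medium": 2, "low": 3}

# Data classification levels named under "Vendor Risk Factors".
DATA_LEVELS = ("public", "internal", "confidential", "restricted")

# Assumed per-category rating scale: 0 (control absent) .. 5 (fully evidenced).
RATING_MAX = 5


def weighted_score(ratings):
    """Weighted score as a percentage (0..100) from per-category ratings."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    for cat, val in ratings.items():
        if cat not in WEIGHTS or not 0 <= val <= RATING_MAX:
            raise ValueError(f"bad rating for {cat}: {val}")
    total = sum(WEIGHTS[c] * ratings[c] for c in WEIGHTS)
    return round(total / RATING_MAX * 100, 1)


def risk_tier(data_level, critical_system):
    """High tier per the page: restricted data or critical systems.
    Medium/low split below is an assumption for illustration."""
    if data_level not in DATA_LEVELS:
        raise ValueError(f"unknown data level: {data_level}")
    if critical_system or data_level == "restricted":
        return "high"
    if data_level == "confidential":
        return "medium"
    return "low"


def next_assessment(last_assessed, tier):
    """Next due date; handles a 29 Feb anchor with no leap day in the target year."""
    target_year = last_assessed.year + REASSESS_YEARS[tier]
    try:
        return last_assessed.replace(year=target_year)
    except ValueError:
        return last_assessed.replace(year=target_year, day=28)


def assess_vendor(name, ratings, data_level, critical_system,
                  last_assessed, threshold=70.0):
    """Build one register record. Below threshold, the three options from
    "Remediation & Acceptance" are listed; choosing among them and the
    sign-off remain a documented management decision."""
    score = weighted_score(ratings)
    tier = risk_tier(data_level, critical_system)
    meets = score >= threshold
    return {
        "vendor": name,
        "score": score,
        "tier": tier,
        "meets_threshold": meets,
        "next_assessment": next_assessment(last_assessed, tier),
        "options": [] if meets else ["remediate", "accept_risk", "replace"],
        "signoff_required": True,
    }


if __name__ == "__main__":
    # Constructed sample vendor: a payroll SaaS holding restricted employee data.
    sample = assess_vendor(
        name="example-payroll-saas",
        ratings={
            "security_practices": 4,
            "data_privacy_compliance": 3,
            "business_continuity": 5,
            "operational_track_record": 4,
            "contractual_legal": 2,
        },
        data_level="restricted",
        critical_system=False,
        last_assessed=date(2024, 2, 29),
    )
    for key, value in sample.items():
        print(f"{key}: {value}")
```

Keeping the weights and intervals in one place means a change to the scoring table (for example, raising the weight of data privacy compliance) propagates to every vendor record the next time it is recomputed, and the `options` list makes it explicit that a below-threshold vendor still needs one of the three documented decisions rather than silently staying in the register.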