GASP: AICF


VND-001 Vendor Risk Assessment and Due Diligence

Tier 2+

Description

A documented risk assessment is conducted for all third-party vendors, suppliers and service providers before engagement and periodically thereafter. The assessment evaluates security posture, privacy practices, regulatory compliance, financial stability and operational resilience. Findings are documented and inform the decision to engage or continue the relationship.

Rationale

Vendors with access to systems or data extend the organisation's attack surface. Formal due diligence creates a defensible record of proportionate risk management and is required for both GDPR processor selection and supply chain integrity.

Framework Mappings (8)

STA-01: Supply Chain Risk Management Policies and Procedures (partial)
STA-10: Supply Chain Risk Management (full)
STA-16: Supply Chain Data Security Assessment (full)
GDPR Art. 28.1: Processor Selection Due Diligence (full)
5.19: Information security in supplier relationships (full)
SR-6: Supplier Assessments and Reviews (full)
GOVERN 6.1: Third-Party AI Risk Policies (partial)
CC9.2: Vendor and Business Partner Risk Management (full)

Evidence (2)

Type: report (manual collection)

Completed vendor risk assessment reports for all in-scope third-party vendors, documenting security posture, privacy practices, and engagement decision.

Example: Vendor Risk Assessment reports (SecurityScorecard / internal questionnaire) for top-tier vendors — each covering: security posture score, privacy compliance assessment (GDPR DPA status), regulatory certifications (SOC 2 / ISO 27001), data handling practices, incident history, and risk-based engagement decision with DPO and CISO sign-off

Test: Request completed risk assessment reports for a sample of 5 critical vendors. Verify: (1) a risk assessment was completed before the vendor was engaged, (2) each assessment covers security, privacy, regulatory, and operational dimensions, (3) findings are documented with a risk rating, (4) decision to engage (or not) is signed off by an appropriate authority, (5) critical vendors have been reassessed within the last 12 months.

Type: certification (manual collection)

Current third-party security certifications (SOC 2 Type II, ISO 27001) obtained from key vendors as evidence of their security posture during due diligence.

Example: SOC 2 Type II reports or ISO 27001 certificates for critical vendors (e.g. cloud provider, CRM, payment processor) — filed in the vendor management system with issuance dates confirming they were current at the time of the due diligence review

Test: Request vendor certification files for the 5 most critical vendors. Verify: (1) each critical vendor has provided a current SOC 2 Type II or ISO 27001 certificate (issued within 12 months), (2) the SOC 2 bridge letter is available where the report is more than 9 months old, (3) certificates are filed in the vendor management system with the associated vendor record.

Questions (2)

boolean

Does your organisation conduct a documented risk assessment of all third-party vendors before engagement, covering security posture, privacy practices, and regulatory compliance?

The assessment should be completed before the vendor is engaged and produce a documented risk rating and engagement decision signed off by an appropriate authority (e.g. CISO, DPO). Critical vendors should be reassessed at least annually.

multi

What does the vendor risk assessment cover?

Information security posture (e.g. certifications, security questionnaire or scorecard)
Privacy practices and GDPR compliance (DPA status, data handling practices)
Regulatory compliance and applicable certifications (SOC 2, ISO 27001)
Incident history and breach notification track record
Financial stability and operational resilience
Sub-processor or supply chain risk
Assessment is limited to contract review only

A comprehensive pre-engagement assessment should cover at minimum: security posture, privacy compliance, certifications and incident history. Financial and operational resilience assessment is important for critical suppliers.