Vendor Risk Management Checklist

By CyberGRX



There are many ways to slice and dice a vendor risk management program, an increasingly important practice in today's world of complex supplier ecosystems and stringent data-protection obligations. The following is what our solution engineer would advise if starting from scratch.

Vendor Classification

The vendor class tells you a lot about how to manage the relationship, specifically how much scrutiny to apply during the pre-contract due-diligence assessment.

  1. Vendor Risk Tiering
    Classify the exposure each vendor creates by rating the likelihood of a cyber event at that vendor and the impact such an event would have on your organization, then combine the two ratings into a tier.

Begin The Assessment

After classifying vendors, you will know what the scope of the assessment should be.

  1. Determine Assessment Scope & Necessary Questions
    Each vendor tier has a corresponding assessment scope: high-risk vendors should be assessed via questionnaire plus an on-site evaluation, while lower-risk vendors can be assessed with less rigor, for example a questionnaire plus desktop validation of the supporting documents.
  2. Self-Assessment
    Regardless of tier, each vendor should complete a self-assessment questionnaire. The questionnaire should include only the questions relevant to the exposure that vendor creates. Set well-documented expectations and guidelines, as well as a deadline for returning it.
  3. Validate Vendor Assertions
    Examine the evidence your vendor provides that its controls are operating effectively, such as policies, procedures and audit results; do not score on assertions alone.
  4. Ongoing Monitoring
    Refresh the assessment data as your relationship with the vendor changes, rather than treating the initial assessment as a one-time event.

Issue Management

A well-designed questionnaire should have a corresponding analysis component. Scoring a questionnaire can be difficult, and you need to know the status of each issue as it evolves, which is why we suggest issue-based scoring: the score is driven by the issues the questionnaire raises and their current status, not by a one-time tally of answers.

  1. Create a Matrix
    Map each question's negative answers to an issue, the severity of that issue, and a mitigation strategy.
  2. Track Issues
    Know the dynamic status of each issue at all times – this way, no exposure will go unaddressed.
  3. Address Findings
    Hold your vendors accountable for helping you close the issues that must be addressed. When you define your program policies, plan how you will handle issues of each severity in a repeatable fashion. This ensures consistency in your approach.
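The tiering step above and the question-to-issue matrix in this section are easier to see as code. The following is an added example written for this page, not CyberGRX's own method or code: the 1-3 likelihood and impact scale, the tier thresholds, the four questions, the severity weights and the sample vendor answers are all assumptions constructed for illustration. The score is computed only from issues that are not yet closed, so it changes as issue status changes, and a single open critical issue is surfaced separately because an additive score can hide one.

```python
"""Vendor tiering and issue-based scoring.

Added example, not CyberGRX's own method or code. The 1-3 likelihood/impact
scale, tier thresholds, questions, severity weights and vendor answers are
all assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Assumed mapping from tier to assessment scope, following the checklist.
TIER_SCOPE = {
    "high": "questionnaire + on-site evaluation",
    "medium": "questionnaire + desktop document validation",
    "low": "questionnaire only",
}


def tier_vendor(likelihood: int, impact: int) -> str:
    """Bucket likelihood x impact (each rated 1-3, an assumed scale) into a tier."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be rated 1..3")
    exposure = likelihood * impact  # 1..9
    if exposure >= 6:
        return "high"
    if exposure >= 3:
        return "medium"
    return "low"


# Issue matrix: question id -> (negative-answer test, severity, mitigation).
# Answers are normalised to lower-case strings; Q4 expects hours as a number.
def _is_no(ans: str) -> bool:
    return ans == "no"


def _over_72_hours(ans: str) -> bool:
    try:
        return float(ans) > 72
    except ValueError:
        return True  # an unparseable commitment is treated as a negative answer


ISSUE_MATRIX: dict[str, tuple[Callable[[str], bool], str, str]] = {
    "Q1": (_is_no, "critical", "Enforce MFA on all administrative access to our data"),
    "Q2": (_is_no, "high", "Encrypt our data at rest with managed keys"),
    "Q3": (_is_no, "medium", "Provide a current SOC 2 Type II or equivalent audit report"),
    "Q4": (_over_72_hours, "medium", "Commit contractually to incident notification within 72 hours"),
}

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
STATUSES = ("open", "remediating", "closed")


@dataclass
class Issue:
    question: str
    answer: str
    severity: str
    mitigation: str
    status: str = "open"


@dataclass
class VendorAssessment:
    vendor: str
    tier: str
    issues: list[Issue] = field(default_factory=list)

    def score(self) -> int:
        """Sum of severity weights over issues that are not yet closed."""
        return sum(SEVERITY_WEIGHT[i.severity] for i in self.issues if i.status != "closed")

    def has_open_critical(self) -> bool:
        """Additive scores can hide one critical gap; surface it separately."""
        return any(i.severity == "critical" and i.status != "closed" for i in self.issues)

    def set_status(self, question: str, status: str) -> None:
        """Record the dynamic status of an issue (open -> remediating -> closed)."""
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        for i in self.issues:
            if i.question == question:
                i.status = status
                return
        raise KeyError(f"no issue for {question}")


def assess(vendor: str, likelihood: int, impact: int, answers: dict[str, str]) -> VendorAssessment:
    """Tier the vendor, then turn each negative questionnaire answer into a tracked issue."""
    result = VendorAssessment(vendor, tier_vendor(likelihood, impact))
    for q, (is_negative, severity, mitigation) in ISSUE_MATRIX.items():
        ans = answers.get(q, "").strip().lower()
        if not ans or is_negative(ans):  # an unanswered question counts as negative
            result.issues.append(Issue(q, ans or "<unanswered>", severity, mitigation))
    return result


if __name__ == "__main__":
    # Constructed sample: a SaaS vendor with broad data access that lacks MFA
    # and promises incident notification within 96 hours.
    a = assess("ExampleCloud Inc.", likelihood=3, impact=2,
               answers={"Q1": "no", "Q2": "yes", "Q3": "yes", "Q4": "96"})
    print(a.tier, TIER_SCOPE[a.tier])        # high questionnaire + on-site evaluation
    print(a.score(), a.has_open_critical())  # 12 True
    a.set_status("Q1", "closed")             # vendor enables MFA, evidence validated
    print(a.score(), a.has_open_critical())  # 2 False
```

Two design choices are worth noting. Unanswered questions are treated as negative answers so a vendor cannot lower its score by skipping questions, and `set_status` is the only way an issue leaves the score, which keeps the questionnaire answers as the immutable record and the issue list as the thing that is tracked and closed.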

Building a strong VRM program is essential to the security of your business and its data. Each component will require constant fine-tuning, especially while your program evolves in maturity and sophistication. If you’re looking for an innovative, dynamic approach, schedule a demo or read our Vendor Risk Management Guide to learn more.


Join The CyberGRX Exchange

Whether you are an enterprise or a vendor, the CyberGRX Exchange will act as a force multiplier for your third-party risk management program. The efficient and shared cost model of the exchange helps organizations identify and prioritize risk, in the most cost-effective way.
