A comprehensive, practitioner-built framework for evaluating third-party and supplier security posture. ISO 27001 and SOC 2 aligned. Used by compliance teams to satisfy Annex A third-party requirements.
150+ questions across 10 risk domains
Automated risk scoring matrix
Risk tier classification (Critical / High / Medium / Low)
Secure checkout via Gumroad · Instant download after payment
What's included
Everything you need for vendor risk management.
Built by security practitioners for compliance teams: not a generic checklist, but a structured framework used in real advisory engagements.
Risk Scoring Matrix
Automated scoring calculates an overall vendor risk rating based on responses. Vendors are classified as Critical, High, Medium, or Low risk, with no manual calculation required.
150+ Assessment Questions
Comprehensive questions covering information security, data protection, business continuity, access management, incident response, and compliance obligations.
Vendor Dashboard
A summary dashboard showing each vendor's risk score, tier classification, assessment date, and open findings, giving management a clear view of third-party risk posture.
Risk Register Export
Automatically populated risk register from assessment findings, ready to include in your ISO 27001 ISMS documentation or board reporting pack.
Fully Editable
Every question, scoring weight, and risk threshold is editable. Customise the template to match your organisation's risk appetite and supplier categories.
Lifetime Updates
As we update the template to reflect new regulatory requirements or framework changes, you receive the updated version at no additional cost.
Assessment domains
10 risk domains. 150+ questions.
Every domain is weighted by risk level. Critical and high-risk domains carry greater weight in the overall vendor risk score.
01
Information Security Governance
Security policies, ISMS, certifications (ISO 27001, SOC 2), executive accountability for security
15 questions
02
Access Control and Identity Management
User access provisioning, MFA, privileged access, access reviews, offboarding procedures
18 questions
03
Data Protection and Privacy
Data handling practices, encryption, NDPA/GDPR/PIPEDA compliance, data processing agreements
Regulatory compliance, audit rights, right to audit clauses, certifications and attestations
12 questions
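As an added illustration (not the template's own logic), the following shows how a domain-weighted scoring matrix of the kind described above can turn per-question responses into an overall score, a Critical/High/Medium/Low tier, and an open-findings list for a risk register. The domain weights, tier thresholds, answer credits, domain names and sample responses are all assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed weights per domain risk level (critical domains count most).
DOMAIN_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
# Assumed credit per answer; "n/a" is left out of the denominator entirely.
ANSWER_CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}
# Assumed tier floors on a 0-100 score (higher score = lower vendor risk).
TIERS = [(80, "Low"), (60, "Medium"), (40, "High"), (0, "Critical")]

def domain_scores(responses):
    """responses: list of (domain, question, answer). Returns {domain: percent}."""
    earned, possible = defaultdict(float), defaultdict(float)
    for domain, _question, answer in responses:
        credit = ANSWER_CREDIT.get(answer.lower())
        if credit is None:  # "n/a" or unrecognised: counts neither way
            continue
        earned[domain] += credit
        possible[domain] += 1.0
    return {d: 100.0 * earned[d] / possible[d] for d in possible}

def overall_score(scores, domain_levels):
    """Weighted average of domain percentages; unknown level defaults to medium."""
    weight = {d: DOMAIN_WEIGHT[domain_levels.get(d, "medium")] for d in scores}
    return sum(scores[d] * weight[d] for d in scores) / sum(weight.values())

def risk_tier(score):
    return next(tier for floor, tier in TIERS if score >= floor)

def risk_register(responses):
    """Open findings for the risk register: every 'no' or 'partial' answer."""
    return [(d, q, a) for d, q, a in responses if a.lower() in ("no", "partial")]

def assess(responses, domain_levels):
    scores = domain_scores(responses)
    score = round(overall_score(scores, domain_levels), 1)
    return {"domains": scores, "score": score, "tier": risk_tier(score),
            "findings": risk_register(responses)}

# Constructed sample responses for three assumed domains (not real vendor data).
SAMPLE = [
    ("Access Control", "AC-01 MFA enforced for all users", "yes"),
    ("Access Control", "AC-02 Quarterly access reviews", "partial"),
    ("Access Control", "AC-03 Offboarding completed within 24h", "no"),
    ("Data Protection", "DP-01 Encryption at rest", "yes"),
    ("Data Protection", "DP-02 Data processing agreement signed", "yes"),
    ("Data Protection", "DP-03 Cross-border transfer safeguards", "n/a"),
    ("Business Continuity", "BC-01 DR plan tested in last 12 months", "no"),
    ("Business Continuity", "BC-02 RTO/RPO documented", "yes"),
]
LEVELS = {"Access Control": "critical", "Data Protection": "critical",
          "Business Continuity": "high"}
```

Calling `assess(SAMPLE, LEVELS)` yields a weighted score of about 68.8 (Access Control 50%, Data Protection 100% with the n/a excluded, Business Continuity 50%), a Medium tier, and three open findings for the register.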
ISO 27001 Annex A 5.19–5.22 Compliance
Use the template to satisfy the "information security in supplier relationships" requirements and generate evidence for your certification audit.
SOC 2 Vendor Management
Document third-party risk assessments to satisfy SOC 2 Trust Services Criteria requirements for vendor management controls.
NDPA Third-Party Processor Assessment
Assess data processors handling Nigerian personal data in compliance with NDPA 2023 third-party obligations.
Annual Vendor Review Programme
Use as the basis for an annual vendor security review programme: send to suppliers, collect responses, and track risk over time.
New Vendor Onboarding
Incorporate into your procurement process to assess new vendors before signing contracts or sharing data.
Who is this for
Built for compliance and procurement teams.
Financial services and fintech
Satisfy CBN, OSFI, and PRA third-party risk requirements with a structured, documented assessment framework.
SaaS and technology companies
Meet SOC 2 and ISO 27001 vendor management requirements with a template that generates audit-ready evidence.
Healthcare organisations
Assess vendors handling health data against NDPA, GDPR, and HIPAA third-party obligations.
Security and compliance teams
A practitioner-built framework you can deploy immediately, with no need to build from scratch.
Ready to strengthen your third-party risk programme?
Purchase the Vendor Risk Assessment Template and deploy it immediately, or book a discovery call if you need advisory support building a full vendor risk management programme.