Vendor Risk Assessment processes form the core of a Vendor Risk Management program. As such, the efficiency of a VRM program is ultimately dependent on the design of its risk assessment processes. This post guides you through the design of an efficient vendor risk assessment framework in six steps. By implementing this framework, you can establish an efficient risk assessment workflow built upon a scalable process foundation.


Step 1: Define your Vendor Risk Management lifecycle

Defining your Vendor Risk Management (VRM) lifecycle first will set the scope for the structure of your risk assessment framework. At a high level, a VRM program lifecycle is based on a three-stage vendor lifecycle - Onboarding, Risk Management, and Offboarding.

With such a structure, a vendor risk assessment framework stretches across the final two stages - Risk Management and Offboarding.

A vendor risk assessment framework encompassing onboarding, risk management and offboarding

The majority of risk assessment processes support the Risk Management phase, where continuous risk monitoring and assessment tasks are carried out to a degree that's proportional to the criticality rating of each onboarded vendor. 

Risk management encompassing continuous monitoring, risk assessment tasks and remediation.

The final portion of the third-party risk assessment framework feeds into the vendor offboarding phase, where final assessments and audits are carried out to ensure offboarded vendors lose all of their access to your internal environment.

Offboarding encompassing vendor internal access removal.

To show how a risk assessment framework supports each of these phases, the processes in each stage that map to risk assessment tasks are outlined below.

Vendor Onboarding

Ensures minimal security posture impact as vendors progress from selection to final onboarding.

Some processes commonly involved in the onboarding phase include:

  • Service provider identification.
  • Vendor due diligence.
  • Evaluation of the severity of potential risks of new vendors, which could also include metrics such as ESG risks, reputational risks, operational risks, compliance risks, and financial risks - in addition to information security and security breach risks.
  • Grouping vendors based on their levels of risk, also referred to as “vendor tiering,” across low-risk and high-risk levels.

Ongoing Risk Management

Ongoing monitoring of vendor performance to ensure their cybersecurity risks remain within defined risk tolerance levels - as calculated through your Third-Party Risk Management (TPRM) risk appetite.

Some processes commonly involved in the risk management phase include:

  • Real-time vendor risk profile monitoring for emerging vulnerabilities.
  • Evaluating the potential impact of discovered security risks.
  • Continuous monitoring for compliance requirement gaps - such as PCI DSS and HIPAA - and misalignment with cyber frameworks, such as NIST CSF and ISO 27001.
  • Ongoing monitoring of onboarded third-party vendors for emerging risks impacting your third-party risk appetite.
  • Risk management processes supporting the entire risk management workflow, from risk discovery to remediation and mitigation.
  • Ongoing stakeholder reporting to represent the VRM program’s impact on the company risk management strategy.
  • Security questionnaires for evaluating security controls and vendor regulatory compliance efforts.
  • Fourth-Party Risk Management for preventing supply chain cyber attack threats extending beyond third-party relationships.

Vendor Offboarding

Ensuring vendors safely exit your partnership pipeline without any residual access to your sensitive data.

Some processes commonly involved in the offboarding phase include:

  • Attack surface scanning to discover overlooked connections to discontinuing business operations.
  • Collaboration with compliance teams to ensure vendor relationships are safely terminated without violating data protection regulatory requirements, such as the GDPR.
  • Ensuring data privacy and data security policies are followed when revoking business relationships.

Refer to this example of a vendor risk assessment to understand how it's structured and the vendor risk data it depends on.

Step 2: Define a method for evaluating vendor security prior to onboarding

Though your final VRM lifecycle design depends on the third-party risk management goals specified by your stakeholders, it’s highly recommended to include a Vendor Due Diligence workflow within the onboarding phase.

Vendor onboarding workflow includes due diligence processes

Vendor Due Diligence ensures prospective vendors are sufficiently scrutinized for dangerous third-party risks that could lead to regulatory fines or data breaches shortly after onboarding - a common cybersecurity oversight likely responsible for most data breach events.

Commonly referred to as “Evidence Gathering,” due diligence for potential vendors involves collecting cybersecurity performance evidence from multiple sources to create a preliminary evaluation of their security posture.

These sources could include:

  • Cybersecurity certifications.
  • Completed security questionnaires.
  • Trust and security pages.
  • Non-invasive external attack surface scans.

Mapping to these different data sources without a streamlined strategy could quickly result in convoluted workflows that reduce the efficiency of your final risk assessment framework. To prevent this, aim to compress your data collection network, ideally by consolidating all pathways into a single security performance data exchange platform, such as Trust Exchange by UpGuard.



Once collected, security performance data for potential vendors should be fed through a mechanism for determining the severity of different types of vendor risks. While these calculations could be done manually by constructing a vendor risk matrix, for maximum efficiency, potential vendor security risks should be evaluated with security rating technology - an implementation that will concurrently support the processes in Step 4 of this framework.

Risk discovery on the UpGuard platform.

Establishing a sequence between evidence gathering and potential risk evaluation will also establish a means of determining which onboarded vendors will require full risk assessments throughout their relationship lifecycle.

Step 3: List all applicable regulatory standards you need to adhere to

Alignment with regulatory standards is non-negotiable, so your risk assessment framework should foundationally map to the regulations relevant to your business operations.

If you’re a service provider outsourcing digital processes, consider the impact your security risks could have on the regulatory compliance requirements of your business partners. You may need to account for these regulations in your compliance program.

You may need to adjust your security controls to minimize disruption to the compliance efforts of your business partners.

Below is a list of popular regulations that include a third-party risk management component. Each item is accompanied by a link to an UpGuard post outlining how to meet the regulation’s TPRM requirements.

Step 4: Establish a vendor risk calculation methodology

A vendor risk calculation methodology determines a third-party vendor's overall level of risk based on their completed risk assessment. There are two main approaches to third-party risk calculation: qualitative and quantitative.

Qualitative approach to vendor risk calculation

Qualitative vendor risk analysis uses a subjective framework for quickly representing vendor risk severity. This model could either represent third-party risk severity on a number scale (the higher the number, the higher the potential risk associated with the vendor) or graphically in a vendor risk matrix.

Here’s an example of a vendor risk matrix where vendors are distributed across a risk severity spectrum ranging from green (low risk) to red (high risk). Risk matrices could also indicate the business’s risk appetite and risk threshold, serving as an aid for securing the vendor onboarding workflow and a helpful resource for cybersecurity reports and dashboards.

Vendor risk matrix indicating risk tolerance band.

The qualitative method has the benefit of representing third-party risk exposure in a manner that’s generally easily understood by all parties, even those with limited cybersecurity knowledge - the usual context of stakeholder meetings. However, using this technique alone could produce a subjective representation of an organization’s vendor risk profile.

Quantitative approach to vendor risk calculation

Quantitative vendor risk analysis involves mathematical processes to produce an objective numerical calculation of a vendor’s overall risk exposure (or security posture). The final result of a quantitative analysis is usually represented as a security rating, ranging from 0 to a maximum value of 950.

A vendor's security rating is calculated by quantifying the total value of their security risks and subtracting that from a maximum rating of 950.
A high-level representation of the security rating algorithm on the UpGuard platform.

Which vendor risk analysis method should you choose?

To create a vendor risk assessment framework supporting a risk assessment program benefiting all involved parties, the simplicity and visual appeal of the qualitative method should be combined with the objectivity of the quantitative approach. This combination produces the most impactful Vendor Risk Management results on the UpGuard platform, as attested by many independent positive reviews on Gartner.

As an example of how these different risk representation styles could complement each other, here’s a third-party risk overview representing a business’s vendor distribution across a three-tiered criticality matrix, where risk severity is determined by security ratings.

Vendor Risk Overview snapshot on the UpGuard platform.

Step 5: Choose an appropriate vendor risk assessment framework 

Onboarded vendors flagged as "critical" through the risk calculation methodology in the previous step (which, at the very least, always includes vendors processing sensitive internal data) will need to undergo regular full risk assessments. A full risk assessment is one involving security questionnaires in addition to automated scanning methods.
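As an added illustration of the two calculation styles from Step 4 and the "critical vendors get full assessments" rule above, here is a small Python model (added here; it is not UpGuard's rating algorithm, whose weights the post does not give): a quantitative rating on the 0-950 scale, then a qualitative mapping onto a three-tier criticality matrix against a risk tolerance band. The severity weights, the tolerance band and the sample vendors are constructed assumptions.

```python
from dataclasses import dataclass

MAX_RATING = 950  # ceiling of the 0-950 security rating scale described in the post

# Constructed per-finding risk values; an assumption, not UpGuard's real weights.
SEVERITY_WEIGHTS = {"low": 10, "medium": 40, "high": 120, "critical": 300}


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool
    findings: list  # severities of findings from scans and questionnaires


def security_rating(findings):
    """Quantitative step: total the risk values and subtract from the 950 ceiling.

    The result is floored at 0 so a vendor with many findings cannot go negative.
    """
    unknown = [f for f in findings if f not in SEVERITY_WEIGHTS]
    if unknown:
        raise ValueError(f"unknown severities: {unknown}")
    total_risk = sum(SEVERITY_WEIGHTS[f] for f in findings)
    return max(0, MAX_RATING - total_risk)


def criticality_tier(rating, tolerance_band=(600, 800)):
    """Qualitative step: place the rating on a three-tier matrix.

    Below the tolerance band is 'critical', inside it 'medium', above it 'low'.
    The band itself is a constructed example of an organisation's risk tolerance.
    """
    low_edge, high_edge = tolerance_band
    if rating < low_edge:
        return "critical"
    if rating < high_edge:
        return "medium"
    return "low"


def assess(vendor, tolerance_band=(600, 800)):
    """Combine both views and decide whether a full risk assessment is required."""
    rating = security_rating(vendor.findings)
    tier = criticality_tier(rating, tolerance_band)
    # Vendors processing sensitive data are always treated as critical (Step 5).
    if vendor.handles_sensitive_data:
        tier = "critical"
    return {"vendor": vendor.name, "rating": rating, "tier": tier,
            "full_assessment_required": tier == "critical"}
```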

Vendor security questionnaires come in different themes, each mapping to a specific cybersecurity framework or regulation. Your primary choice of questionnaire depends on the security framework your organization has chosen to align with, such as NIST CSF version 2, SOC 2, or ISO 27001.

Assessing critical vendors against the standards of your cybersecurity framework will indicate areas of misalignment that could become attack vectors facilitating a data breach.


Besides tracking each vendor’s impact on your organization’s cyber framework, you should also assess for compliance gaps against any regulations impacted by a vendor relationship. This may require your vendor risk assessment framework to be adjusted for each vendor’s unique assessment requirements, meaning each vendor may require a unique set of questionnaires for their risk assessment.

See the example below of a vendor risk assessment consisting of two different security questionnaires.

A snapshot of the risk management phase of UpGuard’s vendor risk assessment workflow.


Any regulation questionnaires required for each vendor should be determined in step 3 of this process.

To give you an idea of the different questionnaire types that could comprise a vendor risk assessment framework, here’s a list of popular themes, all available on the UpGuard platform.

  • SIG Lite Questionnaire
  • ISO 27001 Questionnaire
  • CyberRisk Questionnaire
  • Higher Education Community Vendor Assessment Tool (HECVAT) Questionnaire
  • Health Insurance Portability and Accountability Act (HIPAA) Questionnaire
  • Short Form Questionnaire
  • SolarWinds Questionnaire
  • NIST Cybersecurity Framework Questionnaire
  • Apache Log4J - Critical Vulnerability Questionnaire
  • Kaseya Questionnaire
  • Security and Privacy Program Questionnaire
  • Web Application Security Questionnaire
  • PCI DSS Questionnaire
  • Modern Slavery Questionnaire
  • Pandemic Questionnaire
  • Infrastructure Security Questionnaire
  • Essential Eight Questionnaire
  • Physical and Data Centre Security Questionnaire
  • California Consumer Privacy Act (CCPA) Questionnaire
  • COBIT 5 Security Standard Questionnaire
  • ISA 62443-2-1:2009 Security Standard Questionnaire
  • ISA 62443-3-3:2013 Security Standard Questionnaire
  • GDPR Security Standard Questionnaire
  • CIS Controls 7.1 Security Standard Questionnaire
  • NIST SP 800-53 Rev. 4 Security Standard Questionnaire
  • Post Breach Questionnaire

Step 6: Establish notification workflow

Delayed vendor risk assessments are one of the leading causes of inefficient Vendor Risk Management programs. Beyond being notified when a risk assessment has been completed, notification triggers should be implemented in remediation workflows through project management integrations like Jira and Zapier. Keeping security teams aware of every new remediation task will ensure discovered risk exposures get addressed faster, ultimately resulting in faster risk assessment completion times.

An example of a JIRA integration for the UpGuard platform.

To further capitalize on the workflow efficiency improvements of a notification strategy, consider also implementing a means of streamlining vendor collaboration during questionnaire completions, a solution that isn't dependent on emails.


Consider implementing vendor risk assessment software

To expedite the implementation of your vendor risk assessment framework, consider implementing vendor risk assessment software. Trust Exchange is a free security questionnaire tool streamlining many of the complex processes typically involved in vendor risk assessments, including:

  • Security Questionnaire Completions - By leveraging AI technology and referencing a database of previously completed questionnaires, Trust Exchange completes repetitive questionnaires almost instantly.
  • Security Questionnaire Management - A centralized hub for storing all questionnaires to simplify referencing and streamline collaboration between multiple parties.
  • Shared Profile - A sharable overview of your cybersecurity posture that builds your security reputation and expedites onboarding with new business partners.
