CIOPages
Interactive Checklist

Third-Party Risk Management Checklist

Assess and monitor vendor security and compliance risks.

20 items

Critical items (marked ★) carry higher weight. Focus on Vendor Inventory and Contractual Controls first — these are foundational to managing third-party risk effectively.


Vendor Inventory & Classification

Know who your vendors are and how critical they are to operations.

1.1 A complete inventory of all third-party vendors, contractors, and SaaS providers is maintained and current. ★ Critical
1.2 Each vendor is classified by criticality tier (e.g., Tier 1 critical, Tier 2 important, Tier 3 low risk) based on data access and business impact. ★ Critical
1.3 Data flows to and from each vendor are documented, including data types, volumes, and storage locations.
1.4 Fourth-party (sub-processor) dependencies are identified for Tier 1 vendors.
1.5 A vendor owner is assigned for each Tier 1 and Tier 2 vendor with accountability for ongoing risk management.

Due Diligence & Assessment

Assess vendor risk before onboarding and at regular intervals.

2.1 A standardised security assessment questionnaire is used for all new Tier 1 and Tier 2 vendors.
2.2 Vendors handling sensitive data provide evidence of relevant certifications (SOC 2, ISO 27001, etc.). ★ Critical
2.3 Financial viability of critical vendors is assessed to mitigate concentration and continuity risk.
2.4 Vendor incident history and breach disclosures are reviewed as part of due diligence.
2.5 Assessment frequency is risk-tiered: Tier 1 annually, Tier 2 every 18–24 months, Tier 3 at renewal.

Contractual Controls

Ensure contracts enforce security, compliance, and exit requirements.

3.1 Contracts with Tier 1 vendors include security requirements, breach notification SLAs, and right-to-audit clauses. ★ Critical
3.2 Data processing agreements (DPAs) are in place for all vendors processing personal data.
3.3 Exit and transition clauses are defined, including data return/destruction and transition support.
3.4 Liability, indemnification, and cyber insurance requirements are defined for critical vendors.
3.5 SLAs include measurable uptime, performance, and security metrics with consequences for non-compliance.

Ongoing Monitoring

Continuously monitor vendor risk posture between formal assessments.

4.1 Continuous monitoring tools (e.g., security ratings services) are used for Tier 1 vendors.
4.2 Vendor security incidents and breaches trigger a reassessment process. ★ Critical
4.3 Third-party risk metrics (e.g., % of vendors assessed, overdue assessments, open findings) are reported to leadership.
4.4 Vendor offboarding includes access revocation, data return/destruction confirmation, and certificate of deletion.
4.5 Business continuity plans account for the failure or compromise of each Tier 1 vendor.
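The tier classification in item 1.2, the risk-tiered assessment cadence in item 2.5 and the leadership metrics in item 4.3 are the parts of this checklist that can be automated against a vendor inventory. The script below is an added example written for this page, not CIOPages' own tooling or template; the classification matrix, the reading of "18–24 months" as a conservative 540-day interval, and the vendor records are constructed assumptions.

```python
"""Tier-based vendor assessment tracking (added example, not from CIOPages)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def classify_tier(data_access: str, business_impact: str) -> int:
    """Assumed matrix for item 1.2: data_access is 'none' / 'internal' /
    'sensitive', business_impact is 'low' / 'medium' / 'high'.
    The cut-offs are a constructed policy, not CIOPages' guidance."""
    if business_impact == "high" or data_access == "sensitive":
        return 1
    if business_impact == "medium" or data_access == "internal":
        return 2
    return 3


# Item 2.5 cadence: Tier 1 annually, Tier 2 every 18-24 months (the
# conservative 18-month bound, approximated as 540 days), Tier 3 at renewal.
INTERVAL_DAYS: Dict[int, int] = {1: 365, 2: 540}


@dataclass
class Vendor:
    name: str
    tier: int
    last_assessed: Optional[date]          # None means never assessed
    renewal_date: Optional[date] = None    # drives Tier 3 "at renewal"
    open_findings: int = 0


def next_due(v: Vendor, today: date) -> Optional[date]:
    """Date the next assessment falls due, or None if no date applies."""
    if v.tier == 3:
        # Due at renewal unless an assessment already covered that renewal.
        if v.renewal_date is None:
            return None
        if v.last_assessed is not None and v.last_assessed >= v.renewal_date:
            return None
        return v.renewal_date
    if v.last_assessed is None:
        return today  # never assessed: due immediately
    return v.last_assessed + timedelta(days=INTERVAL_DAYS[v.tier])


def is_overdue(v: Vendor, today: date) -> bool:
    due = next_due(v, today)
    return due is not None and due <= today


def tprm_metrics(vendors: List[Vendor], today: date) -> dict:
    """Item 4.3 metrics: % assessed, overdue assessments, open findings."""
    total = len(vendors)
    assessed = sum(1 for v in vendors if v.last_assessed is not None)
    return {
        "vendors": total,
        "pct_assessed": round(100.0 * assessed / total, 1) if total else 0.0,
        "overdue": sorted(v.name for v in vendors if is_overdue(v, today)),
        "open_findings": sum(v.open_findings for v in vendors),
    }


# Constructed sample inventory; names and dates are invented for the example.
TODAY = date(2024, 6, 1)
VENDORS: List[Vendor] = [
    Vendor("payroll-saas", classify_tier("sensitive", "high"),
           date(2023, 3, 1), open_findings=2),          # Tier 1, overdue
    Vendor("cloud-hosting", classify_tier("sensitive", "high"),
           date(2024, 1, 15)),                          # Tier 1, current
    Vendor("marketing-analytics", classify_tier("internal", "medium"),
           date(2022, 10, 1), open_findings=1),         # Tier 2, overdue
    Vendor("office-catering", classify_tier("none", "low"),
           None, renewal_date=date(2024, 9, 1)),        # Tier 3, renewal ahead
    Vendor("stationery-supplier", classify_tier("none", "low"),
           date(2023, 1, 10), renewal_date=date(2024, 5, 1)),  # Tier 3, overdue
]

if __name__ == "__main__":
    for key, value in tprm_metrics(VENDORS, TODAY).items():
        print(f"{key}: {value}")
```

The overdue list is what a vendor owner (item 1.5) would be chased on, and the percentage assessed plus open findings are the figures that item 4.3 puts in front of leadership; a Tier 3 vendor with a future renewal date is deliberately not flagged, matching the "at renewal" cadence.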