Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

Third-Party Vendor Risk Management

Why vendor risk is required by nearly every major compliance framework, and a practical program structure for inventorying, tiering, and monitoring vendor risk on an ongoing basis.

6 min read

Nearly every major compliance framework requires an organization to manage the risk introduced by its vendors — and nearly every organization manages it less rigorously than any other control category. Vendors quietly accumulate access to systems and data over years of onboarding, with due diligence performed once, if at all, and rarely revisited. This article covers why vendor risk is such a consistently under-managed requirement, and lays out a practical program structure: inventory, tiering, proportionate due diligence, contract terms, and ongoing monitoring.

Why vendor risk is required everywhere but managed poorly

Vendor (or third-party) risk appears as a named control category in essentially every framework an organization is likely to encounter, each with its own framing:

How major frameworks require vendor risk management
FrameworkVendor risk requirement
SOC 2Vendor and subprocessor management is evaluated as part of the Security criterion, including how the organization assesses and monitors vendors with access to in-scope systems
HIPAABusiness Associate Agreements (BAAs) are required with any vendor that creates, receives, maintains, or transmits protected health information on the organization's behalf
PCI DSSService providers handling cardholder data must meet specific requirements, and the organization remains responsible for validating that its providers do
ISO 27001Supplier relationships are an explicit control domain (Annex A), covering security requirements in supplier agreements and ongoing monitoring
NIST 800-171Flow-down requirements obligate an organization to ensure subcontractors handling covered information meet equivalent security requirements

Despite this near-universal requirement, vendor risk is consistently one of the weakest-managed control categories in practice. The reasons are structural: vendor relationships accumulate gradually, often started by a business unit without security or compliance involved at all; due diligence, if performed, tends to happen once at onboarding and is rarely revisited; and there is usually no single person accountable for the full vendor population, only fragmented ownership across whichever team originally brought each vendor on board.

Vendor risk is inherited, not contained

A vendor's security failure becomes the organization's incident, regardless of whose infrastructure the failure originated on — customers, regulators, and insurers generally don't distinguish between a breach caused directly and one introduced through a vendor with excessive access and no oversight.

A practical vendor risk program structure

1

Inventory Vendors

Catalog every third party with system or data access

2

Tier by Risk

Rank vendors by data sensitivity and access level

3

Due Diligence

Security questionnaire, SOC 2 / certification review

4

Contract Terms

Data protection and breach notification clauses

5

Ongoing Monitoring

Periodic reassessment across the relationship lifecycle

Vendor risk isn't a one-time questionnaire — tiering by risk up front determines how much due diligence and ongoing monitoring each relationship actually needs.

Inventory every vendor with data or system access

The starting point is a complete list — not just the vendors that come to mind, but every vendor with access to organizational data or systems, including smaller tools brought in outside a formal procurement process. An inventory that only covers vendors someone remembers to add is not a real inventory; it needs an owner responsible for keeping it current as new vendors are onboarded.

Tier vendors by risk

Not every vendor warrants the same scrutiny, and treating them identically wastes effort on low-risk vendors while under-scrutinizing high-risk ones. Tiering should be based on two factors: the sensitivity of the data the vendor can access, and the depth of system access it holds.

Example vendor risk tiering
TierExampleTypical scrutiny
HighPayroll processor, EHR vendor, IT managed service provider with admin accessFull security questionnaire, contract review, annual reassessment, evidence of the vendor's own compliance posture
MediumMarketing platform with customer contact data, HR softwareStandard questionnaire, contract terms review, periodic reassessment
LowStock-photo subscription, single-purpose SaaS tool with no sensitive data accessLightweight review at onboarding, no ongoing deep-dive required

Apply proportionate due diligence

Due diligence effort should scale with the tier — a payroll processor handling employee financial and personal data needs deep scrutiny (security certifications, breach history, subprocessor list, contract terms), while a stock-photo subscription with no data access needs essentially none. Applying the same heavyweight questionnaire to every vendor regardless of risk both slows down low-risk onboarding unnecessarily and, paradoxically, tends to reduce the actual rigor applied to high-risk vendors, since reviewers burn out on volume rather than focusing where it matters.

Require specific contract terms

Due diligence at onboarding only establishes a point-in-time picture; the contract is what defines the organization's ongoing rights and the vendor's ongoing obligations. Key terms to require, proportionate to the vendor's tier:

  • Data protection obligations specifying how the vendor secures and uses the organization's data.
  • Breach notification timelines — a specific, contractually binding window (commonly 24-72 hours) for the vendor to notify the organization of any security incident affecting its data, not just "prompt" or "reasonable" notification.
  • Right-to-audit provisions allowing the organization (or its assessor) to review the vendor's security posture, particularly for high-tier vendors.

Monitor on an ongoing basis

Vendor risk isn't static — a vendor's security posture, subprocessor relationships, and financial stability can all change after onboarding, and a vendor that was low-risk at signing can become higher-risk over time as its access expands or its own security posture degrades. Ongoing monitoring, proportionate to tier, might include an annual reassessment questionnaire for high-tier vendors, monitoring for public breach disclosures, and a defined trigger (contract renewal, access expansion, or a reported incident) for revisiting the risk tier itself.

Common mistakes

  • Only conducting due diligence at initial vendor onboarding with no ongoing reassessment. A vendor's risk profile at signing doesn't hold indefinitely; without periodic reassessment, the organization is relying on a picture that may be years out of date.
  • Treating every vendor with the same level of scrutiny regardless of risk tier. This either overloads the review process for low-risk vendors or, more dangerously, under-scrutinizes high-risk ones because reviewers are stretched thin across too many low-value reviews.
  • Letting business units onboard vendors outside the formal review process. A vendor brought in directly by a department, without compliance or IT visibility, is effectively invisible to the vendor risk program until an incident or audit surfaces it.
  • Signing vendor contracts without specific breach notification and data protection terms. Generic or missing language here leaves the organization with no contractual recourse or visibility if the vendor has an incident.

FAQ

How many vendors should realistically need the deepest level of scrutiny? Typically a small fraction of the full vendor population — the vendors with access to the most sensitive data or the deepest system access. Tiering exists specifically to concentrate effort on that smaller set rather than spreading it evenly across every vendor relationship.

What's the fastest way to build an initial vendor inventory if one doesn't exist today? Cross-reference accounts payable records, active integrations and API connections, and single sign-on application lists — between those three sources, most active vendors with meaningful access surface quickly, even without a formal procurement history to draw from.

Does a small business really need a formal vendor risk program? The formality can scale down, but the underlying discipline — knowing which vendors have access to what, and revisiting that periodically — matters regardless of size, since a single high-risk vendor relationship can expose a small business just as significantly as a large one, often more so given fewer compensating controls.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT