Last updated
December 1, 2025

A third-party risk assessment is a key part of a Third-Party Risk Management (TPRM) program. It’s a thorough process for evaluating potential risks that an outside vendor or external party could pose to your organization. 

This comprehensive examination encompasses various risk categories, including operational, compliance, financial, reputational, and geographic risks.

A common tool used in this process is a security questionnaire. These questionnaires help create a gap analysis between the vendor’s security practices and the cybersecurity standards or regulatory requirements they need to meet. However, a third-party risk assessment is a much broader process that uses multiple data sources to build a complete picture of a vendor’s risk profile.

This post offers a detailed, six-step guide for conducting third-party risk assessments in cybersecurity.

Why Are Third-Party Risk Assessments Essential?

Simply put, third-party risk assessments are a non-negotiable part of modern business because they protect your organization from external threats that can lead to significant harm. 

In an era where most companies rely on a web of external vendors—from cloud providers and payment processors to marketing platforms—a vulnerability in one of those partners can quickly become your own.

Here's why these assessments are so critical:

  • Cybersecurity defense: Third-party risk assessments act as a proactive defense against cyberattacks. By scrutinizing a vendor’s security posture, you can identify weaknesses and require their remediation before an attacker exploits them. This protects you from potentially devastating events, such as data breaches, which can result in significant financial losses and legal action.
  • Regulatory compliance: Most modern data protection and privacy regulations, such as GDPR, HIPAA, and CCPA, hold organizations accountable not only for their own security but also for the security of their vendors. Failing to properly vet a third party can result in steep fines and legal penalties.
  • Business continuity and reputation: When a key vendor experiences an outage or a security incident, your business operations can grind to a halt. By assessing the operational and financial health of your vendors, you can ensure they can reliably deliver on their services, preventing costly disruptions and protecting your reputation with customers and partners.

Where does a third-party risk assessment fit in the TPRM lifecycle?

Third-party risk assessments identify potential security risks posed by third-party vendors and external parties. The requirement does not end at onboarding; it recurs across the three primary stages of the TPRM lifecycle, with a different depth of assessment at each:

  1. Vendor Onboarding: A high-level third-party risk assessment is conducted during the onboarding stage, with the primary objective of determining whether a new vendor’s risk profile aligns with the company’s defined third-party risk appetite.
  2. Ongoing Monitoring: Once onboarded, third-party vendors undergo periodic vendor risk assessments to track regulatory compliance efforts and ensure new risks are promptly detected and managed throughout each vendor lifecycle. Critical vendors, those processing highly sensitive internal data, undergo the most detailed degree of vendor assessments during the ongoing monitoring phase.
  3. Offboarding: Third-party risk assessments uncover the residual risks that remain when a vendor relationship is terminated, such as data the vendor still holds or access credentials that have not been revoked. They are also helpful for finding new cyber risks when renewing 


Critical third-party vendors must be prioritized in risk assessment programs: a compromise at one of them has the greatest potential impact on your organization, and the access they hold makes them attractive targets in supply chain attacks.

Full risk assessment vs. partial risk assessment

The scope of a third-party risk assessment depends on the criticality of the vendor being investigated. Third parties that require access to sensitive data, or that underpin the service levels you promise to clients, warrant a deeper investigation of the attack vectors they introduce.

Such third-party vendors (classified as “Critical” or “High-Risk” in a Vendor Risk Management program) require a full risk assessment, one involving security questionnaires mapping to applicable cybersecurity standards.

For all remaining third-party vendors, those that do not need access to sensitive parts of your IT ecosystem and are classified as “low-risk”, ongoing monitoring of automated attack surface scanning results will usually be a sufficient form of risk assessment. This lighter form is known as a partial risk assessment.

Full risk assessments apply to high-risk vendors and involve security questionnaires. Partial risk assessments apply to low-risk vendors with a degree of risk exposure that can be sufficiently tracked with automated risk scanning results.

Difference between a third-party risk assessment and a security questionnaire

A third-party risk assessment comprehensively evaluates the potential risks associated with each third-party vendor. Multiple data sources are referenced to form a complete picture of a vendor’s risk profile through a risk assessment.

A third-party risk assessment gathers risk insights across the following risk categories:

  1. Operational Risk: The level of risk a third-party vendor poses to the availability of an organization’s operations.
  2. Cybersecurity Risk: Any third-party risk impacting the confidentiality and integrity of an organization’s sensitive data and the systems that hold it.
  3. Compliance Risk: Vendor-related risks threatening alignment with regulatory standards.
  4. Financial Risk: Risks originating from vendors that could result in financial issues. These could stem from third-party operational risks and even data breach risks, which could have significant financial consequences—an impact that could be estimated through a process known as Cyber Risk Quantification.
  5. Reputational Risk: Any threats of reputational damage due to vendor behavior, such as questionable leadership decisions and data breaches.
  6. Geographic Risk: Any risks associated with a vendor’s location or the location of their data servers.

Security questionnaires are a specific tool within the risk assessment process. They are used to create a gap analysis between a vendor’s security posture and any regulatory requirements or cybersecurity frameworks they need to align with.

Popular industry standards and regulations that security questionnaires map to include ISO 27001, PCI DSS, GDPR, and HIPAA.

For more questionnaire template examples, see the list of questionnaires available on the UpGuard platform.

Third-party risk assessments are broad and comprehensive, covering multiple dimensions of risk. Security questionnaires collect information about specific security practices and regulatory compliance efforts.

6-step guide to completing third-party risk assessments

The following six-step guide will help you design the most comprehensive third-party risk assessment process.

Step 1: Identify your “critical” third-party vendors

Every third-party risk assessment process must prioritize critical vendors. These are the vendors with the highest potential impact on your organization due to the sensitivity of the data they handle, their operational importance, or their direct influence on your business continuity.

The level of a vendor's criticality is not always obvious and can vary significantly across different industries. Here are some examples of industry-specific challenges in identifying critical vendors:

  • Healthcare: A healthcare organization's most critical vendors are often those that handle Protected Health Information (PHI). This includes not only electronic health record (EHR) providers but also cloud services that store patient data, telemedicine platforms, and even billing services. A breach at any of these vendors could lead to a massive data leak and severe legal penalties under HIPAA.
  • Financial services: In the finance sector, criticality extends beyond just banking or payment systems. Many firms use a wide array of SaaS (Software as a Service) tools for customer relationship management, internal communications, and even HR. While an individual tool might seem low-risk, if it provides access to sensitive financial data or is integral to a core business process, it must be treated as a critical vendor.
  • Retail: Retailers, particularly those with e-commerce operations, must identify critical vendors that are essential to their supply chain and customer experience. A third-party logistics (3PL) provider that handles all their e-commerce fulfillment and shipping is a prime example. If this vendor's system is compromised, it could bring the entire business to a standstill, resulting in significant financial losses and reputational damage.

To identify these vendors, use two primary methods: a relationship questionnaire and superficial attack surface scanning. Both belong to the onboarding stage of the TPRM workflow. The questionnaire gathers high-level intelligence about a vendor's services and data handling, while the scan uncovers potential security risks on their public-facing attack surface.

Relationship questionnaire

A relationship questionnaire gathers high-level intelligence about a vendor’s services, data security, and data handling practices.

Here’s a very simplified example of some of the information a relationship questionnaire could cover:

  • Vendor Name: ______________________
  • Description of Services Provided: ______________________
  • Types of Data Accessed:
    • Customer Data [ ]
    • Financial Data [ ]
    • Health Information [ ]
    • Intellectual Property [ ]
  • Operational Criticality:
    • High [ ]
    • Medium [ ]
    • Low [ ]
  • Regulatory Compliance Requirements:
    • GDPR [ ]
    • HIPAA [ ]
    • PCI DSS [ ]
  • History of Data Breaches or Security Incidents:
    • No [ ]
    • Yes [ ]
      • If Yes, please provide details: ______________________

Superficial attack surface scanning

Superficial attack surface scanning, performed during due diligence and onboarding, identifies likely security risks across the domains, IP addresses, and services that make up a vendor’s internet-facing attack surface. It is unauthenticated and runs from outside the vendor’s environment, so it needs no cooperation from the vendor, but for the same reason it only sees what is exposed publicly.

Vendor security risks detected through automated scans on the UpGuard platform

This practice is the first stage of a complete cybersecurity discipline known as Attack Surface Management.
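The checks below are an added example, not UpGuard’s scanner and not code from the original page. They show the kind of unauthenticated findings a superficial scan records for a single vendor host: missing browser security headers, cookie flags, version disclosure in the Server banner, deprecated TLS, and certificate expiry. The hostname, headers, certificate date, scan date and severity labels are constructed assumptions, and the code evaluates a captured scan record rather than contacting the host, so it runs offline.

```python
"""Passive checks of the kind a superficial attack surface scan performs on a
vendor's public host.  Added example (not UpGuard's scanner); the sample scan
record is constructed, so everything runs offline."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed scan record for one hostname: every value is an assumption.
SAMPLE_SITE = {
    "hostname": "portal.vendor-example.test",
    "headers": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "Set-Cookie": "session=abc123; Path=/",
        "X-Content-Type-Options": "nosniff",
    },
    "tls": {"protocol": "TLSv1.0", "not_after": "2026-01-10T00:00:00+00:00"},
}
SCAN_TIME = datetime(2025, 12, 20, tzinfo=timezone.utc)  # assumed scan date

# Response headers whose absence is reported, with the exposure each one closes.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers are not pinned to HTTPS",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}
DEPRECATED_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def check_site(site: dict, now: datetime) -> list[dict]:
    """Return findings (check, severity, detail) for one scanned host."""
    headers = {k.lower(): v for k, v in site["headers"].items()}
    findings: list[dict] = []

    def report(check: str, severity: str, detail: str) -> None:
        findings.append({"check": check, "severity": severity, "detail": detail})

    for name, detail in REQUIRED_HEADERS.items():
        if name not in headers:
            report(name, "medium", detail)

    # Cookie attributes follow the first name=value pair, separated by ';'.
    cookie = headers.get("set-cookie", "")
    if cookie:
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                report(f"cookie-{flag}", "medium", f"Session cookie lacks the {flag} attribute")

    # A version in the Server banner lets an attacker pick exploits without probing.
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        report("server-banner", "low", f"Server header discloses a version: {server}")

    tls = site["tls"]
    if tls["protocol"] in DEPRECATED_TLS:
        report("tls-version", "high", f"Deprecated protocol negotiated: {tls['protocol']}")
    days_left = (datetime.fromisoformat(tls["not_after"]) - now).days
    if days_left < 0:
        report("cert-expired", "high", f"Certificate expired {-days_left} days ago")
    elif days_left < 30:
        report("cert-expiring", "medium", f"Certificate expires in {days_left} days")
    return findings


def highest_severity(findings: list[dict]) -> str:
    """Worst severity across the findings, or 'none' for a clean host."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")


def scan_sample() -> list[dict]:
    """Run the checks against the constructed record at the assumed scan time."""
    return check_site(SAMPLE_SITE, SCAN_TIME)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['severity']:6}] {f['check']}: {f['detail']}")
```

Run against the constructed record, the host produces seven findings, the worst of which (TLS 1.0 still negotiated) is enough on its own to flag the vendor for the deeper, questionnaire-based assessment described below. A real scan repeats these checks for every hostname attributed to the vendor and stores the results so that later scans can be diffed against them.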


Additional due diligence data gathering

Collectively, the data gathered through relationship questionnaires and superficial scanning results should provide the baseline of risk exposure data required to decide which third-party vendors should be flagged as “Critical” and prioritized in risk assessment processes. However, this evidence-gathering process can be improved in terms of efficiency and depth of detail with a tool such as Trust Exchange by UpGuard.

Trust Exchange is a free tool that supports the seamless exchange of third-party security posture data between vendors and their business partners, simplifying and expediting third-party risk assessments.


EXAMPLE OF A COMPLETED EVIDENCE-GATHERING PROCESS

The following is an example of the type of data that could be collected during the evidence-gathering process. 

Not all data collection categories in this list are applicable to all TPRM use cases.

Vendor: XYZ Solutions

  1. Documentation collected (for example, security policies, certifications and audit reports supplied by the vendor)
  2. Security scan:
    • Vulnerability scan revealed outdated software versions on several servers.
  3. Questionnaire responses:
    • Detailed responses to a PCI DSS compliance questionnaire highlighted strong encryption practices but noted a lack of regular employee security training.
  4. Historical data review:
    • No significant data breaches reported in the past three years.
    • A compliance issue was noted two years ago but has since been resolved.
  5. Stakeholder interviews:
    • Vendor’s CISO emphasized ongoing efforts to enhance security training programs.
    • Internal stakeholders expressed satisfaction with the vendor’s responsiveness and incident handling.
  6. On-site visit:
    • Observed robust physical security controls, including access controls and surveillance systems in server rooms.
    • Noted that some employees were not following documented security procedures, indicating a need for improved internal enforcement.

Step 2: Separate “critical” vendors

After identifying all of your third-party vendors, it's crucial to categorize them into different tiers based on their level of risk and importance in your Vendor Risk Management platform. This strategic approach, known as vendor tiering, allows you to allocate your limited resources where they can have the greatest impact—on your highest-risk vendors.

Though common risk factors are prioritized, such as access to sensitive data and business continuity, emerging risks and concerns must also be considered in your classification process.

  • Emerging Risks (ESG Factors): Environmental, social, and governance (ESG) factors are increasingly important. A vendor's poor environmental record, unsafe labor practices, or questionable corporate governance can pose a significant risk to your reputation and brand. For example, if a key supplier is found to be using child labor, it could lead to a public outcry, consumer boycotts, and a loss of investor confidence. Integrating ESG criteria into your risk assessments is no longer a "nice-to-have" but a strategic necessity.
  • Fourth-Party Risk: It's also vital to consider the risks posed by your vendors' vendors, known as fourth-party risk. A vendor may have a strong security posture, but if they rely on a sub-vendor with weak controls, your organization could still be exposed. This creates a supply chain vulnerability that needs to be factored into your tiering strategy, especially for vendors that are highly critical to your operations.

Vendor tiering optimizes the allocation of TPRM resources, focusing efforts on where they have the greatest impact - on high-risk vendors with the greatest influence on your security posture.

A basic vendor tiering structure typically includes:

  • Tier 1 (Critical vendors): Vendors that have the highest potential impact on your business due to data access, operational importance, or regulatory requirements. These require the most rigorous monitoring.
  • Tier 2 (Important vendors): Vendors that are important but not critical. They pose a moderate risk and require regular oversight.
  • Tier 3 (Low-Risk vendors): Vendors with minimal impact or risk, requiring only basic monitoring and periodic reviews.

Determining tiering levels requires a methodology for estimating risk impact. For support with this effort, refer to this post explaining vendor risk assessment matrices.

Vendor risk matrix

Here’s an example of four criteria governing a vendor tiering strategy:

  • Access to Sensitive Data: Does the vendor have access to sensitive data, including personal, financial, or proprietary information?
  • Business Continuity Impact: How critical is the vendor’s service to the continuity of your operations?
  • Regulatory Compliance: Is the vendor subject to stringent regulatory requirements (e.g., GDPR, HIPAA)?
  • Financial Stability: What is the financial health of the vendor?

Here is an example of a completed vendor tiering strategy, accompanied by overviews that explain the reasons behind each tiering decision.

  • Tier 1 (Critical Vendors):
    • Vendor A: Handles sensitive financial data, which is crucial for payment processing. Subject to PCI DSS.
    • Vendor B: Provides critical IT infrastructure services. Significant impact on business continuity.
  • Tier 2 (Important Vendors):
    • Vendor C: Provides marketing services with access to non-sensitive customer data. Subject to GDPR.
    • Vendor D: Supplies office equipment. Moderate impact on operations.
  • Tier 3 (Low-Risk Vendors):
    • Vendor E: Provides janitorial services. Minimal impact on business continuity and no access to sensitive data.
    • Vendor F: Supplies office stationery. Low risk and minimal impact.
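The tiering logic below is an added example, not UpGuard’s methodology and not code from the original page. It encodes the four criteria above (sensitive data access, business continuity impact, regulatory scope, financial stability) as explicit rules, returns the reason for each placement so the decision is auditable, and maps the tier to the full or partial assessment scope described earlier. The rules, the handling of financial instability, the treatment of Tier 2 as full scope, and the Vendor A to F profiles are assumptions chosen to reproduce the placements listed above.

```python
"""Vendor tiering from the four Step 2 criteria.  Added example, not UpGuard's
methodology: the placement rules are assumptions chosen to reproduce the
Tier 1/2/3 decisions for Vendors A-F on this page."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    name: str
    sensitive_data: bool      # access to personal, financial or proprietary data
    continuity_impact: str    # "high", "medium" or "low"
    regulated: bool           # subject to GDPR, HIPAA, PCI DSS or similar
    financially_stable: bool  # outcome of the financial-health review


def tier_for(v: VendorProfile) -> tuple[int, str]:
    """Return (tier, reason).  Rules apply in priority order; all are assumptions."""
    if v.continuity_impact == "high":
        tier, reason = 1, "an outage of this service would halt operations"
    elif v.sensitive_data and v.regulated:
        tier, reason = 1, "handles sensitive data under a regulatory regime"
    elif v.sensitive_data or v.regulated or v.continuity_impact == "medium":
        tier, reason = 2, "moderate data access, compliance scope or operational impact"
    else:
        tier, reason = 3, "no sensitive data and minimal operational impact"
    # A vendor in financial distress is a continuity risk whatever its data
    # access, so it moves up one tier (assumed rule, never above Tier 1).
    if not v.financially_stable and tier > 1:
        tier -= 1
        reason += "; raised one tier for financial instability"
    return tier, reason


def assessment_scope(tier: int) -> str:
    """Full (questionnaire-based) versus partial (scan-only) assessment, as
    described under 'Full risk assessment vs. partial risk assessment'.
    Treating Tier 2 as full scope is an assumption."""
    return "full" if tier <= 2 else "partial"


# Constructed portfolio mirroring the Vendor A-F examples above.
PORTFOLIO = [
    VendorProfile("Vendor A (payment processing)", True, "high", True, True),
    VendorProfile("Vendor B (IT infrastructure)", False, "high", False, True),
    VendorProfile("Vendor C (marketing)", False, "low", True, True),
    VendorProfile("Vendor D (office equipment)", False, "medium", False, True),
    VendorProfile("Vendor E (janitorial)", False, "low", False, True),
    VendorProfile("Vendor F (stationery)", False, "low", False, True),
]


def tier_portfolio(vendors: list[VendorProfile] = PORTFOLIO) -> dict[int, list[str]]:
    """Group vendor names by tier so Tier 1 assessments can be scheduled first."""
    grouped: dict[int, list[str]] = {1: [], 2: [], 3: []}
    for v in vendors:
        grouped[tier_for(v)[0]].append(v.name)
    return grouped


if __name__ == "__main__":
    for v in PORTFOLIO:
        tier, reason = tier_for(v)
        print(f"Tier {tier} ({assessment_scope(tier)}): {v.name}: {reason}")
```

Keeping the rules as ordered, named conditions rather than a single weighted score makes it easy to explain to an auditor why a vendor landed where it did, and to change one rule (for example, treating fourth-party exposure as a promotion criterion) without re-tuning every weight.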

Step 3: Determine which regulations apply to each third-party vendor

Regulatory compliance is a major driver of third-party risk assessments. Each industry has its own set of regulations designed to protect consumer data, ensure financial integrity, and maintain patient privacy. 

Regulatory risks arise from misalignment with regulatory standards, primarily due to poor cybersecurity practices. Compliance with regulations governing your business is directly impacted by the security postures of your vendors, which is why a growing number of regulations are increasing their emphasis on Third-Party Risk Management.

A thorough assessment must identify and verify a vendor's compliance with these standards, as any failure on their part can expose your organization to significant fines and legal action.

  • HIPAA (Healthcare): The Health Insurance Portability and Accountability Act sets the standard for protecting sensitive patient data. Any vendor that creates, receives, stores, or transmits Protected Health Information (PHI) on a healthcare organization's behalf, from cloud storage providers to electronic health record (EHR) platforms, is a business associate under HIPAA. Such vendors must sign a Business Associate Agreement (BAA) and implement the administrative, physical, and technical safeguards of the HIPAA Security Rule.
  • PCI DSS (Retail): The Payment Card Industry Data Security Standard applies to any organization that stores, processes, or transmits payment card data. It is an industry standard enforced through card brand and acquirer contracts rather than a law, but the consequences of non-compliance (fines, higher transaction fees, loss of card acceptance) are real. For retailers, this means that their e-commerce platforms, payment gateways, and any other third parties that handle cardholder data must be validated as PCI DSS compliant, normally evidenced by a current Attestation of Compliance (AOC).
  • SOX (Financial services and other public companies): The Sarbanes-Oxley Act was created to protect investors from fraudulent financial reporting by corporations. It applies to companies publicly traded in the United States, not only to financial services firms, and Section 404 requires management to maintain and assess internal control over financial reporting. Vendors whose systems or services feed that reporting, such as financial software providers, payroll processors, and outsourced accounting, fall within the scope of those controls; a SOC 1 report is the usual evidence that the vendor's relevant controls are designed and operating effectively.

Ideally, all primary regulations applicable to each third-party vendor will be determined in Step 1 of this process, either through the submission of relationship questionnaires or the collection of compliance data through the Trust Exchange platform. The objective of this step is to ensure that all applicable regulations, whether stemming from the vendor’s industry or your own, are not overlooked.

All regulations impacting a vendor will determine the set of third-party security questionnaires that must be included in their risk assessment.

Each applicable regulation is likely to have specific cybersecurity standards that will need to be scrutinized with dedicated questionnaires. For example:

  • PCI DSS security questionnaire: For vendors handling cardholder data, this questionnaire uncovers details about encryption of stored and transmitted card data, access control, and transaction and log monitoring.
  • GDPR compliance questionnaire: For vendors processing personal data of individuals in the EU/EEA, this questionnaire uncovers details about data handling practices, lawful basis and consent mechanisms, international transfers, and technical and organizational data protection measures.
  • HIPAA compliance questionnaire: For vendors acting as business associates, this questionnaire uncovers issues relating to the protection of Protected Health Information (PHI).

Understanding and mapping these regulations to each vendor is a key step in assembling the security questionnaires and audits that form the core of your assessment. It ensures that every question you ask is relevant and traceable to a requirement, so vendors are not burdened with questions that do not apply to them.

Step 4: Identify primary risks associated with each third-party vendor

A third-party risk assessment is a strategic exercise that identifies and prioritizes the most significant risks posed by your vendors. This step involves using the information gathered from your initial due diligence to create a detailed risk profile for each vendor.

One of the most effective strategies to streamline this process is to integrate your risk assessments into existing IT systems and workflows. Instead of managing assessments through scattered emails and spreadsheets, a centralized platform can automate data collection and analysis, streamlining the process.

  • GRC Platforms: Governance, risk, and compliance (GRC) platforms are powerful tools for managing these aspects. They can automatically send out questionnaires, track responses, and map a vendor's security controls to multiple regulatory frameworks at once. This saves a tremendous amount of time and ensures that your risk data is always centralized and auditable.
  • Vendor Portals: A dedicated vendor portal provides a secure, single-pane-of-glass environment for vendors to submit their documentation, respond to questionnaires, and communicate with your team. This eliminates the need for email attachments, ensuring that all information is properly logged and stored.
  • API Integration: For a more advanced approach, you can use APIs to integrate your risk assessments with other security and IT tools. This enables automated data collection from sources such as threat intelligence feeds, continuous monitoring platforms, and public breach databases.

By integrating these assessments into your IT workflows, you can move from a reactive to a proactive risk management posture, ensuring that you're always one step ahead of potential threats.

The risk exposure data gathered up to this point should be sufficient for you to determine the likely risks associated with each vendor and their degree of severity. Remember, this effort doesn’t need to be detailed; the risk assessment performed in the next step should elevate the level of detail in cyber risk data to a sufficient level. The purpose of this step is to estimate the likely degree of effort required for each risk assessment.

EXAMPLE OF A DRAFT THIRD-PARTY VENDOR RISK EXPOSURE PROFILE

Vendor: ABC Corp

  1. Operational Risks:
    • Risk: System failure due to outdated infrastructure
    • Likelihood: Medium
    • Impact: High
    • Mitigation: Regular maintenance and upgrades
  2. Financial Risks:
    • Risk: Financial instability due to high debt
    • Likelihood: Low
    • Impact: Medium
    • Mitigation: Financial health monitoring
  3. Compliance Risks:
    • Risk: Non-compliance with GDPR
    • Likelihood: High
    • Impact: High
    • Mitigation: Regular compliance audits
  4. Data/Privacy Risks:
    • Risk: Data breach due to insufficient encryption
    • Likelihood: Medium
    • Impact: High
    • Mitigation: Implementation of robust encryption protocols
  5. Reputational Risks:
    • Risk: Negative publicity from a previous breach
    • Likelihood: Low
    • Impact: High
    • Mitigation: PR management and improved security measures
  6. Geographic Risks:
    • Risk: Regulatory changes in the operating region
    • Likelihood: Medium
    • Impact: Medium
    • Mitigation: Regular monitoring of local regulations
  7. Supply Chain Risks:
    • Risk: Disruption due to subcontractor failure
    • Likelihood: Medium
    • Impact: High
    • Mitigation: Vetting and monitoring of subcontractors
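The scoring below is an added example, not UpGuard’s risk model and not code from the original page. It takes the ABC Corp draft profile above, scores each risk on a 3x3 likelihood/impact matrix, ranks the register, and turns the result into the assessment-effort estimate this step is meant to produce. The matrix values, the rating bands, and the effort rule are assumptions; the seven risks and their likelihood and impact levels are copied from the profile above.

```python
"""Score and rank a draft risk exposure profile with a 3x3 likelihood/impact
matrix.  Added example, not UpGuard's scoring model: the band thresholds and the
effort rule are assumptions; the risks are the ABC Corp entries from this page."""
from __future__ import annotations

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Constructed copy of the ABC Corp profile: (category, risk, likelihood, impact).
ABC_CORP_PROFILE = [
    ("Operational", "System failure due to outdated infrastructure", "Medium", "High"),
    ("Financial", "Financial instability due to high debt", "Low", "Medium"),
    ("Compliance", "Non-compliance with GDPR", "High", "High"),
    ("Data/Privacy", "Data breach due to insufficient encryption", "Medium", "High"),
    ("Reputational", "Negative publicity from a previous breach", "Low", "High"),
    ("Geographic", "Regulatory changes in the operating region", "Medium", "Medium"),
    ("Supply Chain", "Disruption due to subcontractor failure", "Medium", "High"),
]


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood x impact on a 1-3 scale, giving 1..9."""
    return LEVEL[likelihood] * LEVEL[impact]


def rating(score: int) -> str:
    """Band a score; the thresholds are assumptions, tune them to your risk appetite."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def rank_profile(profile: list[tuple] = ABC_CORP_PROFILE) -> list[dict]:
    """Ordered risk register, highest score first; ties keep the profile's order."""
    rows = []
    for category, risk, likelihood, impact in profile:
        score = risk_score(likelihood, impact)
        rows.append({"category": category, "risk": risk,
                     "score": score, "rating": rating(score)})
    return sorted(rows, key=lambda row: -row["score"])  # sorted() is stable


def assessment_effort(register: list[dict]) -> str:
    """Estimate how deep the Step 5 assessment needs to go (assumed rule:
    any critical risk, or three or more high risks, means an extensive review)."""
    highs = sum(1 for row in register if row["score"] >= 6)
    if any(row["rating"] == "critical" for row in register) or highs >= 3:
        return "extensive"
    if highs >= 1:
        return "standard"
    return "light"


if __name__ == "__main__":
    register = rank_profile()
    for row in register:
        print(f"{row['score']:>2} {row['rating']:<9} {row['category']}: {row['risk']}")
    print("assessment effort:", assessment_effort(register))
```

For ABC Corp the GDPR non-compliance risk scores 9 and three further risks score 6, so the vendor is flagged for an extensive assessment; the ranked register also tells you which dedicated questionnaires (here, a GDPR questionnaire first) to put at the front of the pack sent in Step 5.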

For more examples of high-level vendor risk evaluations in different risk contexts, refer to this post on Vendor Risk Management examples.

Establishing a draft third-party risk exposure profile informs the level of focus of subsequent risk assessment activities.

Step 5: Send third-party risk assessments

The fifth step is to send the assessment itself. Each one contains a unique set of questionnaires and audit requirements, tailored to the vendor's tier (Step 2) and regulatory obligations (Step 3). The assessment process doesn't end once the vendor submits their responses, however; a third-party risk strategy is only effective with continuous monitoring.

  • Continuous monitoring: An initial risk assessment is a snapshot of a vendor's security posture at a single point in time, but vulnerabilities and threats evolve. Continuous monitoring tracks a vendor's security, performance, and compliance so that new risks are identified as they emerge, typically with automated tools that scan for vulnerabilities, watch for data breach disclosures, and track changes in the vendor’s public-facing attack surface.
  • Re-assessment triggers: Beyond automated monitoring, define specific triggers for re-assessing a vendor: a major security incident at the vendor, a significant change in the services or data they handle, or a new regulation that affects your business.
  • Performance tracking: To measure the effectiveness of your risk program, track key risk indicators (KRIs) such as a vendor's average time to patch a critical vulnerability, the number of security incidents they report, or the results of their most recent compliance audit.

For a more detailed overview of what’s included in a risk assessment, refer to this vendor risk assessment example.

A risk assessment containing two questionnaire types, collectively mapping to web application security risks and the standards of ISO 27001.


Step 6: Collaborate efficiently with third-party vendors to expedite assessment completion

The final step in the third-party risk assessment process is often the most challenging: collaborating with vendors to complete the assessment. Inefficient communication and a lack of clear workflows are among the leading causes of delayed vendor risk assessments, leaving your organization exposed to unmitigated risks.

Every third-party risk management strategy should be supported by streamlined vendor collaboration workflows, ideally consolidated within your TPRM solution and not dispersed across multiple email chains.

Streamlining vendor collaboration is essential for a scalable risk management program. 


Modern platforms and best practices can help improve turnaround times and foster stronger relationships with your vendors.

  • Case Studies in Success: One company, for example, used an automated platform to manage its vendor assessments. The platform created a centralized workflow that automatically sent out questionnaires, tracked completion progress in real-time, and sent automated reminders to vendors. This shift from manual emails and spreadsheets to an automated system reduced the average assessment turnaround time by 40%, significantly improving their overall security posture.
  • Communication Best Practices: Effective communication is key. To improve collaboration, organizations should:
    • Provide a Single Point of Contact: Assign a dedicated risk manager to each critical vendor to answer questions and provide support, preventing confusion and delays.
    • Offer Clear Instructions: When sending a questionnaire, provide a clear and easy-to-understand guide on how to complete it, along with the required documentation.
    • Be a Partner, Not an Auditor: Frame the assessment as a collaborative effort to enhance the security of both parties. Offer to share insights and best practices from your own security team to build a relationship based on trust.

By treating the assessment as a two-way street, you can transform a tedious, administrative task into a valuable opportunity to build a more resilient and secure supply chain.

Collaboration workflows should cater to all parties involved in service provider security questionnaire completions.

Third-party vendor collaborations are primarily required during security questionnaire completions when clarification is needed the most.
