Vendor Risk Management Checklist

Last updated by Abi Tyas Tunggal on May 19, 2020


Vendor risk management (VRM) is a broad category that encompasses all measures that your organization can take to prevent data breaches and ensure business continuity. Legal issues, past performance, and creditworthiness are some of the common VRM issues that all companies review frequently. Additionally, cybersecurity and the reduction of third-party security risks are increasingly important.

An efficient vendor risk management audit process ensures that your vendor assessment process stays current, protects sensitive information, and improves your organization's risk management process.

For organizations to truly be protected they must audit and continuously monitor not only their third-party relationships, but also the standards, regulations, and best practices they use as the foundation of their third-party risk management framework.

That's why we've put together this vendor risk management checklist to help you develop a robust vendor risk management program.


What are the steps in a vendor management audit?

Any successful audit begins with establishing an audit trail. This includes the third-party risk assessment framework and the operating model, the living documents that guide the process, as well as a categorization of vendors based on a security risk assessment that uses an approved methodology.

Next, organizations must supply vendor report reviews that prove ongoing governance throughout the vendor lifecycle.

What should the third-party risk assessment framework and methodology documentation contain?

Before you can assess a third-party vendor or establish your operating model, you need to develop a third-party risk assessment framework and methodology that categorizes vendors based on predetermined inputs. 

Your choice of third-party risk management framework should be based on your regulatory requirements, acceptable level of risk, use of third-parties, business processes, joint ventures, compliance requirements, and overall enterprise risk management strategy. It will likely take into account the desires of senior management and the Board of Directors.

Read our guide on how to select a third-party risk assessment framework for more.

What does an organization need as part of its operating model documentation?

The operating model refers to the policies, procedures, processes, and people you have in place to guide your vendor management processes. Many organizations, consistent with regulatory expectations, organize their operating model into three lines of defense (LOD):

  1. The business line, which generates, owns, and controls the risk.
  2. The support functions, which provide oversight to the first line, and include the risk disciplines of operational risk and compliance among others. 
  3. The internal audit, whose remit is derived from the board to process-audit the first and second lines of defense.

These lines (and the documents that outline their functions) act as the foundation for any third-party risk management program. Here is a list of checks you can use to assess the maturity of your operating model and documentation.

Risk assessment policy

__ Has a structured way of assessing information value

__ Has documented and established risk assessment methodology (qualitative, quantitative or a combination)

__ Identifies and prioritizes assets

__ Identifies common threats

__ Identifies vulnerabilities

__ Has a consistent and unbiased way to assess vendors, such as a security ratings tool

__ Analyzes existing controls and, where necessary, implements new ones

__ Calculates the likelihood and impact of various scenarios on a per-year basis

__ Prioritizes risks based on the cost of prevention vs information value

__ Documents results in a risk assessment report

__ Uses a well-established security questionnaire

Read our full guide on how to perform an IT cyber security risk assessment here
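Added example, not code from the original post or from UpGuard: one way to implement the quantitative checks above, the per-year likelihood and impact calculation and the cost-of-prevention versus information-value prioritization, together with the by-risk vendor categorization a vendor management policy calls for. The scenario descriptions, dollar figures, and tier thresholds are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario involving a vendor (hypothetical inputs)."""
    vendor: str
    description: str
    info_value: float       # value of the information or service at risk
    exposure_factor: float  # fraction of that value lost if it occurs (0..1)
    annual_rate: float      # expected occurrences per year (likelihood)
    control_cost: float     # yearly cost of the control that would prevent it


def annual_loss(s: Scenario) -> float:
    """Per-year expected loss: single-loss expectancy times annual rate."""
    return s.info_value * s.exposure_factor * s.annual_rate


def prioritize(scenarios):
    """Rank scenarios by expected yearly loss; flag those where the
    control is cheaper than the loss it prevents (worth implementing)."""
    ranked = sorted(scenarios, key=annual_loss, reverse=True)
    return [
        (s.vendor, s.description, round(annual_loss(s), 2),
         annual_loss(s) > s.control_cost)
        for s in ranked
    ]


def vendor_tier(scenarios, high=100_000.0, medium=10_000.0):
    """Categorize each vendor by the sum of its scenarios' yearly loss."""
    totals = {}
    for s in scenarios:
        totals[s.vendor] = totals.get(s.vendor, 0.0) + annual_loss(s)
    return {v: "high" if t >= high else "medium" if t >= medium else "low"
            for v, t in totals.items()}


# Constructed sample input; vendors and figures are fictional.
SCENARIOS = [
    Scenario("PayrollCo", "stolen credentials expose employee PII",
             2_000_000, 0.25, 0.1, 20_000),
    Scenario("PayrollCo", "service outage delays payroll",
             500_000, 0.10, 2.0, 150_000),
    Scenario("PrintShop", "marketing proofs leaked early",
             10_000, 0.50, 0.5, 5_000),
]

if __name__ == "__main__":
    for row in prioritize(SCENARIOS):
        print(row)
    print(vendor_tier(SCENARIOS))
```

The ranking shows the outage scenario first by expected loss, but only the credential-theft control is flagged as worth its cost, which is the prioritization the checklist describes.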

Vendor management policy

__ Vendors are categorized by risk

__ Assesses and establishes minimum requirements for human resources security

__ Assesses and establishes minimum requirements for physical and environmental security

__ Assesses and establishes minimum requirements for network security 

__ Assesses and establishes minimum requirements for data security

__ Assesses and establishes minimum requirements for access control

__ Assesses and establishes minimum requirements for IT acquisition and maintenance

__ Requires vendors to document their vendor risk management program

__ Outlines vendor's incident response plan requirements

__ Defines the vendor's business continuity and disaster recovery responsibilities

__ Sets out vendor compliance requirements

__ Outlines acceptable vendor controls

__ Sets out minimum vendor review requirements (e.g. SOC 2, site visits, and auditing requirements)

Read our full guide on vendor management policies here

Vendor management procedures

__ Has workflow to engage in vendor management review

__ Designates a stakeholder to track vendors, relationships, subsidiaries, documents, and contacts

__ Has someone who is responsible for vendor due diligence

__ Uses software to deliver and collect vendor risk assessments such as UpGuard Vendor Risk

__ Has a documented process to coordinate legal, procurement, compliance, and the rest of the business when onboarding, working with, and offboarding a vendor

__ Has metrics and reports used to assess the performance of a vendor 

What documentation supports vendor report reviews and ongoing governance?

Vendor report reviews are an important part of ongoing governance. This can come in the form of continuous security monitoring or manual review of documentation that attests to security. Here are a few checks you can use to understand your vendor report maturity:

__ Reviews audit reports like SOC 2 and ISO

__ Reviews security questionnaires

__ Reviews financial reports

__ Reviews financial controls policy

__ Reviews operational controls policy

__ Reviews compliance controls policy

__ Reviews reported data breaches and data leaks

__ Reviews access control policy

__ Reviews change management policy

Note that these reviews should be carried out on a regular basis to ensure changes do not go unnoticed.

What is vendor lifecycle management?

Vendor lifecycle management is a cradle-to-grave approach to managing vendors in a consistent way. Vendor lifecycle management places an organization's vendors at the heart of the procurement process by recognizing their importance and integrating them into the procurement strategy. 

Any good vendor risk management program starts with adequate due diligence on all third-party vendors and service providers. This can be done with a combination of continuous security monitoring and attack surface management tools that can automatically assess the externally observable information security controls used by existing and new vendors. 

Once this initial stage has been completed, any high-risk vendors should be sent a vendor risk assessment to complete that can assess their internal security controls, regulatory compliance, and information security policies.

In general, modern vendor lifecycle management involves five stages:

  1. Qualification: This first phase starts with the process of need identification and solicitation. This can involve simply searching the web or be a complicated RFP process where potential vendors are informed about your organization's need to acquire a specific good or service.
  2. Engagement: Once a vendor has been selected, they undergo a vendor onboarding process where both you and the vendor are onboarded.
  3. Information security management: This stretches from the initial contact with a potential vendor through to the delivery of the good or service and to the end of the vendor relationship. Information security isn't traditionally part of vendor risk management; however, the rising risk of security breaches has led to its inclusion. This stage differs from the others because the controls that protect customer data and sensitive data need to continually evolve as threats change.
  4. Delivery: This is where the vendor delivers the good or service and also includes vendor performance management which can reduce reputational risk and improve disaster recovery.
  5. Termination: This stage is straightforward for a low-value vendor. However, if it is a high-value vendor, offboarding can be anything but simple. To ensure vendors are offboarded properly, you need to ensure all contractual obligations are fulfilled and any sensitive data has been handed over or destroyed. 

Before diving into vendor lifecycle management, you need to plan out your supplier relationship management process from beginning to end. This will aid in future audits as you'll be able to find any vendor risk management policies, procedures, and processes that address each step in the lifecycle. 

We've compiled a list of possible checks you can use that can play a role in the procurement process and aid decision making. Not every item is necessary, but the more you complete, the more you'll be able to mitigate risk. 

With that said, due diligence processes will vary by company, industry, and region. Some regulations such as HIPAA dictate specific due diligence practices and some industries have adopted standardized processes. Additionally, requirements can be different based on the type of vendor being assessed. 

Vendor qualification checklist

Collecting this information ensures that the company is legitimate and licensed to do business in your sector. You'll also want to collect information on key people for use in further risk assessments.

__ Have articles of incorporation (or corporate charter)

__ Have a business license

__ Provided company structure overview

__ Provided biographical information of senior management and Board members

__ Located in a country that is within our acceptable risk level

__ Provided proof of location via photographs, on-site visit, or video conference

__ Provided references from credible sources

__ Obtained insurance documentation

After confirming that the business is legitimate, you'll want to assess whether the vendor is financially solvent and paying taxes. There's no point using a vendor that is due to close up shop in the next month. Conversely, strong growth at a vendor could forecast increased prices later.

__ Obtained tax documents

__ Reviewed balance sheet and financial statements

__ Understand credit risk and other liabilities

__ Reviewed major assets

__ Understand compensation structure, staff training, and licensing

Vendor engagement checklist

Now that you've assessed that the vendor is a legitimate business that is financially solvent, it's important to understand whether they are on any watchlist, have negative news coverage, or could pose a danger to your organization. This is important because vendors often have access to sensitive information or systems. Corruption or political weaknesses can be dangerous, and a security incident at a vendor can affect your organization too.

__ Vendor is not on any watch lists, global sanctions lists, or lists published by regulators

__ Key personnel have been checked against politically exposed persons (PEP) lists and law enforcement lists

__ Risk-related internal policies and procedures have been reviewed

__ Reviewed reports from agencies like Consumer Financial Protection Bureau

__ Reviewed vendor's and key personnel's litigation history 

__ No negative news reports or acceptable level of negative news

__ Acceptable amount of negative reviews and complaints on sites like G2 Crowd and Gartner

Now that you've assessed that the vendor is suitable from a political and operational risk perspective, you should assess whether the business has appropriate business continuity planning in place. You want to know whether the vendor is exposed to operational risks that could negatively impact your organization. This could be downtime for a SaaS provider or key personnel turnover for a services business. 

__ Vendor has an incident response plan

__ Vendor has a disaster recovery plan

__ Vendor has adequate business continuity planning

__ Employee turnover rates are acceptable

__ No pending or past employee lawsuits or other indicators of toxic culture

__ Acceptable amount of negative employee reviews on Glassdoor

__ Vendor has a code of conduct in place

Finally, it's time to assess the quality of the contract itself. 

__ Contract has defined terms and timeframes

__ Contract includes a statement of work

__ Contract includes delivery dates

__ Contract includes a payment schedule

__ Contract includes information security requirements

__ Contract includes supply chain and outsourcing information security requirements

__ Contract includes termination or renewal information

__ Contract includes a clause to be able to terminate contract when security requirements are not met

Vendor information security management checklist

Data breaches often originate from third-party vendors. Not only are they frequent, but they are also increasingly costly. The average cost of a data breach involving a third-party is now close to $4.29 million globally. 

__ Vendor has a security rating that meets our expectations

__ Vendor security rating has been benchmarked against their industry

__ Vendor has invested in data protection and information security controls

__ Vendor uses access control such as RBAC

__ Vendor is willing to complete a risk assessment checklist 

__ Vendor has provided an IT system outline

__ Penetration testing results for the vendor are acceptable

__ Visited vendor's site to assess physical security

__ Vendor does not have a history of data breaches

__ Vendor employees do routine cybersecurity awareness training

__ Vendor doesn't introduce an unacceptable level of cyber risk

Vendor services delivery checklist

Once you've come to terms with the information security management requirements, it's time to monitor how the vendor is delivering the services (or goods) that you paid for.  

__ Deliverables are scheduled

__ Receivables are scheduled 

__ Senior management understands who is responsible for working with the vendor

__ Security team accepts any physical access requirements

__ Security team accepts system access requirements

__ Invoice schedule is established

__ Payment mechanism is established

Vendor termination checklist

Finally, the last part of the vendor management lifecycle is to understand how to offboard the vendor. This stage can range from simple to incredibly complex, depending on how intertwined your business is with the vendor. To ensure you offboard vendors properly, ensure that you develop a robust checklist. Here are some checks that you can use.

__ Physical access has been revoked

__ System access has been revoked

__ Contractual obligations have been fulfilled

__ Sensitive data has been handed over or destroyed

How UpGuard can enhance your vendor risk management program

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.

The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks.

Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews.

If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.

Get a 7 day free trial of the UpGuard platform today.
