Vendor tiering is the key to a more resilient and sustainable third-party risk management strategy. But like all cybersecurity controls, it must be supported by the proper framework.

To learn how to optimize your Vendor Management and Vendor Risk Management programs to greater efficiency through best vendor tiering practices, read on.

What is Vendor Tiering?

Before addressing its infrastructure, it's important to recap the primary components of vendor tiering.

Vendor tiering is the process of categorizing vendors based on their level of threat criticality. Each third-party vendor is separated into different threat tiers ranging from low-risk,  high-risk, and critical risk.

Vendor Tiering on the UpGuard platform
Figure 1: Vendor Tiering on the UpGuard platform

By doing this, remediation efforts can be distributed more efficiently. Instead of maintaining the same level of risk assessment intensity across all vendors (which in many cases isn't necessary), the majority of risk management efforts can be focused on the vendors posing the greatest cybersecurity risks to an organization.

This ensures security postures remain as high as possible at all times, even during digital transformation.

The Benefits of Vendor Tiering

The benefits of vendor tiering is best appreciated by considering its impact on the risk assessment process.

Rather than manually tracking third-party risk profiles, vendors can be grouped by the specific risk assessments they require.

Cybersecurity regulations specific to each vendor tier

Such an arrangement allows security teams to quickly identify the regulatory requirements of each tier so that entities in highly regulated industries (such as healthcare and financial services) can be monitored with greater scrutiny.

Learn the importance of including your VRM efforts in executive reporting >

The Vendor Tiering Process

There are two primary strategies for assigning vendors to tiers.

  • Questionnaire-based tiering - uses a classification algorithm to assign a criticality rating based on questionnaire responses.
  • Manual tiering - Vendors are manually sorted into risk tiers based on an organization's personal preferences.

Regardless of whether tiering is questionnaire-based or manual, the third-party risk data must first be collected. This is done either through security questionnaires or vendor risk assessments.

Once collected, a risk analysis is performed to evaluate each specific third-party risk and its likelihood of exploitation, with the assistance of a risk matrix. Both inherent risk and residual risks should be considered.

Risk matrix example

The objective of a risk analysis is to specify how each third-party risk should be addressed - whether it should be accepted, addressed, or monitored. These decisions should be based on a range of risk exposure categories, including reputational and, most importantly, financial risk.

Learn how to perform a cyber risk analysis >

Vendors linked to a majority of risks that must be remediated could then assign to a critical vendor tier and those with an acceptable risk majority to a less critical tier.

The UpGuard platform offers the option of either manual vendor tiering or automated tiering based on responses collected from security questionnaires. This is just one capability among a host of automation features UpGuard offers to support vendor risk management teams.

Learn how UpGuard uses AI to streamline the VRM lifecycle >

Vendor Tiering Best Practices

The following 4-step framework will streamline the execution of a vendor tiering program and support an efficient Vendor Risk Management (VRM) workflow.

1. Use Security Ratings to Evaluate Risk Postures

Security ratings offer a more rapid representation of each vendor's security posture by assigning each vendor a score based on multiple attack vectors. Rather than manually completing a risk analysis for each identified vulnerability, security ratings instantly reflect a vendor's estimated security posture, if they're calculated by an attack surface monitoring solution.

This feature also streamlines due diligence when onboarding new vendors.

Organizations could specify a minimal security rating threshold each vendor must surpass based on the cybersecurity industry-standard 950 point scale.

But this shouldn't be the only third-party risk security control, but rather, a complementary addition to a suite of defense strategies.

This is because security ratings fail to consider the specific risks that have the greatest on their calculation - unless they're supported by a remediation planning feature.

Security rating will also indicate whether a Vendor's tiering classification needs to be evaluated. For example, if a vendor acquires another business with poor security practices, their security rating will drop, reflecting an ecosystem with increased vulnerabilities.

Each vendor's security risk weighting can also be represented through a risk matrix in a cybersecurity report generated from the UpGuard platform, allowing stakeholders to instantly understand the degree of risk associated with each vendor.

vendor risk overview on the upguard platform
Vendor Risk overview feature on the UpGuard platform.

2. Map Risk Assessment Responses to Security Frameworks

Unfortunately, your vendors aren't likely to take cybersecurity as seriously as you do. Because of this, all questionnaire and risk assessment responses should be mapped to existing cybersecurity frameworks to evaluated compliance against each security standard.

Many cybersecurity frameworks, such as the highly anticipated DORA regulation have a heavy emphasis on securing the vendor attack surface to prevent third-party data breaches

The higher security standards for service providers is a result of the recent proliferation of supply chain attacks

Next generation supply chain attack trends 2019-2020
Figure 4: Rising trend of supply chain attacks 2019-2020

Some examples of common cyber security frameworks are listed below:

The UpGuard platform maps to popular security frameworks from a range of offers a range of questionnaires including:

  1. CyberRisk Questionnaire
  2. ISO 27001 Questionnaire
  3. Short Form Questionnaire
  4. NIST Cybersecurity Framework Questionnaire
  5. PCI DSS Questionnaire
  6. California Consumer Privacy Act (CCPA) Questionnaire
  7. Modern Slavery Questionnaire
  8. Pandemic Questionnaire
  9. Security and Privacy Program Questionnaire
  10. Web Application Security Questionnaire
  11. Infrastructure Security Questionnaire
  12. Physical and Data Centre Security Questionnaire
  13. COBIT 5 Security Standard Questionnaire
  14. ISA 62443-2-1:2009 Security Standard Questionnaire
  15. ISA 62443-3-3:2013 Security Standard Questionnaire
  16. GDPR Security Standard Questionnaire
  17. CIS Controls 7.1 Security Standard Questionnaire
  18. NIST SP 800-53 Rev. 4 Security Standard Questionnaire
  19. SolarWinds Questionnaire
  20. Kaseya Questionnaire

To see how these assessments are managed in the UpGuard platform, request a free trial.

3. Set Clear Expectations from Vendors

The effectiveness of a Third-Party risk management program (TPRM) is proportional to the level of commitment by all parties.

Before establishing any vendor relationship, all expectations pertaining the third-party security must be clearly communicated upfront.

The following areas will address the common communication lapses impacting third-party security.

  • Identify key decision-making staff across senior management.
  • Set frequency of cyber threat reporting.
  • Business continuity plans in the event of a cyber incident.
  • Any key security metrics that must be monitored and addressed
  • Cyber threat reporting expectations as specified in the procurement agreement.
  • Establish clear roles and responsibilities across all categories of vendor risk management (legal, information security, business continuity, regulatory compliance, etc)
  • Set resilient service level agreements (SLAs) to prevent the disruption of business processes in the event of a data breach or cyber attack.
  • Include steep termination costs in contracts (this will ensure vendors actually address all security issues rather than breaking partnerships).
  • Implement a data backup plan - in the event service level agreements are breached.

Download your data breach prevention guide >

Ongoing Monitoring of the Third-Party Attack Surface

Even after all security controls have been implemented, the attack surface across all risk categories should be continuously monitored. This will not only indicate any sudden lapses in security posture in real-time, but it will also verify the legitimacy of all vendor risk assessment responses.

This is especially an important requirement for high-risk vendors. An attack monitoring solution will instantly alert security teams when a critical vulnerability impacting the supply chain is discovered. Such advanced awareness allows such exposures to be addressed before they're discovered by cybercriminals.

UpGuard Can Help Tier Your Vendors

UpGuard offers a vendor tiering feature to help organizations significantly increase the efficiencies of their Vendor Risk Management programs. With the addition of automated vendor classification, UpGuard empowers businesses to say goodbye to manual processes and hello to efficiency.

To support efficient vendor risk management, UpGuard also offers a remediation planning feature to highlight the specific remediation efforts that have the greatest impacts on security postures. When used harmoniously, vendor tiering and remediation planning prepare security programs to sustain increasing demands on third-party security.

Remediation impact projections on the UpGuard platform.
Remediation impact projections on the UpGuard platform.
Streamlined vendor risk remediation processes means your sensitive data is less vulnerable to cyberattacks


Ready to see
UpGuard in action?