The Complete Guide to Vendor Risk Assessment in 2025
Learn how to build a scalable vendor risk assessment program that identifies third-party risks before they become your incidents. Includes a free questionnaire template.
Your vendors are your risk surface now
The MOVEit breach in 2023 didn't hit 2,500+ organisations because those organisations messed up. Their file transfer vendor did. And suddenly everyone downstream was dealing with the fallout.
That's the uncomfortable truth about modern enterprise security. Your perimeter doesn't end at your firewall anymore. It extends through every vendor, every integration, every API key you've handed to a third party.
Some numbers that should keep you up at night:
- 60% of data breaches trace back to a third party (per IBM's Cost of a Data Breach Report)
- The average enterprise shares sensitive data with over 1,500 vendors
- Only 36% of organisations actually have a comprehensive vendor risk program
Vendor risk assessment isn't some nice-to-have checkbox. Enterprise customers expect it. Regulators demand it. And your cyber insurer? They're definitely asking about it.
What a mature vendor risk program looks like
A solid Third-Party Risk Management (TPRM) program has five moving parts, and honestly, most teams only nail two or three of them before things start to slip.
1. Know who you're working with
Sounds obvious, right? But you'd be surprised. Most organisations discover two to three times more vendors than they thought they had once they actually sit down and catalogue everything.
Build an inventory that covers:
- Every vendor with access to your systems or data
- What kind of data they can touch (PII, financial records, health data, IP)
- How they connect (API, VPN, physical access, user accounts)
- How critical they are to your day-to-day operations
This part is tedious. Do it anyway.
2. Tier your vendors
Not every vendor deserves the same level of scrutiny. Your cloud infrastructure provider and your office coffee supplier are not in the same risk category, so stop treating them like they are.
| Tier | Criteria | Assessment Frequency |
|---|---|---|
| Critical | Access to sensitive data or critical systems | Annual full assessment + continuous monitoring |
| High | Access to internal systems or confidential data | Annual questionnaire |
| Medium | Limited data access | Bi-annual questionnaire |
| Low | No data access (e.g., office supplies) | Registration only |
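As an added worked example (not code from the original post), here is a small Python model of the inventory fields from step 1 feeding the tiering table above, plus the overdue-assessment check that step 4 asks for. The vendor names, attributes and dates are constructed; reading "bi-annual" as every two years (Medium sits below High, which is annual) and treating "critical systems" as a business-critical flag on the vendor are my assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Data categories from the inventory step. Anything in SENSITIVE is what the
# tiering table calls "sensitive data"; "confidential" maps to the High tier.
SENSITIVE = {"PII", "financial", "health", "IP"}

# Connection types that give a vendor a path into internal systems.
INTERNAL_ACCESS = {"API", "VPN", "user_accounts", "physical"}

# Reassessment interval per tier, taken from the table above.
# Assumption: "bi-annual" is read as every two years. Low is
# "registration only", so it has no interval at all.
REASSESS_INTERVAL = {
    "Critical": timedelta(days=365),
    "High": timedelta(days=365),
    "Medium": timedelta(days=730),
    "Low": None,
}


@dataclass
class Vendor:
    name: str
    data_types: Set[str]       # e.g. {"PII"}, {"confidential"}, {"internal"} or empty
    connections: Set[str]      # subset of INTERNAL_ACCESS, or empty
    business_critical: bool    # assumption: stands in for "critical systems"
    last_assessed: Optional[date] = None


def assign_tier(v: Vendor) -> str:
    """Map inventory attributes onto the four tiers in the table."""
    if v.data_types & SENSITIVE or v.business_critical:
        return "Critical"
    if v.connections & INTERNAL_ACCESS or "confidential" in v.data_types:
        return "High"
    if v.data_types:
        return "Medium"          # limited data access only
    return "Low"                 # no data access: register and move on


def next_assessment_due(v: Vendor) -> Optional[date]:
    """Date the next assessment falls due, or None for registration-only vendors."""
    interval = REASSESS_INTERVAL[assign_tier(v)]
    if interval is None:
        return None
    if v.last_assessed is None:
        return date.min          # never assessed: due immediately
    return v.last_assessed + interval


def overdue_assessments(registry: List[Vendor], today: date) -> List[str]:
    """Names of vendors whose refresh has lapsed, the 'assess once, forget forever' trap."""
    due = []
    for v in registry:
        d = next_assessment_due(v)
        if d is not None and d <= today:
            due.append(v.name)
    return sorted(due)


# Constructed sample registry (not real vendors).
SAMPLE_REGISTRY = [
    Vendor("CloudHost", {"PII", "financial"}, {"API"}, True, date(2024, 3, 1)),
    Vendor("HRPortal", {"confidential"}, {"user_accounts"}, False, date(2025, 1, 15)),
    Vendor("SurveyTool", {"internal"}, set(), False, date(2023, 5, 1)),
    Vendor("CoffeeCo", set(), set(), False),
    Vendor("NewAnalytics", {"PII"}, {"API"}, False),
]
SAMPLE_TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for v in SAMPLE_REGISTRY:
        print(f"{v.name:13} tier={assign_tier(v):9} next_due={next_assessment_due(v)}")
    print("overdue:", overdue_assessments(SAMPLE_REGISTRY, SAMPLE_TODAY))
```

Running it against the sample registry puts CloudHost and NewAnalytics in the Critical tier (one for sensitive data, one because it has never been assessed at all) and reports both, together with the lapsed Medium-tier SurveyTool, as overdue.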
3. Actually assess them
For your top-tier vendors, run a proper security assessment with a standardised questionnaire. You want to cover:
- Security program basics. Do they have a CISO? An actual documented security policy, or just vibes?
- Access controls. How do they handle authentication and authorisation?
- Data handling. Where does your data live, how does it travel, and what happens when the relationship ends?
- Incident response. When (not if) something goes wrong, how fast will they tell you? What's their playbook?
- Certifications. SOC 2, ISO 27001, PCI DSS, HIPAA BAA. Show me the receipts.
- Subprocessors. Who are their vendors touching your data? It's turtles all the way down.
4. Don't stop after the first assessment
Here's where programmes quietly fall apart. You do the initial assessment, file it away, and don't look at it again until renewal time, by which point the vendor's security posture could have changed dramatically.
Layer in ongoing monitoring:
- Automated questionnaire refreshes that trigger annually on their own
- Threat intelligence feeds that alert you when a vendor shows up in breach databases
- Financial health tracking, because a vendor in financial trouble often lets security slip first
- News monitoring for public incidents, regulatory fines, adverse media
5. Remediation and offboarding
When a vendor has findings, issue a formal remediation request with a clear deadline. Track progress. Escalate if they miss their SLAs. For critical findings, start thinking about contingency plans or contractual remedies.
And when you part ways with a vendor:
- Kill all their access credentials immediately
- Confirm they've deleted your data per the contract
- Document everything in your vendor registry
Treat offboarding as a security event, because that's exactly what it is.
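An added example, not from the original post: a check that the offboarding steps above actually happened, run over a constructed registry of offboarded vendors and the credentials issued to them. It reports any credential still active for a vendor you have parted ways with, and any vendor whose data-deletion confirmation is missing past the contractual window. All vendor names, credential records and the 30-day window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class Credential:
    vendor: str
    kind: str        # e.g. "api_key", "vpn_account", "user_account", "badge"
    active: bool


@dataclass
class OffboardedVendor:
    name: str
    offboarded_on: date
    deletion_confirmed: bool
    deletion_window_days: int = 30   # contractual deletion window (assumed)


def residual_access(offboarded: List[OffboardedVendor],
                    credentials: List[Credential]) -> List[Tuple[str, str]]:
    """(vendor, credential kind) pairs that are still live after offboarding."""
    gone = {v.name for v in offboarded}
    return sorted((c.vendor, c.kind) for c in credentials
                  if c.vendor in gone and c.active)


def overdue_deletion(offboarded: List[OffboardedVendor], today: date) -> List[str]:
    """Vendors that have not confirmed deletion within their contractual window."""
    return sorted(v.name for v in offboarded
                  if not v.deletion_confirmed
                  and (today - v.offboarded_on).days > v.deletion_window_days)


def offboarding_findings(offboarded: List[OffboardedVendor],
                         credentials: List[Credential], today: date) -> List[str]:
    """Human-readable findings to record in the vendor registry."""
    findings = [f"{vendor}: {kind} still active after offboarding"
                for vendor, kind in residual_access(offboarded, credentials)]
    findings += [f"{name}: data deletion not confirmed within contractual window"
                 for name in overdue_deletion(offboarded, today)]
    return findings


# Constructed sample data (not real vendors or credentials).
SAMPLE_OFFBOARDED = [
    OffboardedVendor("OldPayroll", date(2025, 3, 1), deletion_confirmed=False),
    OffboardedVendor("LegacyCRM", date(2025, 5, 20), deletion_confirmed=True),
]
SAMPLE_CREDENTIALS = [
    Credential("OldPayroll", "api_key", active=True),       # missed at offboarding
    Credential("OldPayroll", "vpn_account", active=False),  # correctly revoked
    Credential("LegacyCRM", "user_account", active=True),   # missed at offboarding
    Credential("CurrentHost", "api_key", active=True),      # still a live vendor
]
SAMPLE_TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for line in offboarding_findings(SAMPLE_OFFBOARDED, SAMPLE_CREDENTIALS, SAMPLE_TODAY):
        print(line)
```

The same two functions can be run on a schedule, not only on offboarding day; a credential that is re-enabled weeks later is exactly the kind of drift the registry check is there to catch.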
Building your security questionnaire
A good questionnaire strikes a balance. Thorough enough to surface real risks, short enough that vendors will actually complete it without ghosting you.
Structure it around these domains:
- Governance and Policy (10-15 questions)
- Access Management (10-12 questions)
- Data Security and Privacy (12-15 questions)
- Vulnerability Management (8-10 questions)
- Incident Response and Business Continuity (8-10 questions)
- Third-Party and Supply Chain (5-8 questions)
- Physical Security (4-6 questions)
That lands you at roughly 57-76 questions for a full assessment. For lower-tier vendors, pare it down to 15-20 questions. Nobody needs a 70-question deep dive on the company that delivers lunch.
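An added example, not part of the original post, showing one way to turn the domain structure above into a scored questionnaire: each answer earns points weighted by domain, "n/a" answers drop out of the denominator, and a "no" on a question marked critical flags the vendor for human review regardless of the overall score. The question text, the domain weights, the 70-point review threshold and the sample answers are all constructed for illustration; only the domain names come from the list above.

```python
from dataclasses import dataclass
from typing import Dict, List

# Domains from the structure above. Weights are an assumption for the example.
DOMAIN_WEIGHTS = {
    "Governance and Policy": 1.0,
    "Access Management": 1.5,
    "Data Security and Privacy": 1.5,
    "Vulnerability Management": 1.2,
    "Incident Response and Business Continuity": 1.2,
    "Third-Party and Supply Chain": 1.0,
    "Physical Security": 0.6,
}

ANSWER_POINTS = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass
class Question:
    qid: str
    domain: str
    text: str
    critical: bool = False   # a "no" here forces human review


# A shortened, constructed question bank; a real one has 57-76 entries.
QUESTIONS = [
    Question("GOV-1", "Governance and Policy", "Is there a named security lead (CISO or equivalent)?"),
    Question("GOV-2", "Governance and Policy", "Is a written security policy reviewed at least annually?"),
    Question("ACC-1", "Access Management", "Is MFA enforced for all administrative access?", critical=True),
    Question("ACC-2", "Access Management", "Are access rights reviewed at least quarterly?"),
    Question("DAT-1", "Data Security and Privacy", "Is customer data encrypted at rest and in transit?", critical=True),
    Question("DAT-2", "Data Security and Privacy", "Is customer data deleted within the contractual window at termination?"),
    Question("VUL-1", "Vulnerability Management", "Are critical vulnerabilities patched within 30 days?"),
    Question("IRB-1", "Incident Response and Business Continuity", "Will you notify us of a breach within 72 hours?", critical=True),
    Question("TPS-1", "Third-Party and Supply Chain", "Do you maintain a list of subprocessors with access to customer data?"),
    Question("PHY-1", "Physical Security", "Are production facilities access-controlled?"),
]


def score_response(answers: Dict[str, str]) -> dict:
    """Weighted score (0-100) per domain and overall, plus failed critical questions."""
    earned = {d: 0.0 for d in DOMAIN_WEIGHTS}
    possible = {d: 0.0 for d in DOMAIN_WEIGHTS}
    failed_critical: List[str] = []
    for q in QUESTIONS:
        answer = answers.get(q.qid, "no")     # unanswered counts as "no"
        if answer == "n/a":
            continue                           # drops out of the denominator
        weight = DOMAIN_WEIGHTS[q.domain]
        earned[q.domain] += ANSWER_POINTS[answer] * weight
        possible[q.domain] += weight
        if q.critical and answer == "no":
            failed_critical.append(q.qid)
    domains = {d: (round(100 * earned[d] / possible[d]) if possible[d] else None)
               for d in DOMAIN_WEIGHTS}
    total_possible = sum(possible.values())
    overall = round(100 * sum(earned.values()) / total_possible) if total_possible else 0
    return {"domains": domains, "overall": overall, "failed_critical": failed_critical}


def needs_human_review(result: dict, threshold: int = 70) -> bool:
    """Flag for review on any failed critical question or a low overall score."""
    return bool(result["failed_critical"]) or result["overall"] < threshold


# Constructed sample response from a hypothetical vendor.
SAMPLE_ANSWERS = {
    "GOV-1": "yes", "GOV-2": "partial", "ACC-1": "yes", "ACC-2": "no",
    "DAT-1": "yes", "DAT-2": "partial", "VUL-1": "yes", "IRB-1": "no",
    "TPS-1": "yes", "PHY-1": "n/a",
}

if __name__ == "__main__":
    result = score_response(SAMPLE_ANSWERS)
    print(result)
    print("needs human review:", needs_human_review(result))
```

The sample vendor scores 65 overall and fails IRB-1 (breach notification), so it is flagged for review on both counts; the per-domain breakdown is what tells the reviewer where to push during remediation rather than just that a problem exists.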
Mistakes I keep seeing
Assess once, forget forever. A clean SOC 2 report from 2022 tells you nothing about what's happening today. Build in annual refresh cycles or accept that your risk picture is fiction.
Treating certifications as gospel. Having a SOC 2 report means controls exist. It doesn't mean those controls are sufficient for your use case. Read the actual report. Don't just check whether they have one.
One-size-fits-all assessments. Sending that 70-question beast to every vendor regardless of tier wastes everyone's time and burns vendor goodwill. Right-size the effort.
Contracts without teeth. Your vendor agreements need specific breach notification timelines, audit rights, and data deletion obligations. Vague "best efforts" language won't help you when things go sideways.
Spreadsheets at scale. If you're emailing Excel files to 200+ vendors and calling that a programme... look, I get it, everyone starts somewhere. But at any real scale, you need automation.
Scaling with the right tools
Platforms like Sunspot automate the grunt work: dispatching questionnaires, chasing responses, scoring answers, and flagging high-risk vendors for human review. Your team gets to focus on judgment calls instead of admin overhead.
Things worth looking for in a TPRM platform:
- Automated questionnaire dispatch and follow-up
- AI-assisted response scoring
- Continuous monitoring integrations (threat intel, financial health)
- Evidence storage with a proper audit trail
- Integration with your existing GRC workflow
Ready to stop managing vendor risk in spreadsheets? See how Sunspot handles third-party risk