Vendor risk assessment template

Use this template to assess supplier security, privacy, data access, business criticality, AI use, compliance evidence, risk score, mitigation owners, and approval decisions before onboarding or renewal.

Assessment preview (Security, GRC, procurement)

Vendor: AI customer support tool
Risk tier: High impact / Medium likelihood
Evidence: SOC 2, DPA, subprocessors, access controls
Decision: Mitigate before production use

What this template gives you

It is designed for teams that need a reusable vendor review artifact, not a long theory page.

Downloadable template: CSV and Markdown versions that procurement, GRC, security, and privacy teams can adapt immediately.
Risk scoring model: Simple scoring for data sensitivity, business criticality, access level, compliance exposure, evidence quality, and AI use.
Supplier questions: A starter questionnaire for security controls, privacy, subprocessors, incident response, compliance evidence, and AI automation.
Reusable evidence: Outputs can feed security questionnaires, privacy reviews, risk registers, renewal reviews, and vendor approval records.

Recommended vendor risk assessment fields

These fields keep supplier review useful for procurement, security, privacy, GRC, and customer due diligence.

Vendor name: The supplier, SaaS tool, service provider, AI platform, consultant, or data processor under review.
Service or product: What the vendor provides and which internal workflow, team, product, or customer process depends on it.
Business owner: The internal owner accountable for vendor use, renewal, risk acceptance, and mitigation follow-up.
Data access: Whether the vendor handles public data, business data, confidential data, personal data, PHI, credentials, or customer content.
Business criticality: How disruptive a vendor failure, breach, or outage would be to revenue, operations, compliance, or customers.
Security controls: MFA, SSO, encryption, access review, vulnerability management, incident response, backups, and audit logging.
Privacy and data processing: DPA, BAA, subprocessors, retention, deletion, data location, purpose limitation, and privacy review status.
Compliance evidence: SOC 2, ISO 27001, CAIQ, SIG, penetration test summary, security whitepaper, policies, or customer trust center.
AI or automation use: Whether the vendor uses AI, agents, MCP servers, automated decisions, model providers, or customer-data training.
Risk score: A simple total score that combines data sensitivity, access level, criticality, compliance exposure, and evidence quality.
Risk tier: Low, medium, high, or critical tier used to decide review depth, approval path, and renewal frequency.
Mitigation owner: The person responsible for requesting evidence, closing gaps, approving exceptions, or blocking use.

Vendor risk scoring model

Score each factor from 0 to 3, then add the six factor scores for a total between 0 and 18 and map the total to a tier. The goal is consistent triage, not a formal certification.

Data sensitivity: 0 for no sensitive data, 1 for business data, 2 for personal or confidential data, 3 for regulated or high-impact data.
System criticality: 0 for optional, 1 for team workflow, 2 for customer-facing or revenue workflow, 3 for mission-critical operations.
Access level: 0 for no access, 1 for read-only limited access, 2 for broad read/write access, 3 for admin, credential, or production access.
Compliance exposure: 0 for no compliance impact, 1 for internal policy only, 2 for customer commitments, 3 for regulated or contractual obligations.
AI and automation: 0 for no AI use, 1 for internal AI only, 2 for AI processing customer data, 3 for agent/tool access or automated high-impact decisions.
Evidence quality: 0 for strong current evidence, 1 for partial evidence, 2 for stale evidence, 3 for missing or unverifiable evidence.

0-4: Low

Approve with standard owner review and renewal tracking.

5-8: Medium

Request core evidence and document open risks before approval.

9-13: High

Require security, privacy, and business-owner approval before use.

14-18: Critical

Escalate to formal risk acceptance, mitigation plan, or block until gaps are closed.
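The scoring model above is simple enough to implement directly, which is useful when the template is kept as CSV and scored in a script rather than by hand. The following is an added example, not code from the page or the template download. It encodes the six factors, rejects values outside 0 to 3, sums them to a 0 to 18 total, and maps the total to the tier bands listed above. Note that Evidence quality is inverted relative to the other factors (0 means strong evidence, 3 means missing), so a vendor with good controls but no documentation still accumulates points. The sample factor scores for the two vendors are constructed for illustration and are not values from the page.

```python
"""Vendor risk scoring: six 0-3 factors, 0-18 total, four tier bands."""

# Factor names in the order they appear in the scoring model.
FACTORS = (
    "data_sensitivity",
    "system_criticality",
    "access_level",
    "compliance_exposure",
    "ai_and_automation",
    # Inverted scale: 0 = strong current evidence, 3 = missing or unverifiable.
    "evidence_quality",
)

# (upper bound inclusive, tier name, required action) per the tier table.
TIERS = (
    (4, "Low", "Approve with standard owner review and renewal tracking."),
    (8, "Medium", "Request core evidence and document open risks before approval."),
    (13, "High", "Require security, privacy, and business-owner approval before use."),
    (18, "Critical", "Escalate to formal risk acceptance, mitigation plan, or block until gaps are closed."),
)


def score_vendor(scores: dict) -> int:
    """Validate one vendor's factor scores and return the 0-18 total."""
    missing = set(FACTORS) - set(scores)
    unknown = set(scores) - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    for name, value in scores.items():
        if not isinstance(value, int) or isinstance(value, bool) or not 0 <= value <= 3:
            raise ValueError(f"{name} must be an integer from 0 to 3, got {value!r}")
    return sum(scores[name] for name in FACTORS)


def risk_tier(total: int) -> tuple[str, str]:
    """Map a 0-18 total to (tier name, required action)."""
    if not 0 <= total <= 18:
        raise ValueError(f"total must be 0-18, got {total}")
    for upper, tier, action in TIERS:
        if total <= upper:
            return tier, action
    raise AssertionError("unreachable: TIERS covers 0-18")


def assess(vendor: str, scores: dict) -> dict:
    """Produce the record a risk register row would hold for one vendor."""
    total = score_vendor(scores)
    tier, action = risk_tier(total)
    # Highest-scoring factors, so the reviewer sees what drives the tier.
    drivers = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:2]
    return {
        "vendor": vendor,
        "total": total,
        "tier": tier,
        "action": action,
        "top_drivers": [name for name, _ in drivers],
    }


# Constructed sample scores (hypothetical, not from the page).
SAMPLE_VENDORS = {
    # AI support tool: personal customer data, customer-facing workflow,
    # broad read/write on tickets, customer commitments, AI on customer data,
    # partial evidence on file.
    "AI customer support tool": {
        "data_sensitivity": 2,
        "system_criticality": 2,
        "access_level": 2,
        "compliance_exposure": 2,
        "ai_and_automation": 2,
        "evidence_quality": 1,
    },
    # Internal wiki plugin: business data only, team workflow, limited read
    # access, internal policy only, no AI, strong current evidence.
    "Internal wiki plugin": {
        "data_sensitivity": 1,
        "system_criticality": 1,
        "access_level": 1,
        "compliance_exposure": 1,
        "ai_and_automation": 0,
        "evidence_quality": 0,
    },
}


if __name__ == "__main__":
    for name, scores in SAMPLE_VENDORS.items():
        record = assess(name, scores)
        print(f"{record['vendor']}: {record['total']} -> {record['tier']} "
              f"(drivers: {', '.join(record['top_drivers'])})")
        print(f"  action: {record['action']}")
```

Run as a script it prints the total, tier, and top drivers for each sample vendor; in practice `assess` would be applied to each row of the CSV template and its output written back into the Risk score and Risk tier columns.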

Supplier questionnaire starter questions

Use these questions to collect evidence before assigning risk tier or approval status.

What customer, employee, patient, or business data will the vendor access?
Identify data categories, systems, environments, retention period, and whether data is stored, processed, or only viewed.

What security evidence can the vendor provide?
Request SOC 2, ISO 27001, CAIQ, SIG, penetration test summary, security policy, access control policy, and incident response evidence.

Which subprocessors or fourth parties are involved?
Document hosting providers, AI providers, support vendors, analytics tools, data locations, and the subprocessor notification process.

How are access, authentication, and privileged actions controlled?
Review SSO, MFA, RBAC, admin access, support access, offboarding, access reviews, and audit logs.

How does the vendor handle incidents and breach notification?
Ask for notification timelines, escalation contacts, incident history, customer communication process, and evidence retention.

Does the vendor use AI, agents, or automated decisioning?
Record model providers, customer-data use, opt-out paths, human review, tool permissions, logs, and prompt injection controls.

Example starter rows

These examples show how to turn vendor intake into risk scenarios and evidence requests.

| Vendor type | Use case | Data access | Risk scenario | Evidence to request |
|---|---|---|---|---|
| Payroll provider | Employee compensation and tax workflow | Employee PII, bank data, tax records | Regulated personal data exposure | SOC 2, DPA, access controls, incident response, subprocessor list |
| AI customer support tool | AI-assisted support triage and answer drafting | Customer contact data, ticket content, account metadata | Sensitive data exposure or incorrect automated routing | AI governance notes, DPA, retention limits, human review, audit logs |
| Cloud analytics tool | Product analytics and event tracking | Usage events, identifiers, device metadata | Unexpected tracking, retention, or vendor reuse | DPA, privacy review, retention policy, opt-out review, access controls |
| Healthcare data processor | Patient portal message processing | ePHI, patient identifiers, authentication logs | Unauthorized access or incomplete HIPAA evidence | BAA, HIPAA controls, access logs, encryption, incident response |

Connect it to security and privacy review

A useful vendor assessment should feed supplier questionnaires, privacy review, and answer-library evidence.

Security questionnaire answers

Reuse approved vendor evidence when customers ask how third parties and suppliers are reviewed.

Privacy risk assessment

Connect vendor review to data categories, subprocessors, DPA, BAA, retention, and high-risk processing.

AI vendor review

Add fields for AI providers, agent tool access, prompt injection controls, audit logs, and MCP gateway boundaries.

Software selection

Compare tools by whether they preserve evidence, owners, risk tier, approval status, and renewal history.

Evidence and source trail

Use recognized sources and internal records to support supplier risk decisions.

NIST SP 800-161 Rev. 1

External source

NIST guidance supports identifying, assessing, and mitigating cybersecurity supply-chain risks across products and services.

SOC 2 report

Related template

Use SOC 2 evidence to review security controls, control ownership, monitoring, incident response, and audit scope.

Privacy risk assessment

Related template

Connect vendor review to data categories, subprocessors, retention, DPA or BAA status, and high-risk processing.

AI vendor and MCP evidence

Related template

For AI vendors, record agent identity, tool permissions, prompt injection controls, audit logs, and gateway boundaries.

Vendor risk assessment FAQ

Short answers for teams deciding how this template fits supplier review.

What is a vendor risk assessment template?

A vendor risk assessment template is a structured worksheet used to collect supplier details, data access, security controls, privacy evidence, risk score, mitigation owner, and approval decision.

Who should use this vendor risk assessment template?

GRC, procurement, security, privacy, legal, IT, and business owners can use it before approving a new vendor, renewing a supplier, or responding to customer due diligence.

Is vendor risk assessment the same as a vendor security questionnaire?

They overlap, but they are not identical. A questionnaire collects answers and evidence from the supplier; the risk assessment scores the supplier, records decisions, and tracks mitigation.

Should AI vendors get extra review?

Yes. AI vendors may need extra review for customer-data use, model providers, automated decisions, agent tool access, prompt injection controls, logs, and human review paths.

Is this template legal or compliance advice?

No. It is a practical starting point for organizing vendor risk information. Legal, privacy, security, or compliance owners should review obligations for regulated workflows.

Need a shortlist for your workflow?

Send the formats you receive, your current answer-library setup, and whether you need portal support. We will use those signals to prioritize the next comparison updates.
