Vendor risk assessment template
Use this template to assess third-party risk, supplier due diligence, security, privacy, data access, business criticality, AI use, compliance evidence, risk score, mitigation owners, and approval decisions before onboarding or renewal.
What this template gives you
It is designed for teams that need a reusable vendor review artifact, not a long theory page.
Do AI vendors need extra review beyond SOC 2?
Usually yes. The practical gap is not generic security posture. It is whether you can answer what the AI system can access, where data goes, and how risky actions are controlled.
Recommended vendor risk assessment fields
These fields keep supplier review useful for procurement, security, privacy, GRC, and customer due diligence.
Supplier risk assessment scorecard fields
If you specifically need a supplier risk assessment template, treat the worksheet as a scorecard rather than only as a vendor intake form. Each row should show who the supplier is, what data or workflow they touch, which risk category applies, what evidence was reviewed, which score was assigned, and who owns mitigation.
Vendor risk scoring model
Score each factor from 0 to 3. The goal is consistent triage, not a formal certification.
- 0-4: Low. Approve with standard owner review and renewal tracking.
- 5-8: Medium. Request core evidence and document open risks before approval.
- 9-13: High. Require security, privacy, and business-owner approval before use.
- 14-18: Critical. Escalate to formal risk acceptance, mitigation plan, or block until gaps are closed.
Supplier questionnaire starter questions
Use these questions to collect evidence before assigning risk tier or approval status.
AI vendor access review fields
For agentic or AI vendors, record OAuth scopes, token revocation, model provider, MCP/tool access, and audit evidence before approval.
AI vendor change-control fields
A one-time vendor review is not enough if the model, provider stack, or tool permissions can change after approval. Keep these fields next to the worksheet so procurement and security can re-check the vendor quickly.
AI request boundary evidence
If an AI vendor can take actions, retrieve customer data, or call tools, review the request boundary instead of only asking whether the vendor has SOC 2.
AI coding assistant vendor review checklist
Teams often approve an AI coding assistant and still misunderstand the actual data handling. Use this checklist to capture what matters before rollout.
Checklist
- Confirm what content is sent off-device (open files, diffs, terminal output, telemetry) and how it is minimized.
- Separate training opt-out from retention and human review (prompts, code, logs, evaluation).
- Check where data is processed (region) and which subprocessors are involved.
- Verify admin controls: SSO/MFA, policy toggles, context limits, repo/file exclusions, and safe defaults.
- Confirm auditability: prompt logs, admin actions, policy changes, access logs, and retention settings.
- Document incident response and customer notification for data exposure or misuse scenarios.
- Create an internal safe-use policy for secrets and sensitive data in prompts (and how it is enforced).
Evidence to request
- Vendor technical data-handling documentation (collection, processing locations, retention, deletion).
- DPA + subprocessor list + data residency statement.
- SOC 2 / security whitepaper scope + enterprise admin controls overview.
- Sample audit log schema + retention configuration evidence.
- Internal safe-use guideline and enforcement plan.
Example starter rows
These examples show how to turn vendor intake into risk scenarios and evidence requests.
| Vendor type | Use case | Data access | Risk scenario | Evidence to request |
|---|---|---|---|---|
| Payroll provider | Employee compensation and tax workflow | Employee PII, bank data, tax records | Regulated personal data exposure | SOC 2, DPA, access controls, incident response, subprocessor list |
| AI customer support tool | AI-assisted support triage and answer drafting | Customer contact data, ticket content, account metadata | Sensitive data exposure or incorrect automated routing | AI governance notes, DPA, retention limits, human review, audit logs |
| Cloud analytics tool | Product analytics and event tracking | Usage events, identifiers, device metadata | Unexpected tracking, retention, or vendor reuse | DPA, privacy review, retention policy, opt-out review, access controls |
| Healthcare data processor | Patient portal message processing | ePHI, patient identifiers, authentication logs | Unauthorized access or incomplete HIPAA evidence | BAA, HIPAA controls, access logs, encryption, incident response |
Subprocessor list hygiene
Community discussions show that deals slow down when subprocessor lists are missing, hidden, or stale.
What to implement
- Publish a single canonical subprocessor list (trust center, security page, or privacy subpage) that reviewers can link to.
- Show last updated date + owner. Treat missing ownership as a risk signal.
- Trigger updates when you add a new vendor, enable a new integration, or ship a feature that changes data sharing.
- Track upstream changes too: key vendors may add their own subprocessors without your team touching the stack.
- Log change history and keep an exportable list for procurement (name, purpose, data categories, region).
- Review on a cadence (quarterly is common) and keep an exception note when a vendor will not disclose details.
Evidence to keep
- Public subprocessor page link + last updated date
- Internal subprocessor register (name, purpose, data categories, region, owner)
- Subprocessor change notification workflow (customer notice + approvals where applicable)
- Vendor monitoring signal (trust-center RSS/email alerts, renewal checklist, or quarterly review record)
Connect it to security and privacy review
A useful vendor assessment should feed supplier questionnaires, privacy review, and answer-library evidence.
Security questionnaire answers
Reuse approved vendor evidence when customers ask how third parties and suppliers are reviewed.
Privacy risk assessment
Connect vendor review to data categories, subprocessors, DPA, BAA, retention, and high-risk processing.
AI vendor review
Add fields for AI providers, agent tool access, prompt injection controls, audit logs, and MCP gateway boundaries.
Software selection
Compare tools by whether they preserve evidence, owners, risk tier, approval status, and renewal history.
Evidence and source trail
Use recognized sources and internal records to support supplier risk decisions.
NIST SP 800-161 Rev. 1
External source: NIST guidance supports identifying, assessing, and mitigating cybersecurity supply-chain risks across products and services.
SOC 2 report
Related template: Use SOC 2 evidence to review security controls, control ownership, monitoring, incident response, and audit scope.
Privacy risk assessment
Related template: Connect vendor review to data categories, subprocessors, retention, DPA or BAA status, and high-risk processing.
AI vendor and MCP evidence
Related template: For AI vendors, record agent identity, tool permissions, prompt injection controls, audit logs, and gateway boundaries.
Vendor risk assessment FAQ
Short answers for teams deciding how this template fits supplier review.
What is a vendor risk assessment template?
A vendor risk assessment template is a structured worksheet used to collect supplier details, data access, security controls, privacy evidence, risk score, mitigation owner, and approval decision.
Who should use this vendor risk assessment template?
GRC, procurement, security, privacy, legal, IT, and business owners can use it before approving a new vendor, renewing a supplier, or responding to customer due diligence.
Is vendor risk assessment the same as a vendor security questionnaire?
They overlap, but they are not identical. A questionnaire collects answers and evidence from the supplier; the risk assessment scores the supplier, records decisions, and tracks mitigation.
Is a supplier risk assessment template different from a vendor risk assessment template?
In practice they usually support the same workflow. Supplier language is common in procurement and supply-chain reviews, while vendor language is common in SaaS, GRC, and security reviews. The worksheet should still capture category, data access, evidence, score, owner, and mitigation.
What should a supplier risk scorecard include?
A supplier risk scorecard should include supplier category, data or workflow touched, risk category, score, evidence reviewed, mitigation owner, approval decision, and next review date.
Can this supplier risk assessment template be used in Excel?
Yes. The CSV version is designed for spreadsheet workflows where teams need sortable supplier categories, score fields, evidence links, owners, and mitigation status.
Should AI vendors get extra review?
Yes. AI vendors may need extra review for customer-data use, model providers, automated decisions, agent tool access, prompt injection controls, logs, and human review paths.
How do you keep an AI vendor review from going stale?
Treat model/provider changes like risk events. Track review owner, last review date, model or subprocessor change notices, evaluation evidence, and emergency disable steps so the worksheet stays usable after the vendor changes behavior.
How do you keep a subprocessor list from going stale?
Give the list an owner and a trigger. Update it when new vendors or integrations are added, monitor key vendors for upstream subprocessor changes, and keep a version log so customers can trust that the list is current.
Is this template legal or compliance advice?
No. It is a practical starting point for organizing vendor risk information. Legal, privacy, security, or compliance owners should review obligations for regulated workflows.
Need a shortlist for your workflow?
Send the formats you receive, your current answer-library setup, and whether you need portal support. We will use those signals to prioritize the next comparison updates.