# Vendor Risk Assessment Template

Use this worksheet to review a supplier, SaaS vendor, AI vendor, data processor, or service provider before onboarding, renewal, or risk acceptance.

This is a practical starting point, not legal or compliance advice.

## Assessment Fields

| Field | Notes |
|---|---|
| Vendor name | Supplier, SaaS tool, service provider, AI platform, consultant, or data processor under review. |
| Service or product | What the vendor provides and which workflow depends on it. |
| Business owner | Internal owner accountable for vendor use, renewal, and mitigation. |
| Vendor owner | Supplier contact for security, privacy, compliance, or account questions. |
| Assessment type | New vendor review, renewal review, regulated data review, AI vendor review, or exception review. |
| Data access | Public data, business data, confidential data, personal data, PHI, credentials, or customer content. |
| Business criticality | Low, medium, high, or mission-critical. |
| Access level | No access, limited read, broad read/write, admin, credential, or production access. |
| Compliance exposure | Internal policy, customer commitments, regulated obligations, or contractual requirements. |
| AI or automation use | Whether AI, agents, automated decisions, model providers, or tool access are involved. |
| Security evidence | SOC 2, ISO 27001, CAIQ, SIG, penetration test summary, policies, access controls, audit logs. |
| Privacy evidence | DPA, BAA, subprocessors, retention, deletion, data location, privacy review, opt-out path. |
| Risk score | Total of the scoring factors below. |
| Risk tier | Low, medium, high, or critical. |
| Decision | Approve, approve with mitigation, escalate, block, or revisit. |
| Mitigation owner | Person accountable for closing gaps. |
| Review date | Date for renewal, evidence refresh, or risk reassessment. |

## Scoring Model

Score each factor from 0 to 3.

| Factor | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| Data sensitivity | No sensitive data | Business data | Personal or confidential data | Regulated or high-impact data |
| System criticality | Optional | Team workflow | Customer-facing or revenue workflow | Mission-critical operations |
| Access level | No access | Limited read-only access | Broad read/write access | Admin, credential, or production access |
| Compliance exposure | None | Internal policy | Customer commitments | Regulated or contractual obligations |
| AI and automation | None | Internal AI only | AI processes customer data | Agent/tool access or automated high-impact decisions |
| Evidence quality | Strong current evidence | Partial evidence | Stale evidence | Missing or unverifiable evidence |

## Risk Bands

| Total score | Tier | Suggested action |
|---|---|---|
| 0-4 | Low | Approve with standard owner review and renewal tracking. |
| 5-8 | Medium | Request core evidence and document open risks before approval. |
| 9-13 | High | Require security, privacy, and business-owner approval before use. |
| 14-18 | Critical | Escalate to formal risk acceptance, mitigation plan, or block until gaps are closed. |
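The scoring model and risk bands above are easy to apply inconsistently by hand, so here is a small added Python example (not part of the original worksheet) that encodes the six factors, validates that each is scored 0 to 3, sums them, and maps the total onto the tier and suggested action from the Risk Bands table. The vendor name and factor scores in the sample run are constructed for illustration.

```python
from typing import Dict, Tuple

# The six scoring factors from the worksheet; each is scored 0 to 3.
FACTORS = (
    "data_sensitivity",
    "system_criticality",
    "access_level",
    "compliance_exposure",
    "ai_and_automation",
    "evidence_quality",
)

MIN_FACTOR, MAX_FACTOR = 0, 3

# Risk bands from the worksheet: (lowest total, highest total, tier, action).
RISK_BANDS = (
    (0, 4, "Low", "Approve with standard owner review and renewal tracking."),
    (5, 8, "Medium", "Request core evidence and document open risks before approval."),
    (9, 13, "High", "Require security, privacy, and business-owner approval before use."),
    (14, 18, "Critical",
     "Escalate to formal risk acceptance, mitigation plan, or block until gaps are closed."),
)


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject missing or unknown factors and any score outside 0..3."""
    missing = [f for f in FACTORS if f not in scores]
    unknown = [k for k in scores if k not in FACTORS]
    if missing or unknown:
        raise ValueError(f"missing factors: {missing}; unknown factors: {unknown}")
    for name, value in scores.items():
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name}: score must be an integer, got {value!r}")
        if not MIN_FACTOR <= value <= MAX_FACTOR:
            raise ValueError(f"{name}: score {value} outside {MIN_FACTOR}..{MAX_FACTOR}")


def total_score(scores: Dict[str, int]) -> int:
    """Risk score is the plain sum of the six validated factor scores."""
    validate_scores(scores)
    return sum(scores[f] for f in FACTORS)


def risk_tier(total: int) -> Tuple[str, str]:
    """Map a total score onto (tier, suggested action) using the band table."""
    for low, high, tier, action in RISK_BANDS:
        if low <= total <= high:
            return tier, action
    raise ValueError(f"total {total} is outside the 0..18 range the bands cover")


def assess(vendor_name: str, scores: Dict[str, int]) -> dict:
    """Produce the worksheet's Risk score / Risk tier / suggested action fields."""
    total = total_score(scores)
    tier, action = risk_tier(total)
    return {
        "vendor_name": vendor_name,
        "risk_score": total,
        "risk_tier": tier,
        "suggested_action": action,
    }


# Constructed sample: a hypothetical analytics SaaS that processes personal data,
# backs a customer-facing workflow, and has only partial security evidence.
SAMPLE_SCORES = {
    "data_sensitivity": 2,      # personal or confidential data
    "system_criticality": 2,    # customer-facing or revenue workflow
    "access_level": 1,          # limited read-only access
    "compliance_exposure": 2,   # customer commitments
    "ai_and_automation": 2,     # AI processes customer data
    "evidence_quality": 1,      # partial evidence
}

if __name__ == "__main__":
    result = assess("Example Analytics SaaS (constructed)", SAMPLE_SCORES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The band boundaries (4/5, 8/9, 13/14) are where most disagreement happens in a manual review, so the tier lookup is the piece worth checking against the table whenever the bands are changed; `validate_scores` also catches the common spreadsheet mistake of leaving a factor blank or scoring it on a different scale.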

## Supplier Questions

- What customer, employee, patient, or business data will the vendor access?
- What security evidence can the vendor provide?
- Which subprocessors or fourth parties are involved?
- How are access, authentication, and privileged actions controlled?
- How does the vendor handle incidents and breach notification?
- Does the vendor use AI, agents, model providers, or automated decisioning?

## Evidence To Request

- SOC 2 report or ISO 27001 certificate
- Security whitepaper or security policy
- Penetration test summary
- Access control and audit logging evidence
- Incident response and breach notification process
- DPA, BAA, privacy policy, retention policy, and subprocessor list
- AI data-use terms, model provider list, human review controls, and audit logs
