Vendor Risk Management Checklist: Third-party Security, Privacy, and Contract Controls
Quick answer
Vendor risk management is a repeatable way to stop third-party issues from becoming incidents. Check security controls, privacy duties, breach notification terms, and evidence like SOC reports before contract signature. Re-assess on a set cadence and after major changes like acquisitions or system moves.
What is a vendor risk management checklist?
A vendor risk management checklist is a repeatable set of checks you run before contract signature and during the vendor lifecycle. It covers third-party security, privacy obligations, and contract terms that reduce the chance of a breach, outage, or compliance issue.
Sources: [S1], External: NIST CSF, NIST SP 800-53
Common searches and templates
Teams often look for one of these variants: vendor due diligence checklist pdf, vendor due diligence checklist template, third party security assessment checklist, vendor assessment checklist, IT due diligence checklist, AI vendor due diligence checklist, vendor risk management checklist template, vendor risk management checklist excel, vendor risk assessment checklist xls, third party risk assessment checklist xls, vendor risk management checklist pdf, free vendor risk management checklist, and vendor risk management checklist github.
A simple vendor due diligence workflow
Use one workflow for both procurement and renewals. The goal is fast, consistent decisions with clear owners.
- Intake: what data the vendor touches, what systems it connects to, and what services it provides.
- Tiering: assign a risk tier based on data sensitivity and operational criticality.
- Security review: controls plus evidence (not only attestations).
- Privacy review: DPA terms, sub-processors, and breach notification.
- Contract controls: service levels, audit rights, incident response duties, and termination support.
- Decision: approve, approve with conditions, or reject.
- Re-assess: on cadence and after material changes.
Sources: [S1], [S2], External: NIST SP 800-161
Risk tiering and scope
Tiering prevents “one questionnaire for everything.” Use tiering to decide how deep the review goes and what evidence is required.
| Tier | When to use it | Minimum checks | Evidence examples |
|---|---|---|---|
| Low | No sensitive data, low operational impact | Basic security questionnaire, basic privacy check | Policy excerpts, limited architecture overview |
| Medium | Business data or internal integrations | Security controls review, DPA checklist, contract controls | SOC 2 report or equivalent, pen test summary |
| High | PII, regulated data, or mission-critical service | Deep security review, SOC 2 review checklist, incident response review, ongoing monitoring | SOC 2 Type II, IR plan, vulnerability management evidence |
Third party security assessment checklist
This third party security assessment checklist focuses on controls that most often reduce real incidents: access, logging, patching, backup, and incident response.
Third party security assessment checklist (copy/paste)
Identity and access
- SSO supported and enforced for admin users
- MFA required for privileged access
- Role-based access control and least privilege
- Joiner-mover-leaver process and access reviews
Security operations
- Central logging with retention and alerting
- Vulnerability management: scanning cadence and patch SLAs
- Secure SDLC and change control for production releases
- Backup and recovery: RPO/RTO and restore testing
Data protection
- Encryption in transit and at rest
- Key management approach and rotation
- Data segregation for multi-tenant services
Incident response
- Written incident response plan
- Breach notification timelines and contacts
- Post-incident reporting and root cause actions
Business continuity
- BCP/DR tested on a schedule
- Availability targets and status communications
Sources: [S3], External: NIST SP 800-53, ISO 27001
Security questionnaire: what to ask
If you use a security questionnaire, keep it scoped to the vendor's risk tier and evidence-based. For each control, ask who owns it, how often it runs, and what proof exists; a "yes" with no artifact behind it is an attestation, not evidence.
Security questionnaire (starter questions)
Access control
1) Do you enforce MFA for privileged access?
2) Do you support SSO for customer tenants?
3) How often do you review privileged roles?
Vulnerability management
4) What is your vulnerability scanning cadence?
5) What are your patch time targets for critical issues?
6) Do you run penetration tests? If yes, how often and by whom?
Logging and monitoring
7) What logs are collected and how long are they retained?
8) Do you have 24x7 alerting for critical events?
Data protection
9) Is data encrypted in transit and at rest?
10) How are encryption keys stored and rotated?
Incident response
11) What is your breach notification timeline and process?
12) Who is the incident commander contact for customers?
Resilience
13) What are your stated availability targets?
14) What are your RPO and RTO commitments and test cadence?
Sources: [S3], [S6], External: Shared Assessments, NIST CSF
Privacy vendor assessment and DPA checklist
A privacy vendor assessment checks whether the vendor’s processing aligns with your duties. The DPA checklist should be reviewed before signature, not after an incident.
Data processing addendum checklist (copy/paste)
Scope and purpose
- Processing purpose and instructions are defined
- Data categories and data subjects are defined
- Data location and transfer mechanisms are documented (if applicable)
Security and confidentiality
- Security measures are described in the agreement or an attached exhibit
- Confidentiality duties apply to personnel and contractors
Sub-processors
- Sub-processor list available and change notification defined
- Right to object or receive notice for material sub-processor changes
Breach and incident terms
- Breach notification timeline and required details
- Cooperation duties for investigation and notices
Data lifecycle
- Retention and deletion terms
- Return or destruction terms at termination
Audit and assurance
- Audit rights or assurance alternatives (such as SOC reports)
- Customer responsibilities are clearly stated (shared responsibility)
Assistance
- Support for data subject requests (if applicable)
- Support for DPIAs or regulator inquiries (if applicable)
Sources: [S4], External: GDPR, UK ICO
SOC 2 review checklist
SOC 2 reports are useful only if you confirm scope, period, exceptions, and what controls you must operate. Use this SOC 2 review checklist to avoid false confidence.
SOC 2 review checklist (copy/paste)
1) Report type and period
- SOC 2 Type I or Type II (Type I covers control design at a point in time; Type II also tests operating effectiveness over a period, typically 6 to 12 months, so prefer Type II for High-tier vendors)
- Coverage period matches your risk window
2) Scope
- Services and systems in scope match what you are buying
- Subservice organizations are listed and the treatment method (carve-out or inclusive) is clear; carved-out subservice organizations need their own assurance review
3) Trust Services Criteria
- Confirm which criteria are covered: security (the common criteria) is always in scope; availability, confidentiality, processing integrity, and privacy are optional and only covered if the vendor chose to include them
4) Exceptions and findings
- List exceptions and map them to your use case
- Validate remediation dates and evidence
5) Complementary user entity controls
- Identify controls your organization must run
- Assign owners and due dates internally
6) Bridging letter or gap coverage (if needed)
- Ask for coverage from the report end date to today
7) Contract tie-in
- Ensure security commitments in contract align with report scope
Contract controls that reduce incidents
Contract controls matter because they define response speed, evidence access, and accountability.
| Control | Why it matters | What to include |
|---|---|---|
| Breach notification | Reduces time to respond | Timeline, content requirements, contacts, cooperation duties |
| Security duties | Sets minimum expectations | Security exhibit, audit approach, change notification |
| Sub-processors | Controls supply chain risk | Disclosure, notification, rights on material changes |
| Service levels | Reduces operational risk | Availability target, credits, status communications |
| Termination support | Reduces lock-in | Data export, deletion proof, transition services options |
IT due diligence checklist
This IT due diligence checklist is useful for high-impact vendors and for major changes like migrations, acquisitions, or new integrations.
IT due diligence checklist (copy/paste)
Architecture and integrations
- Data flows diagram and integration points
- Authentication and authorization approach
- Network segmentation and tenant isolation
Operations
- Change management and release process
- Monitoring coverage and on-call model
- Backup and restore testing evidence
Security and privacy
- Vulnerability management evidence
- Access review evidence for privileged accounts
- Data retention and deletion process
Compliance and assurance
- SOC 2 or equivalent assurance approach
- Policy set (security, incident response, BCP/DR)
Exit and portability
- Data export format and timing
- Deletion and destruction confirmation
Sources: [S2], External: NIST SP 800-161
AI vendor due diligence checklist
If the vendor uses GenAI or provides AI features, add checks for data use, retention, and safety testing. Do not rely on marketing claims. Require clear answers and evidence.
AI vendor due diligence checklist (copy/paste)
Data use and retention
- Is customer data used to train or fine-tune models?
- What is the default retention period for prompts and outputs?
- Can you opt out of training and set retention to a defined period?
Access and controls
- Role-based access to prompts, outputs, and logs
- Admin audit logs and export capability
Safety and testing
- Documented red-teaming or adversarial testing
- Controls for prompt injection and data leakage
- Human review options for high-risk workflows
Compliance and transparency
- Model and data lineage disclosures (what was trained on, at a high level)
- Incident response for model or data issues
Contract and assurance
- Contract terms for training opt-out, deletion, and breach notice
- Assurance approach (SOC, security testing, or equivalent evidence)
Sources: [S7], External: OWASP LLM Top 10, NIST AI RMF
Ongoing monitoring and re-assessment cadence
Vendor risk management is not only onboarding. Re-assess vendors on a cadence and after material changes.
- Annual: high-risk vendors, vendors processing sensitive data, and mission-critical services.
- Every 2 years: medium-risk vendors.
- Event-based: security incident, major product change, new sub-processor, new data type, acquisition, or system migration.
Sources: [S1], External: NIST CSF
Templates: Excel, XLS, PDF, GitHub-ready
Use these templates for vendor risk management checklist excel, vendor risk assessment checklist xls, vendor due diligence checklist pdf, and vendor risk management checklist github.
Vendor risk management checklist template (Excel columns)
Vendor,Service,Data types,Integrations,Risk tier,Security review status,Privacy review status,DPA required (Y/N),SOC 2 available (Y/N),Key exceptions,Contract controls status,Owner,Decision (Approve/Conditions/Reject),Re-assessment date,Notes
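The tiering table, the SOC 2 period check, and the re-assessment cadence above can be run over the register itself instead of by hand. The Python script below is an added example, not code from the original page or from any NMS Consulting tool: it reads a register that uses the Excel column names above plus four assumed extra columns ("Criticality", "SOC 2 type", "SOC 2 period end", "Last review date"), assigns a tier, lists the evidence gaps that turn a plain approval into "approve with conditions", and computes the next re-assessment date. The sample rows, the data-type labels, the 36-month cadence for Low-tier vendors, and the 180-day bridging-letter threshold are all constructed assumptions, not values from the page.

```python
"""
Vendor register checker (added example). Reads a register CSV using the column names
from the Excel template above, assigns a risk tier from the tiering table, checks the
evidence the tier requires, flags a stale SOC 2 period, and computes the next
re-assessment date from the cadence section. Columns marked "assumed" are not on
the page's template.
"""
import csv
import io
from datetime import date

TODAY = date(2025, 12, 26)  # fixed "today" so the example is reproducible

# Cadence per the re-assessment section. The 36-month Low cadence is an assumption;
# the page sets no cadence for Low-tier vendors.
CADENCE_MONTHS = {"High": 12, "Medium": 24, "Low": 36}

# Assumed labels for the "Data types" column (semicolon-separated in the CSV).
REGULATED = {"PII", "PHI", "PCI", "regulated"}
BUSINESS = {"business data", "internal"}

# Assumed internal policy: ask for a bridging letter if the SOC 2 coverage period
# ended more than this many days ago.
MAX_SOC2_GAP_DAYS = 180


def assign_tier(data_types, criticality):
    """Tier from data sensitivity and operational criticality (tiering table above)."""
    if data_types & REGULATED or criticality == "mission-critical":
        return "High"
    if data_types & BUSINESS or criticality == "internal-integration":
        return "Medium"
    return "Low"


def add_months(d, months):
    """Calendar-month addition with no third-party dependency; clamps to month end."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    next_month_start = date(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    last_day = (next_month_start - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def next_reassessment(tier, reviewed_on):
    """Next scheduled review; event-based triggers (incident, acquisition) are tracked separately."""
    return add_months(reviewed_on, CADENCE_MONTHS[tier])


def needs_bridge_letter(report_end, today):
    """True when the SOC 2 period ended too long ago to rely on without a bridging letter."""
    return (today - report_end).days > MAX_SOC2_GAP_DAYS


def review_register(csv_text, today):
    """One finding per vendor: tier, evidence gaps blocking a plain approval, next review date."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data_types = {t.strip() for t in row["Data types"].split(";") if t.strip()}
        tier = assign_tier(data_types, row["Criticality"])  # "Criticality": assumed column
        gaps = []
        if tier == "High" and row["SOC 2 type"] != "Type II":  # "SOC 2 type": assumed column
            gaps.append("High tier requires a SOC 2 Type II report (or equivalent)")
        if tier == "Medium" and row["SOC 2 available (Y/N)"] != "Y":
            gaps.append("Medium tier requires a SOC 2 report or equivalent assurance")
        if data_types & REGULATED and row["DPA required (Y/N)"] != "Y":
            gaps.append("regulated data present but DPA not marked as required")
        period_end = row["SOC 2 period end"]  # assumed column: ISO date or blank
        if period_end and needs_bridge_letter(date.fromisoformat(period_end), today):
            gaps.append("SOC 2 period ended more than %d days ago: request a bridging letter"
                        % MAX_SOC2_GAP_DAYS)
        reviewed_on = date.fromisoformat(row["Last review date"])  # assumed column
        findings.append({
            "vendor": row["Vendor"],
            "tier": tier,
            "decision": "Approve" if not gaps else "Approve with conditions",
            "gaps": gaps,
            "next_reassessment": next_reassessment(tier, reviewed_on).isoformat(),
        })
    return findings


# Constructed sample register (not real vendors); columns beyond the template are assumed.
SAMPLE_REGISTER = """\
Vendor,Service,Data types,Criticality,DPA required (Y/N),SOC 2 available (Y/N),SOC 2 type,SOC 2 period end,Last review date
Payroll SaaS,payroll,PII;business data,mission-critical,Y,Y,Type II,2025-09-30,2025-09-15
Analytics tool,dashboards,business data,internal-integration,N,Y,Type I,2025-05-31,2025-10-01
Newsletter tool,email marketing,PII,low,N,N,,,2025-11-30
Office plant service,plant care,,low,N,N,,,2025-12-01
"""

if __name__ == "__main__":
    for f in review_register(SAMPLE_REGISTER, TODAY):
        print(f["vendor"], f["tier"], f["decision"], f["next_reassessment"], f["gaps"])
```

Run as a script it prints one line per vendor. The point of the design is that the register, not the reviewer's memory, decides the tier and the required evidence: a vendor tagged with PII lands in High even if procurement entered it as low criticality, and a stale SOC 2 period shows up as a condition rather than being noticed a year later.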
Third party risk assessment checklist xls (tabs)
Tab 1: Intake and tiering
Tab 2: Third party security assessment checklist
Tab 3: Privacy vendor assessment and DPA checklist
Tab 4: SOC 2 review checklist
Tab 5: Contract controls and approvals
Tab 6: Re-assessment cadence and change events
Vendor due diligence checklist pdf (pack outline)
1) One-page summary: vendor, service, data, tier, decision
2) Security review: key controls plus evidence list
3) Privacy review: DPA checklist items and decisions
4) SOC 2 review: scope, exceptions, user entity controls
5) Contract controls: breach notice, audit approach, sub-processors, SLAs
6) Conditions to approve: owners and due dates
Vendor risk management checklist github (issue template text)
Title: Vendor due diligence - [Vendor Name]
Summary
- Service:
- Data types:
- Integrations:
- Risk tier:
Security
- Third party security assessment checklist completed: [Yes/No]
- Evidence received (SOC 2, pen test summary, policies): [List]
- Key exceptions: [List]
Privacy
- DPA required: [Yes/No]
- Sub-processors reviewed: [Yes/No]
- Breach notification term confirmed: [Yes/No]
- Data retention and deletion confirmed: [Yes/No]
Contract controls
- SLAs and support terms confirmed: [Yes/No]
- Audit or assurance approach confirmed: [Yes/No]
- Termination support and data export confirmed: [Yes/No]
Decision
- Approve / Approve with conditions / Reject:
- Conditions (owner and due date): [List]
- Next re-assessment date:
Want a vendor risk management checklist tailored to your data, systems, and contract standards?
Contact NMS Consulting.
FAQ
What is a vendor risk management checklist?
A vendor risk management checklist is a repeatable set of security, privacy, and contract checks used before signing and during the vendor lifecycle to reduce third-party incidents and compliance risk.
What is a third party risk management checklist?
A third party risk management checklist covers onboarding, tiering, evidence review (such as SOC reports), contract controls, ongoing monitoring, and re-assessment.
What is included in a third party security assessment checklist?
At minimum: identity and access controls, vulnerability management, logging and monitoring, encryption, incident response, and resilience testing.
What is a SOC 2 review checklist?
A SOC 2 review checklist validates scope, period, criteria covered, exceptions, and complementary user entity controls your organization must operate.
What should a data processing addendum checklist include?
A DPA checklist should cover purpose, confidentiality, sub-processors, breach notice, audit approach, retention and deletion, and assistance duties.
What should an AI vendor due diligence checklist include?
AI vendor due diligence should cover data use and retention, training or fine-tuning rules, access controls, safety testing, logging, and how the vendor limits prompt injection and sensitive data exposure.
Sources
- S1. National Institute of Standards and Technology (NIST), “Cybersecurity Framework (CSF).” Accessed 2025-12-26. https://www.nist.gov/cyberframework
- S2. NIST, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1)” (PDF). Accessed 2025-12-26. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
- S3. NIST, “Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53r5)” (PDF). Accessed 2025-12-26. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
- S4. European Union, “General Data Protection Regulation (GDPR) (EU) 2016/679” (official text). Accessed 2025-12-26. https://eur-lex.europa.eu/eli/reg/2016/679/oj
- S5. AICPA, “SOC suite of services (System and Organization Controls).” Accessed 2025-12-26. https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
- S6. Shared Assessments, “Shared Assessments Program” (questionnaires and third-party risk resources). Accessed 2025-12-26. https://sharedassessments.org/
- S7. OWASP, “Top 10 for Large Language Model Applications.” Accessed 2025-12-26. https://owasp.org/www-project-top-10-for-large-language-model-applications/
- S8. NIST, “AI Risk Management Framework (AI RMF).” Accessed 2025-12-26. https://www.nist.gov/itl/ai-risk-management-framework
- S9. ISO, “ISO/IEC 27001 Information security management.” Accessed 2025-12-26. https://www.iso.org/standard/27001
- S10. UK Information Commissioner’s Office (ICO), “Contracts and liabilities between controllers and processors.” Accessed 2025-12-26. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/contracts/
