Vendor Security Checker

    Assess supplier security before it becomes your audit problem.

    Check vendor risk based on data access, service criticality, certifications, contracts, and security evidence - in line with ISO 27001:2022 supplier controls.

    What you capture for each supplier

    A supplier risk decision is only as good as the facts behind it. These inputs cover the questions an auditor will expect you to have already answered.

    Supplier name
    Legal entity and trading name
    Service provided
    What the supplier actually delivers
    Data processed
    Personal data, financial data, IP, none
    Access level
    No access, read-only, admin, production
    Business criticality
    Low, medium, high, critical to operations
    Certifications
    ISO 27001, SOC 2, ISO 27017/27018
    Contract / security clauses
    DPA, security schedule, breach notice
    Incident history
    Known breaches or service incidents
    Subprocessors
    Onward processors and their locations

    Sample supplier risk output

    Each assessment returns a risk level, the reasoning behind it, and the evidence required to bring residual risk down to an acceptable level.

    Supplier risk: High
    Reason

    Processes customer personal data and has production system access.

    Required evidence
    • ISO 27001 certificate or equivalent independent assurance (SOC 2 Type II)
    • Signed data processing agreement covering scope, purpose, and retention
    • Incident notification clause with defined timelines
    • Access control evidence (MFA, least-privilege, joiner/mover/leaver)
    • Completed security questionnaire (CAIQ, SIG, or internal)
    • Penetration test summary or vulnerability management evidence, where appropriate

    How this maps to ISO 27001:2022

    The checker is structured around the Annex A controls auditors actually sample when they look at your supplier programme.

    A.5.19Information security in supplier relationships

    Identify and document risks before onboarding a supplier with access to information or systems.

    A.5.20Addressing security within supplier agreements

    Confirm relevant security requirements are agreed in writing and proportional to risk.

    A.5.22Monitoring, review and change management of supplier services

    Maintain ongoing oversight of supplier security, not just at onboarding.

    A.5.21Managing information security in the ICT supply chain

    Consider subprocessors and upstream dependencies, not only the direct supplier.

    The Vendor Security Checker supports your supplier due-diligence process. It does not replace contractual review by legal counsel, a full third-party audit, or your certification body's assessment of the supplier programme.

    Supplier risk questions

    Check a vendor

    Capture the facts, get a risk rating, and produce an evidence checklist your auditor will recognise.

    Check a vendor