Assess supplier security before it becomes your audit problem.
Check vendor risk based on data access, service criticality, certifications, contracts, and security evidence - in line with ISO 27001:2022 supplier controls.
What you capture for each supplier
A supplier risk decision is only as good as the facts behind it. These inputs cover the questions an auditor will expect you to have already answered.
Sample supplier risk output
Each assessment returns a risk level, the reasoning behind it, and the evidence required to bring residual risk down to an acceptable level.
Processes customer personal data and has production system access.
- ISO 27001 certificate or equivalent independent assurance (SOC 2 Type II)
- Signed data processing agreement covering scope, purpose, and retention
- Incident notification clause with defined timelines
- Access control evidence (MFA, least-privilege, joiner/mover/leaver)
- Completed security questionnaire (CAIQ, SIG, or internal)
- Penetration test summary or vulnerability management evidence, where appropriate
How this maps to ISO 27001:2022
The checker is structured around the Annex A controls auditors actually sample when they look at your supplier programme.
Identify and document risks before onboarding a supplier with access to information or systems.
Confirm relevant security requirements are agreed in writing and proportional to risk.
Maintain ongoing oversight of supplier security, not just at onboarding.
Consider subprocessors and upstream dependencies, not only the direct supplier.
The Vendor Security Checker supports your supplier due-diligence process. It does not replace contractual review by legal counsel, a full third-party audit, or your certification body's assessment of the supplier programme.
Supplier risk questions
Check a vendor
Capture the facts, get a risk rating, and produce an evidence checklist your auditor will recognise.
Check a vendor