Third-Party Risk · March 2026 · 13 min read

Vendor Security Assessment Template: A Complete Framework (Free Download)

Third-party breaches account for the majority of significant data incidents. This guide provides a complete vendor security assessment framework with a downloadable template covering seven control domains.


The majority of significant data breaches now involve a third party. The SolarWinds compromise. The MOVEit vulnerability. The Change Healthcare attack. In each case, the entry point was not the victim organisation itself. It was a supplier, a software provider, or a service they relied on.

Yet despite this well-documented threat pattern, most organisations assess their vendors' security posture with a process that would be recognisable to a security manager from 2005: a spreadsheet questionnaire, sent by email, completed manually, filed away, and rarely revisited until the next annual assessment cycle.

This guide provides a complete vendor security assessment framework, grounded in ISO 27001 and NIST CSF, covering seven control domains, along with a downloadable template your team can use immediately.

Why Traditional Vendor Assessments Fail

Before the template, it is worth understanding why the standard approach to vendor risk assessment consistently produces poor outcomes. There are three structural problems:

1. Point-in-Time Assessment of a Dynamic Risk

A vendor security questionnaire completed in January reflects the vendor's security posture in January. If the vendor suffers a breach in February, loses their CISO in March, or deprecates a key security control in April, none of that appears in your January assessment. You are managing risk based on stale data, potentially for 11 months of the year.

2. Self-Reported Data with No Verification

Traditional questionnaires ask vendors to self-certify their security controls. There is no verification mechanism. A vendor that answers "yes" to "Do you encrypt data at rest?" may be telling the truth, may be misunderstanding the question, or may simply be optimising their response for the outcome they want. Without external validation (scanning the vendor's external attack surface, checking for dark web exposure, reviewing their SSL configuration), self-reported data is of limited value.

3. Assessment Coverage vs. Operational Coverage

Annual assessments cover perhaps 20-30% of a typical organisation's vendor base, typically the highest-tier, most critical suppliers. The remaining 70-80% of vendors, the ones that access your systems, process your data, or run integrations with your infrastructure, are assessed rarely or never. This coverage gap is where most third-party incidents originate.

A Better Framework: The Seven Control Domains

A robust vendor security assessment covers seven control domains. For each domain, we provide the key questions to ask, the evidence to request, and the ISO 27001 and NIST CSF mapping.

Domain 1: Information Security Governance

ISO 27001: Clause 5 (Leadership) / NIST CSF: GV.OC, GV.RM

This domain assesses whether the vendor has the organisational structures and leadership commitment to manage security effectively.

Key questions:

  • Does the vendor have a named CISO or equivalent senior security leader?
  • Does the vendor have a documented information security policy, approved by leadership, reviewed within the past 12 months?
  • Is security risk reported to board level on a regular basis?
  • Does the vendor maintain an ISO 27001 certification? (Request current certificate)
  • Has the vendor completed a SOC 2 Type II audit within the past 12 months? (Request the report)

Evidence to request: ISMS policy document, ISO 27001 certificate, SOC 2 Type II report, security risk register excerpt

Domain 2: Data Handling and Classification

ISO 27001: Annex A.8 / NIST CSF: ID.AM, PR.DS

This domain assesses whether the vendor understands what data they handle on your behalf, how they classify it, and what controls protect it.

Key questions:

  • What data belonging to our organisation does the vendor process, store, or transmit?
  • Does the vendor have a documented data classification policy? How is our data classified under it?
  • Is data encrypted at rest? What algorithm and key length?
  • Is data encrypted in transit? Does the vendor enforce TLS 1.2 minimum?
  • Where is our data stored geographically? Does storage location comply with our data residency requirements?
  • What is the vendor's data retention and disposal policy?

Evidence to request: Data flow diagram, data classification policy, encryption configuration documentation, data processing agreement

Domain 3: Access Control and Identity Management

ISO 27001: Annex A.5, A.8 / NIST CSF: PR.AA

This domain assesses whether the vendor controls who can access your data and their own systems effectively.

Key questions:

  • Does the vendor enforce multi-factor authentication for all employees with access to customer data?
  • Does the vendor apply the principle of least privilege, i.e., are employees only granted access they need for their role?
  • How quickly does the vendor revoke access when an employee leaves? Is there evidence of a joiner/mover/leaver process?
  • Does the vendor conduct periodic access reviews? How frequently?
  • Are privileged accounts (admin, root) separately controlled with enhanced monitoring?

Evidence to request: Access control policy, MFA configuration screenshot, access review process documentation, privileged access management policy

Domain 4: Vulnerability Management and Patching

ISO 27001: Annex A.8 / NIST CSF: ID.RA, PR.IP

This domain assesses the vendor's ability to identify and remediate vulnerabilities in the systems that handle your data.

Key questions:

  • Does the vendor have a documented vulnerability management programme?
  • How frequently does the vendor conduct vulnerability scanning of internet-facing systems?
  • What are the vendor's patching SLAs by severity (critical, high, medium, low)?
  • Does the vendor conduct regular penetration testing? How frequently? By whom?
  • How does the vendor manage vulnerabilities in third-party software components (SCA)?

Evidence to request: Vulnerability management policy, most recent penetration test executive summary, patch management SLA documentation, CVE response history (last 12 months)

Domain 5: Incident Response and Business Continuity

ISO 27001: Annex A.5, Clause 8 / NIST CSF: RS, RC

This domain assesses the vendor's readiness to detect, respond to, and recover from security incidents, and their obligations to notify you.

Key questions:

  • Does the vendor have a documented incident response plan?
  • What is the vendor's obligation to notify us in the event of a security incident affecting our data? What is the notification timeline?
  • Has the vendor experienced any security incidents in the past 24 months? Were they disclosed to affected customers?
  • Does the vendor conduct tabletop exercises or incident response simulations? How frequently?
  • What is the vendor's Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems?

Evidence to request: Incident response plan, notification clause in contract/DPA, incident history disclosure, business continuity plan, BCP test results

Domain 6: Supply Chain and Subprocessors

ISO 27001: Annex A.5 / NIST CSF: GV.SC, ID.SC

This domain assesses whether the vendor extends adequate security requirements to their own suppliers, who may have access to your data.

Key questions:

  • Does the vendor use any subprocessors who will have access to our data? (Request a complete list)
  • How does the vendor assess the security posture of their own subprocessors?
  • Are security requirements flowed down contractually to all subprocessors?
  • How does the vendor notify us of changes to their subprocessor list?
  • Has any subprocessor experienced a security incident affecting vendor operations in the past 24 months?

Evidence to request: Subprocessor list, supplier security policy, subprocessor assessment evidence, contractual flow-down clauses

Domain 7: Physical Security and Environmental Controls

ISO 27001: Annex A.7 / NIST CSF: PR.AA

This domain is often overlooked but remains relevant, particularly for vendors who host infrastructure or have physical access to your data.

Key questions:

  • Where are the vendor's primary data centres located? Are they owned or co-located?
  • What physical access controls are in place at data processing locations?
  • Are data centres certified to relevant standards (ISO 27001, SOC 2, Tier 3/4)?
  • How are decommissioned storage media handled? Is there evidence of secure disposal?

Evidence to request: Data centre certifications, physical security policy, media disposal policy and process

Scoring and Risk Rating

A vendor assessment is only as useful as the risk rating it produces. We recommend a simple three-tier scoring approach:

Risk tier: HIGH
Definition: Vendor has critical gaps in one or more domains. No certification. Evidence of prior incidents with poor disclosure.
Required action: Remediation plan required before continued use. Escalate to CISO and legal.

Risk tier: MEDIUM
Definition: Vendor has adequate controls in most domains but has identifiable gaps. May lack certification or have delayed patching.
Required action: Require remediation within 90 days. Increased monitoring frequency.

Risk tier: LOW
Definition: Vendor demonstrates strong controls across all domains. Certification held. Clean incident history.
Required action: Annual reassessment. Standard monitoring.
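To make the three-tier scheme repeatable rather than a judgement call made differently by each assessor, it helps to encode it. The following is an added example, not code from this guide or from Scrutex: it scores a completed seven-domain assessment and derives the required action and the dates the tier implies (90-day remediation for MEDIUM, annual reassessment for LOW). The DomainResult and VendorAssessment shapes, the sample vendor, and the reading of the table (a critical gap or a poorly disclosed prior incident is HIGH on its own; a non-critical gap, missing certification or delayed patching is MEDIUM) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Added example (not part of the guide or any product): scoring a completed
# assessment with the three-tier scheme above. The data shapes and the sample
# vendor are constructed for illustration.

DOMAINS = (
    "governance", "data_handling", "access_control", "vulnerability_mgmt",
    "incident_response", "supply_chain", "physical_security",
)

REQUIRED_ACTION = {
    "HIGH": "Remediation plan required before continued use. Escalate to CISO and legal.",
    "MEDIUM": "Require remediation within 90 days. Increased monitoring frequency.",
    "LOW": "Annual reassessment. Standard monitoring.",
}


@dataclass
class DomainResult:
    name: str
    critical_gap: bool = False       # control failure that directly exposes our data
    gap: bool = False                # weakness that needs remediation but is not critical
    evidence_received: bool = True   # vendor supplied the requested evidence, not just a "yes"


@dataclass
class VendorAssessment:
    vendor: str
    assessed_on: date
    domains: List[DomainResult]
    certified: bool                              # current ISO 27001 certificate or SOC 2 Type II report
    prior_incident_poorly_disclosed: bool = False
    delayed_patching: bool = False               # patching SLAs missed for critical/high findings

    def __post_init__(self) -> None:
        # An assessment that skips a domain cannot be rated; refuse to score it.
        missing = set(DOMAINS) - {d.name for d in self.domains}
        if missing:
            raise ValueError(f"assessment incomplete, missing domains: {sorted(missing)}")


def rate(a: VendorAssessment) -> str:
    """Map an assessment to HIGH / MEDIUM / LOW using the tier definitions above."""
    if any(d.critical_gap for d in a.domains) or a.prior_incident_poorly_disclosed:
        return "HIGH"
    # A "yes" with no evidence behind it is treated as a gap, per the
    # self-reporting problem described earlier in the guide.
    if (any(d.gap or not d.evidence_received for d in a.domains)
            or not a.certified or a.delayed_patching):
        return "MEDIUM"
    return "LOW"


def plan(a: VendorAssessment) -> Dict[str, object]:
    """Produce the tier, the required action and the dates the tier implies."""
    tier = rate(a)
    out: Dict[str, object] = {
        "vendor": a.vendor,
        "tier": tier,
        "action": REQUIRED_ACTION[tier],
        "open_domains": [d.name for d in a.domains
                         if d.gap or d.critical_gap or not d.evidence_received],
    }
    if tier == "MEDIUM":
        out["remediation_due"] = a.assessed_on + timedelta(days=90)
    elif tier == "LOW":
        out["reassess_by"] = a.assessed_on + timedelta(days=365)
    return out


def sample_assessment() -> VendorAssessment:
    """Constructed sample: a certified vendor with one non-critical access-control gap."""
    domains = [DomainResult(name) for name in DOMAINS]
    domains[2] = DomainResult("access_control", gap=True)  # periodic access reviews not evidenced
    return VendorAssessment("Example Vendor Ltd", date(2026, 3, 2), domains, certified=True)


if __name__ == "__main__":
    for key, value in plan(sample_assessment()).items():
        print(f"{key}: {value}")
```

Run as a script it prints the plan for the constructed vendor (tier MEDIUM, remediation due 90 days after the assessment date). The evidence_received flag is the point worth keeping: an unevidenced "yes" should never lift a vendor to LOW.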

Beyond the Questionnaire: Continuous Vendor Monitoring

The questionnaire framework above addresses the self-reported dimension of vendor risk. But as noted at the start, self-reported data has limitations. Continuous external monitoring of your vendors' attack surfaces closes the verification gap:

  • External vulnerability scanning: are your vendors' internet-facing systems patched? Are there obvious exposures that contradict their questionnaire responses?
  • Dark web monitoring: have your vendors' credentials appeared in breach dumps? Is there evidence of an unreported incident?
  • Certificate and configuration monitoring: are the vendors' SSL certificates current? Are their systems configured securely?

This combination of structured periodic assessment plus continuous external monitoring is the foundation of a mature third-party risk management programme.
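The certificate and configuration item above, and the Domain 2 question about enforcing TLS 1.2 as a minimum, are the parts of continuous monitoring that are cheapest to automate in-house. The following is an added example using only the Python standard library; it is not code from this guide or from Scrutex. cert_findings() works on the dictionary shape that ssl.SSLSocket.getpeercert() returns, so it can be tested offline; probe() and accepts_legacy_tls() do the live connection against a host you are entitled to monitor. The vendor host names, dates and sample certificate are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example (not the guide's or any product's code): the certificate and
# TLS-configuration part of continuous vendor monitoring. Host names, dates
# and SAMPLE_CERT below are constructed for illustration.


def parse_utc(day: str) -> datetime:
    """Turn a YYYY-MM-DD string into an aware UTC datetime (used for a fixed 'now')."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def host_matches(cert: Dict, host: str) -> bool:
    """True if host is covered by a DNS subjectAltName; one leading wildcard label is allowed."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # "*.vendor.example" covers "api.vendor.example" but not "a.b.vendor.example"
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def cert_findings(cert: Dict, expected_host: str, now: datetime, warn_days: int = 30) -> List[str]:
    """Findings a monitoring run would raise for one host's presented certificate."""
    findings: List[str] = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    if not host_matches(cert, expected_host):
        findings.append(f"hostname {expected_host} not covered by certificate SANs")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Dict, str]:
    """Connect with a verifying context; return the peer certificate and negotiated TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bool]:
    """Domain 2 check: does the host still complete a TLS 1.0/1.1 handshake?

    True if a legacy handshake succeeds, False if the server refuses it, None if the
    local OpenSSL build cannot offer legacy versions (then the check is inconclusive).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake outcome matters here
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False


# Constructed certificate in getpeercert() form; a real run would take it from probe().
SAMPLE_CERT = {
    "subject": ((("commonName", "vendor.example"),),),
    "subjectAltName": (("DNS", "vendor.example"), ("DNS", "*.vendor.example")),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Mar 20 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    now = parse_utc("2026-03-02")
    for host in ("api.vendor.example", "portal.other.example"):
        print(host, cert_findings(SAMPLE_CERT, host, now) or ["no findings"])
```

Two design points: the expiry and hostname logic is kept separate from the network code so each scheduled run produces the same finding strings for the same input, which is what makes trend comparison against last month's run meaningful; and accepts_legacy_tls() returns None rather than False when the scanner itself cannot speak TLS 1.0/1.1, so an inconclusive check is never recorded as a pass.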

The Bottom Line

Third-party risk is not a new problem. But the combination of increasing supply chain interconnection and increasingly sophisticated attacks targeting that interconnection makes it more urgent than it has ever been. The organisations that suffer supply chain incidents in the next two years will largely be the ones that treated vendor security assessment as an annual compliance exercise rather than a continuous risk management programme.

The template in this guide is a starting point. The goal is a programme: structured assessment, continuous monitoring, clear escalation paths, and vendor risk that is visible to leadership, not buried in a spreadsheet that was last updated 11 months ago.

Frequently Asked Questions

How often should vendor security assessments be conducted?

Critical vendors (those with access to sensitive data or direct system integrations) should be assessed at least annually with structured questionnaires, supplemented by continuous external monitoring of their attack surface. Medium-risk vendors should be assessed every 12-18 months. The annual questionnaire provides the self-reported baseline, while continuous monitoring fills the 11-month gap between assessments with real-time visibility into changes in the vendor's security posture.

What should a vendor security assessment include?

A thorough assessment covers seven control domains: information security governance, data handling and classification, access control and identity management, vulnerability management and patching, incident response and business continuity, supply chain and subprocessor management, and physical security. For each domain, the assessment should include specific questions, requested evidence (not just self-certification), and scoring against a defined risk rating framework mapped to ISO 27001 and NIST CSF.

How does continuous vendor monitoring compare to annual questionnaires?

Annual questionnaires capture a vendor's self-reported security posture on a single day, with no verification and no visibility into changes until the next assessment. Continuous external monitoring scans the vendor's internet-facing systems for vulnerabilities, checks dark web sources for leaked credentials, and monitors SSL certificate and configuration status in real time. The combination of both is what a mature programme requires: questionnaires for self-reported controls and evidence, continuous monitoring for independent verification and real-time change detection.

Ready to see Scrutex in action?

Sign up free or book a live demo. Most teams are up and running in under 10 minutes.