
Vendor security assessment checklist

7 min read · Updated June 2026

A vendor security assessment checks that a supplier protects your data well enough to be trusted with it. A good checklist works in two directions: it tells the buyer what to request and verify before onboarding, and it tells the vendor what to have ready so the review does not stall. The areas below cover what most assessments examine.

Before you start: scope the risk

Not every vendor needs the same depth of review. Tier the assessment to the risk: a vendor that processes sensitive customer data or connects into your systems deserves far more scrutiny than a low-risk tool with no access. Decide up front what data the vendor will touch, how critical they are to your operations, and therefore how deep to go. That keeps the review proportionate and stops low-risk suppliers from being held to enterprise-grade demands they do not warrant.

Governance and compliance

  • A current SOC 2 report or ISO 27001 certificate, and confirmation of what it actually covers.
  • Published security and data-protection policies, with a named owner.
  • A data processing agreement (DPA) covering GDPR or UK GDPR obligations where relevant.
  • A list of sub-processors and the fourth-party dependencies behind the service.
  • Evidence of regular internal review, not a policy written once and never revisited.

Access control and authentication

  • Single sign-on (SSO) and enforced multi-factor authentication for privileged accounts.
  • Role-based access with least privilege, and a process to remove access when people leave.
  • Logging of administrative actions, so access can be reviewed after the fact.
  • Segregation between their customers, so one tenant cannot reach another's data.

Data protection

  • Encryption of data in transit and at rest, with a clear statement of where it is held.
  • The locations (and legal regions) where your data is stored and processed.
  • Data retention and deletion: how long they keep it and how it is destroyed on exit.
  • Backup arrangements, and confirmation that backups are themselves protected.

Operational security and resilience

  • A documented incident response plan and a breach-notification commitment with a timeframe.
  • Vulnerability management: patching cadence and regular penetration testing, with a recent summary available.
  • Business continuity and disaster recovery plans, ideally tested rather than just written.
  • Security monitoring and alerting, so issues are detected rather than discovered by customers.

How to run the assessment

  1. Send a questionnaire sized to the vendor's risk tier (a short one for low risk, SIG or CAIQ for high).
  2. Request evidence alongside the answers: a questionnaire on its own is only a set of assertions.
  3. Reconcile the two: check that what they claim matches what the SOC 2 report or certificate actually says.
  4. Flag gaps and weakly-supported answers, and decide whether they are acceptable, need remediation, or are a deal-breaker.
  5. Put the agreed controls into the contract, including the DPA and breach-notification terms.
  6. Set a reassessment date based on the risk tier, rather than treating onboarding as a one-time check.
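The tiering described under "Before you start" and steps 1, 3, 4 and 6 above are the parts of the process a security team usually ends up scripting. The following is an added example, not code from this guide or from Diligio: it tiers a vendor from what it touches, picks the questionnaire for that tier, reconciles each questionnaire claim against what the attached evidence actually covers, lists the items that still need a decision, and schedules the reassessment. The tier names, control keys, questionnaire choices, reassessment intervals and the sample vendor data are all assumptions constructed for the example.

```python
"""Risk-tier a vendor, then reconcile its questionnaire answers against the evidence attached.

Example code added for this guide. Tier names, control keys, questionnaire choices and
reassessment intervals are this example's own assumptions, not a standard.
"""
from dataclasses import dataclass, field
from datetime import date

# tier -> (questionnaire to send, months until reassessment)   [assumed values]
TIER_PLAN = {
    "high": ("SIG or CAIQ (full)", 12),
    "medium": ("SIG Lite", 18),
    "low": ("short in-house questionnaire", 24),
}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}

# checklist control -> lowest tier at which the buyer insists on it   [assumed mapping]
REQUIRED_CONTROLS = {
    "mfa_privileged": "low",
    "soc2_or_iso27001": "medium",
    "encryption_at_rest": "medium",
    "incident_response_plan": "medium",
    "dpa": "high",
    "breach_notification_sla": "high",
    "pen_test_recent": "high",
}


def risk_tier(handles_sensitive_data: bool, has_system_access: bool, business_critical: bool) -> str:
    """Scope the depth of review from what the vendor touches and how critical it is."""
    if handles_sensitive_data or has_system_access:
        return "high"
    return "medium" if business_critical else "low"


@dataclass
class Answer:
    control: str                                        # key from REQUIRED_CONTROLS
    claimed: bool                                       # vendor says the control is in place
    evidence: list[str] = field(default_factory=list)   # artefacts attached to this answer


@dataclass
class Finding:
    control: str
    status: str   # supported | weakly_supported | gap | not_required
    note: str


def reconcile(tier: str, answers: list[Answer], evidence_scope: dict[str, set[str]]) -> list[Finding]:
    """Step 3: check each claim against what the attached evidence really covers.

    evidence_scope maps an artefact (a SOC 2 report, a signed DPA) to the controls its scope
    actually addresses, as read by the reviewer, not as asserted by the vendor.
    """
    by_control = {a.control: a for a in answers}
    findings = []
    for control, min_tier in REQUIRED_CONTROLS.items():
        if TIER_RANK[tier] < TIER_RANK[min_tier]:
            findings.append(Finding(control, "not_required", f"not required at tier '{tier}'"))
            continue
        answer = by_control.get(control)
        if answer is None or not answer.claimed:
            findings.append(Finding(control, "gap", "unanswered or answered 'no'"))
            continue
        covering = [e for e in answer.evidence if control in evidence_scope.get(e, set())]
        if covering:
            findings.append(Finding(control, "supported", "covered by " + ", ".join(covering)))
        elif answer.evidence:
            findings.append(Finding(control, "weakly_supported",
                                    "evidence attached but its scope does not cover this control"))
        else:
            findings.append(Finding(control, "weakly_supported", "claimed with no evidence attached"))
    return findings


def open_items(findings: list[Finding]) -> list[str]:
    """Step 4: the controls that still need a decision (accept, remediate, or walk away)."""
    return [f.control for f in findings if f.status in ("gap", "weakly_supported")]


def reassessment_date(tier: str, assessed_on: date) -> date:
    """Step 6: next review follows the tier's interval; day is clamped so month arithmetic is safe."""
    months = TIER_PLAN[tier][1]
    years, month0 = divmod(assessed_on.month - 1 + months, 12)
    return assessed_on.replace(year=assessed_on.year + years, month=month0 + 1,
                               day=min(assessed_on.day, 28))


def assess(answers, evidence_scope, assessed_on, *, sensitive_data, system_access, critical):
    tier = risk_tier(sensitive_data, system_access, critical)
    findings = reconcile(tier, answers, evidence_scope)
    return {"tier": tier, "questionnaire": TIER_PLAN[tier][0], "findings": findings,
            "open_items": open_items(findings), "reassess_on": reassessment_date(tier, assessed_on)}


# Constructed sample vendor: stores customer PII, so it lands in the high tier.
SAMPLE_ASSESSED_ON = date(2026, 6, 15)
SAMPLE_EVIDENCE_SCOPE = {   # what the reviewer found each artefact actually covers
    "soc2_type2_2025.pdf": {"soc2_or_iso27001", "encryption_at_rest", "mfa_privileged"},
    "dpa_signed.pdf": {"dpa"},
}
SAMPLE_ANSWERS = [
    Answer("soc2_or_iso27001", True, ["soc2_type2_2025.pdf"]),
    Answer("dpa", True, ["dpa_signed.pdf"]),
    Answer("mfa_privileged", True),                                     # claimed, nothing attached
    Answer("encryption_at_rest", True, ["soc2_type2_2025.pdf"]),
    Answer("incident_response_plan", True, ["soc2_type2_2025.pdf"]),    # report scope does not cover IR
    Answer("breach_notification_sla", False),
    # pen_test_recent: not answered at all
]


def run_sample():
    return assess(SAMPLE_ANSWERS, SAMPLE_EVIDENCE_SCOPE, SAMPLE_ASSESSED_ON,
                  sensitive_data=True, system_access=False, critical=True)


if __name__ == "__main__":
    result = run_sample()
    print(f"tier={result['tier']}  send: {result['questionnaire']}  reassess on {result['reassess_on']}")
    for f in result["findings"]:
        print(f"  {f.status:17} {f.control:24} {f.note}")
```

The point of `evidence_scope` is step 3: the reviewer records what the SOC 2 report's scope section actually covers, so a "yes" with the report attached still comes out as weakly supported when the report never addresses that control. Whether an open item is acceptable, needs remediation, or is a deal-breaker remains a human decision; the script only makes sure nothing is waved through on an unsupported assertion.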

If you are the vendor being assessed

The same checklist is your preparation list. Buyers move faster on vendors who can answer consistently and attach evidence on request, so keep your policies, your SOC 2 or ISO documentation, and your approved answers together in one knowledge base. When the questionnaire arrives, you then reuse vetted answers and attach the backing evidence instead of rewriting your security story under deadline. Drafting from your own approved sources, and verifying each answer before it goes out, is what keeps the responses both fast and defensible.

Frequently asked questions

What should a vendor security assessment include?

At minimum it should cover governance and compliance (such as SOC 2 or ISO 27001 and a DPA), access control and authentication, data protection and encryption, and operational resilience like incident response, penetration testing, and business continuity. The depth should match the data the vendor handles and how critical they are.

Is a SOC 2 report enough to skip the questionnaire?

It often shortcuts much of it, but not always all of it. A current SOC 2 report or ISO 27001 certificate answers many questions about a vendor's security programme, yet buyers commonly still send a short questionnaire to confirm scope and cover anything the report does not address. Treat the report as strong evidence, not an automatic pass.

How often should you reassess a vendor?

On a risk-based schedule. Critical vendors and any handling sensitive data are commonly reassessed annually, lower-risk vendors less often, and all of them after a material change such as a breach, an acquisition, or a significant change to the service.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.
