Vendor Due Diligence Policy
Establishes a structured framework to evaluate, approve, and monitor the security posture of third-party vendors and SaaS providers.
Implementation Guide
A Vendor Due Diligence Policy controls supply chain security risk. By classifying vendors into tiers based on their access to data and systems, and by requiring evidence for each tier (such as SOC 2 reports or security questionnaire responses), the policy reduces the organization's exposure to third-party security weaknesses.
Who is this for?
This template is intended for procurement teams, financial directors, operations managers, and compliance officers who need to standardize vendor risk evaluations and meet audit expectations.
How to use this template:
- Define the parameters for vendor risk classification (Critical, High, Medium, Low).
- Establish a list of mandatory deliverables (e.g., SOC 2 Type II reports, NDAs) for each tier.
- Integrate vendor reviews into your procurement and contract renewal lifecycles.
Template Preview
# VENDOR DUE DILIGENCE & RISK MANAGEMENT POLICY
**Document Reference:** [Company Name] - POL-SEC-04
**Version:** 1.0
**Effective Date:** [Date]
**Review Cycle:** Annual
---
## 1. PURPOSE & SCOPE
The purpose of this policy is to establish a structured, audit-ready framework for evaluating, onboarding, and monitoring the cybersecurity posture of third-party vendors, suppliers, SaaS providers, and contractors.
This policy applies to all prospective and active third-party relationships contracted by **[Company Name]** that involve access to company systems, networks, confidential databases, or personally identifiable information (PII).
---
## 2. VENDOR RISK CLASSIFICATION MATRIX
Prior to contracting, the Procurement Manager and the Security Coordinator will classify the third party into one of four risk tiers:
* **Tier 1 (Critical Risk):** Vendors who access or store sensitive customer PII, financial accounts, or intellectual property, or whose service interruption would halt core business operations (e.g., core cloud hosting, email hosting, managed service providers).
* **Tier 2 (High Risk):** Vendors who access internal systems or confidential data, but are not critical to daily business survival (e.g., marketing CRMs, legal document platforms, HR platforms).
* **Tier 3 (Medium Risk):** Vendors who have limited access to company assets or support functions (e.g., office equipment suppliers, facility management, minor SaaS integrations).
* **Tier 4 (Low Risk):** Vendors with no network or data access (e.g., office supplies, catering services).
---
## 3. DUE DILIGENCE REQUIREMENTS
Before signing a contract or starting services, vendors must submit the following credentials based on their assigned risk tier:
* **Tier 1 (Critical):**
  * Current SOC 2 Type II report (renewed annually) or ISO 27001 certificate.
  * Signed Non-Disclosure Agreement (NDA).
  * Comprehensive Security Questionnaire responses.
  * Business Continuity and Disaster Recovery (BC/DR) summaries.
  * Evidence of cyber insurance coverage of at least **[Amount, e.g., $2,000,000]**.
* **Tier 2 (High):**
  * Current SOC 2 Type I or Type II report, or security self-attestation.
  * Signed Non-Disclosure Agreement (NDA).
  * Proof of cyber insurance coverage of at least **[Amount, e.g., $1,000,000]**.
* **Tier 3 (Medium):**
  * Signed Non-Disclosure Agreement (NDA).
  * Completed basic security questionnaire.
* **Tier 4 (Low):**
  * Standard service level agreement (SLA) or purchase order review.
---
## 4. PROCUREMENT & APPROVAL WORKFLOW
1. **Intake Form:** Business sponsor submits a vendor request outlining data/system access requirements.
2. **Classification & Request:** Security Coordinator classifies the vendor and requests the required due diligence documents.
3. **Assessment:** Security Coordinator reviews the vendor's security reports and flags any exceptions (e.g., lack of MFA, missing encryption).
4. **Sign-off:**
   * Tier 1 & 2 vendors require formal sign-off from the Security Coordinator and Executive Management before Procurement initiates contract signatures.
   * Tier 3 & 4 vendors require standard department head approval.
---
## 5. CONTRACTUAL SECURITY MANDATES
All vendor contracts involving Tier 1 or Tier 2 services must include clauses requiring:
* **Breach Notification:** Mandatory notification to **[Company Name]** within **[Number, e.g., 24 or 48]** hours of a suspected or confirmed security breach.
* **Right to Audit:** The right for **[Company Name]** or its representatives to audit the vendor's security controls or request updated SOC 2 reports annually.
* **Data Return/Destruction:** Mandatory return or secure destruction of all corporate data upon contract termination, with a certificate of destruction provided.
---
## 6. ONGOING MONITORING & RENEWALS
* **Annual Reviews:** Tier 1 and Tier 2 vendors must be re-evaluated annually. Procurement will request updated SOC 2 reports and refreshed security questionnaire responses for review.
* **Performance Logs:** Any vendor service interruptions, breach reports, or security issues must be logged. Repeated failures will trigger a formal vendor exit review.