Overview
Vendor Risk Evaluation is the process of identifying, assessing, and documenting security and compliance risks posed by third-party vendors. It ensures vendor-related risks are evaluated and addressed in accordance with SOC 2 CC3 risk assessment requirements before and during vendor engagement.
Step-by-Step Process
Identify vendor for assessment
The Security Lead identifies a new or existing vendor that requires a risk evaluation based on data access, system integration, or business criticality. This typically occurs during vendor onboarding or annual vendor review. The output is a documented vendor entry queued for risk assessment.
Role: Security Lead
Determine vendor risk tier
The Security Lead classifies the vendor’s inherent risk level (e.g., low, medium, high) based on criteria such as data sensitivity, access type, and service criticality. This determines the depth of assessment required. The output is a recorded vendor risk tier.
Role: Security Lead
Collect vendor security information
The Security Lead gathers security documentation from the vendor, such as SOC 2 reports, security questionnaires, or third-party ratings. Requests and follow-ups are tracked until sufficient information is received. The output is a complete vendor security information set.
Role: Security Lead
Assess vendor control gaps
The Security Lead reviews the vendor’s security posture against internal risk criteria and SOC 2 expectations. Identified gaps or concerns are documented with references to supporting evidence. The output is a documented risk assessment with noted issues.
Role: Security Lead
Document risk treatment decisions
For each identified risk, the Security Lead determines whether to accept, mitigate, transfer, or reject the risk. Mitigation actions, such as contract clauses or remediation requests, are clearly documented. The output is a completed risk treatment record.
Role: Security Lead
Approve and store assessment results
The Security Lead reviews the completed assessment for accuracy and completeness and provides formal approval. All records are stored in the designated risk management repository. The output is an approved and retained vendor risk evaluation.
Role: Security Lead
What You Need Before Starting
- Vendor name, service description, and business owner
- Access to vendor risk management tool or spreadsheet
- Vendor-provided security documentation (e.g., SOC 2 report, questionnaire)
- Internal vendor risk classification criteria
Evidence Your Auditor Expects
- Completed vendor risk assessment record dated and approved
- Vendor risk tier classification showing assessment date
- Copy of vendor SOC 2 report or completed questionnaire with receipt date
- Screenshot of tool or spreadsheet showing risk treatment decisions and timestamps
How This Looks In Your Tools
SecurityScorecard
Log in to SecurityScorecard and navigate to the “My Vendors” tab from the left-hand menu. Click “Add Vendor” or select an existing vendor to open the vendor profile. Review the overall letter grade and risk factor breakdown under the “Scorecard” and “Risk Factors” sections.
Select the “Issues” tab to review identified security issues and export findings if needed. Document the risk tier and any concerns in the “Notes” section of the vendor profile, then mark the assessment status as complete. Download or screenshot the vendor summary page showing the score and last updated date for audit evidence.
Whistic
Log in to Whistic and go to “Vendors” from the main navigation menu. Select an existing vendor or click “Add Vendor” to create a new record. Navigate to the “Risk Overview” and “Security Profile” sections to review shared documentation and risk insights.
Request additional information using the “Request Assessment” or questionnaire feature if needed. Once review is complete, update the vendor’s risk level using the “Risk Rating” field and add comments in the assessment notes. Ensure the assessment shows a completed status and export the assessment summary with date stamps.
Spreadsheet
Open the approved vendor risk assessment spreadsheet stored in the company’s document repository. Add a new row for the vendor and complete columns for vendor name, service description, data access level, and inherent risk tier.
Record assessment findings, identified risks, and risk treatment decisions in the designated fields. Enter the assessment date and approver name, then save the file with version control enabled. Retain a PDF or screenshot of the completed row showing dates for audit purposes.
Common Audit Findings
- Vendor assessments missing approval
  - This occurs when assessments are completed but not formally reviewed or approved. Prevent this by requiring an approval field and verifying it is completed before closing the assessment.
- Incomplete vendor security documentation
  - Organizations sometimes rely on partial information due to time constraints. Prevent this by defining minimum documentation requirements based on risk tier.
- Risk treatment not documented
  - Assessments may identify risks without recording how they are handled. Prevent this by requiring a mandatory risk treatment decision for each identified issue.
- Outdated vendor risk assessments
  - Vendors are assessed once and not revisited. Prevent this by reassessing vendors upon material changes or on a defined review cycle.
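The four findings above map directly onto checks that can run over assessment records before an assessment is closed. The following is an added example, not part of this page or any of the tools named; the per-tier minimum documentation, the 365-day review cycle, and the two vendor records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values: minimum documentation per inherent risk tier and review cycle.
MIN_DOCS = {
    "low": {"questionnaire"},
    "medium": {"questionnaire", "soc2_report"},
    "high": {"questionnaire", "soc2_report", "third_party_rating"},
}
REVIEW_CYCLE_DAYS = 365
TREATMENTS = {"accept", "mitigate", "transfer", "reject"}


@dataclass
class Assessment:
    vendor: str
    tier: str
    documents: set            # documentation actually received from the vendor
    risks: dict               # identified risk -> treatment decision ("" if none recorded)
    assessment_date: date
    approver: str = ""        # empty means no formal approval recorded


def audit_findings(a: Assessment, today: date) -> list:
    """Return the common audit findings that apply to one assessment record."""
    findings = []
    if not a.approver:
        findings.append("missing approval")
    required = MIN_DOCS.get(a.tier)
    if required is None:
        findings.append("unknown risk tier: " + a.tier)
    elif required - a.documents:
        findings.append("incomplete documentation: " + ", ".join(sorted(required - a.documents)))
    untreated = sorted(r for r, t in a.risks.items() if t not in TREATMENTS)
    if untreated:
        findings.append("risk treatment not documented: " + ", ".join(untreated))
    if today - a.assessment_date > timedelta(days=REVIEW_CYCLE_DAYS):
        findings.append("assessment outdated")
    return findings


# Constructed sample records: one with every finding, one that is clean.
SAMPLE = [
    Assessment("Acme Payroll (constructed)", "high", {"questionnaire", "soc2_report"},
               {"no MFA on admin portal": "mitigate", "subprocessor list missing": ""},
               date(2023, 1, 15)),
    Assessment("Example CDN (constructed)", "low", {"questionnaire"},
               {"no encryption-at-rest statement": "accept"},
               date(2024, 6, 1), approver="Security Lead"),
]


def run(today: date = date(2024, 9, 1)) -> dict:
    return {a.vendor: audit_findings(a, today) for a in SAMPLE}
```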