Third-Party Vendor Risk Assessment Checklist

Tags: SOC 2, Security Operations

Use this checklist to evaluate new and existing vendors for security, compliance, and operational risk, both before onboarding and on a recurring schedule afterwards. Third-party risk management is an explicit requirement of SOC 2 (Trust Services Criteria CC9.2, vendor and business partner risk) and ISO 27001 (the supplier relationship controls in Annex A), and it is basic security hygiene regardless of audit scope. Document each step as you complete it: the evidence column below is what an auditor will ask for as proof of due diligence.

| Task | Evidence to Provide | Relevant Policy |
|---|---|---|
| Vendor Inventory Maintained | Centralized vendor list or tracker, recording at minimum the business owner, the service provided, and the data the vendor can access | Vendor Management Policy |
| Risk Classification Assigned | Risk tier (High/Med/Low) with written justification, based on data sensitivity, level of access to your systems, and business criticality | Third-Party Risk Policy |
| Security Questionnaire Completed | Completed security assessment, e.g. a Shared Assessments SIG questionnaire, with depth scoped to the vendor's risk tier | Due Diligence Policy |
| Review of Vendor Security Docs | SOC 2 Type II report (check the report period is current, review any exceptions, and note the complementary user entity controls you are expected to operate), ISO 27001 certificate with its stated scope, and a recent penetration test report with remediation status | Security Review Process |
| Data Access Scoped and Approved | Data sharing log or access matrix listing which data classes the vendor receives, through which integration, and who approved it | Data Classification Policy |
| Contract Signed with Security Clauses | Signed MSA with DPA (required where personal data is processed) and/or SLA attached; security clauses should cover breach notification timelines, right to audit, notice of subprocessor changes, and return or deletion of data at termination | Contract Management Policy |
| Compliance Attestations Collected | Proof of compliance for the regimes that apply to the data shared (e.g. a signed BAA for HIPAA; a DPA and lawful transfer mechanism for GDPR) | Regulatory Compliance Policy |
| Ongoing Monitoring Plan Defined | Review cadence set by risk tier, calendar reminder, and quarterly review log showing re-collection of expiring attestations | Vendor Review Policy |
| Offboarding Procedure Defined | Exit plan or checklist for vendor termination, including revocation of the vendor's access and credentials and confirmation of data return or destruction | Vendor Offboarding Policy |
| Risk Acceptance (if applicable) | Signed risk acceptance from accountable stakeholders, stating the residual risk being accepted and a date for re-review | Risk Management Policy |