Vendor Risk Management Best Practices

During your last risk assessment one of the findings was the lack of a formal vendor risk management program, and you know you need to address it. Who knew that the company providing janitorial services should be considered a high-risk vendor? This can feel overwhelming, but it doesn’t need to be. Here are four vendor risk management best practices that need to be part of implementing a successful program:

  1. Compile
  2. Classify
  3. Assess
  4. Decide

Simple, right? No need for anything else, you have everything you need to create a top tier program with just that information….

Okay maybe it’s a little more involved. Let’s go through the four vendor risk management best practices in more depth.


Implementing the program starts by knowing all your third-party and fourth-party vendors.

Start with your finance or accounting departments and see what they have.

Once you have that initial list, break down the vendors by business unit and send it to the appropriate department heads. It seems like everyone likes to correct IT, so why not play to it and go with an approach of “Can you verify that I haven’t missed any of your vendors and that the ones I do have are still valid?” Once you compile a comprehensive list you can move on to the next best practice.


Vendor Risk Management Classifications

Vendors should be classified by how much potential security risk they pose to the organization. The potential risk is based on the potential impact that a data security breach involving the vendor would have on the organization.

Work with the business units to complete the vendor classification form which documents what type and how much information the vendor has access to.

Those forms should be saved and reviewed annually.

This is where you will need to work with the business units. They should know their vendor relationships well enough to answer the “what type” and “how much” questions quickly. If they don’t know those answers, it should be eye-opening as they work towards discovering who has access to the various classifications of their data.


Vendor Risk Management Assessment

There are two types of vendor risk assessments, corresponding to the two classifications determined in the vendor classification form, and each classification follows a different assessment process.

For low impact vendors you need to complete the low impact vendor questionnaire internally. Once completed the questionnaires should be saved with the vendor’s classification form and reviewed annually.

For high impact vendors you need to send them the high impact vendor questionnaire, and the Security Officer is responsible for conducting a formal review of the questionnaires when they are returned.


Vendor Risk Management Decision

For each of the high impact vendors, a decision must be made of what to do with the information risks discovered through the assessment process. The possible decisions include:

  • “Risk Accepted” – The decision has been made to accept the risk “as-is” without any additional effort on the part of the organization or the vendor.
  • “Accept the Risk, With Conditions” – The decision has been made that there are certain risks that are unacceptable, but there are potential added security controls and remediation scenarios that would be acceptable to the organization.
  • “Risks Unacceptable, With Reasons” – The decision has been made that there are certain risks that are unacceptable to the organization. Reasons for the determination are provided, and it is up to the vendor to devise methods for remediation of the “Reasons”.

Final Thoughts

Now that we are through with what the vendor risk management best practices look like, some final thoughts.

One of the most common things I hear is “I don’t know how to classify a vendor; where do I start?” That’s one of the reasons why we created the vendor classification form. It helps take the guesswork out of it. Are you verifying that your facilities vendor is doing background checks on employees who have full access to your entire building? How about the cleaning service that comes in at night, unsupervised?

Keep a spreadsheet or database of your vendors with classification, vendor manager (internal), and last review date. Don’t spend all that time compiling a list only to have to repeat the process annually. Compile once and then update with the help of the vendor managers that have been identified.

Finally, don’t wait to begin rolling this out.

You can start using the Classify, Assess, and Decide process for each new vendor right away as you work towards completing the Compile step for existing vendors. It’s also important to remember that this is an ongoing, living program; just because you completed it once doesn’t mean you are done. You need to review and verify the classification of vendors annually and keep records of the vendor management activity.

Have you built your own Vendor Risk Management Program? Tell us about it in the comments section.


Brad Nigh
Principal Security Consultant at FRSecure
Brad is a passionate information security expert with 19+ years of overall IT experience, including 9+ years of IT management and leadership experience working in 24/7 environments that required top tier technical skills, and efficient project management. In addition, Brad has years of experience working in highly regulated industries that are required to comply with PCI-DSS, HIPAA, HITECH, Sarbanes-Oxley, OCC, and various state regulatory requirements. At FRSecure Brad leads the Consulting Services practice serving businesses of all sizes, in all industries by cooperatively solving the complex issues surrounding information security.
