
Vendor Evaluation Process

Why evaluations and assessments matter

As part of your third-party risk management strategy, you need to decide whether to begin, or continue, working with a vendor. Vendor evaluations and assessments are how you make those determinations.

Evaluations are not one-size-fits-all. You have different relationships with your vendors. The way you evaluate a CRM that hosts all your customer data is going to be different from the way you evaluate your team's video editing software. Your more critical vendors, those with access to more data, get more rigorous evaluations.

This is where Security Profile comes in: it right-sizes the evaluation based on the vendor's tier, then uses evidence to assess how the vendor performs against each control. You end up with a clear, documented picture of the vendor's security posture and a basis for making the call.

Process

| What you'll do | Why it matters |
|---|---|
| Tier your vendor. | A vendor's tier determines the control framework they'll be evaluated against. Tiering ensures your evaluation is right-sized without wasting time or letting risks slip. |
| Add evidence. | The quality of your evaluation depends on the quality of your evidence. Without it, checks can't be evaluated and gaps remain. |
| Confirm the domains and IPs to evaluate. | Review the assets attributed to this vendor and select only the domains and IPs relevant to your engagement. This keeps the evaluation focused and avoids noise from infrastructure that has no bearing on your risk. |
| Review controls and checks. | This is where you assess and understand how the vendor is performing against the controls and checks relevant to its tier. You might find you need to add more evidence, send a gap questionnaire, waive risks, or request remediation. |
| Make an evaluation decision. | Work through the results and ask yourself: is this a level of risk your org is willing to accept? |
| If applicable: waive and remediate risks. | Keep a clean record of which risks are acceptable and which need to be addressed for the relationship to continue. |
| Run an AI assessment. | An assessment gives you a shareable, referenceable, point-in-time snapshot of the vendor's security posture. |