Third-party breaches are now one of the most common entry points for attackers. Yet most vendor risk programmes consist of a single annual questionnaire, signed by someone in procurement, filed somewhere, and never reviewed until the next year.
That's not a risk programme. That's documentation of the assumption that vendors are trustworthy.
Why questionnaires alone fail
A questionnaire asks a vendor what their controls look like. It does not verify that the controls exist or operate correctly. A vendor that answers "yes" to every question may have no controls at all — and your programme has no mechanism to catch that.
Annual cadence makes this worse. A vendor that passes your assessment in January and is breached in October represents twelve months of undetected exposure. Quarterly or event-triggered reviews narrow that window.
Tiering your vendors
Not every vendor deserves the same scrutiny. A vendor with access to production data carrying personal information is not the same risk as a vendor providing office supplies.
A workable tier structure:
- Critical — vendors with direct access to sensitive data, production infrastructure, or core systems. Full assessment annually, with contractual audit rights and evidence review.
- High — vendors with indirect access or significant operational dependency. Questionnaire plus reference checks, reviewed annually.
- Standard — vendors with no access to sensitive data. Lightweight due diligence at onboarding, reviewed on contract renewal.
Tier assignment should be revisited whenever a vendor's scope changes.
What to assess beyond the questionnaire
For critical vendors, questionnaire responses should be verified:
- Ask for their most recent penetration test report (not just confirmation that it occurred)
- Review their SOC 2 Type II report if available — read the auditor opinion and the exceptions section
- Check whether their subprocessors are listed and whether your data flows through them
- Confirm their incident notification SLA matches what your own obligations require
Continuous monitoring
Vendor risk isn't a point-in-time question. Several data points can be monitored continuously without requiring vendor cooperation:
- Breach disclosures (public databases and threat intel feeds)
- Certificate and domain changes
- News and regulatory actions
A vendor that appears in a breach disclosure mid-year should trigger an immediate reassessment, not wait for the annual cycle.
Integrating vendor risk with your broader GRC programme
Vendor controls often overlap with your own. A vendor processing personal data on your behalf needs to satisfy DPDPA obligations about data processing agreements, retention limits, and breach notification. A vendor that's also in scope for your SOC 2 audit needs to appear in your shared responsibility documentation.
Managing vendor risk in isolation from your compliance programme creates duplication. Managing it within the same platform means a single evidence trail covers both your audit requirements and your ongoing risk posture.