Third-Party Risk Management: How to Assess Vendors Without Drowning in Questionnaires
Third-party risk management programmes in most organisations consist of a long security questionnaire that gets sent to every vendor, regardless of what the vendor does or how much access they have to the organisation's systems and data. The questionnaire has somewhere between fifty and two hundred questions. The vendor takes three weeks to respond. The response is reviewed by someone who was not involved in procuring the vendor, and then filed with no action taken. The organisation checks the compliance box and assumes it has managed the risk.
This approach does not manage risk. It produces paperwork. The questionnaire responses rarely get read carefully enough to identify genuine concerns, the same questionnaire is sent to a low-risk stationery supplier and a high-risk cloud infrastructure provider, and the follow-up on concerning responses almost never happens because nobody owns it. A right-sized third-party risk programme does things differently.
Start With Vendor Tiering
The first step in building a functional third-party risk programme is tiering your vendor population by the risk they represent. The relevant dimensions are the nature of the data or systems the vendor accesses, the criticality of the services they provide, and the consequence to the organisation if they were compromised or became unavailable. A vendor who processes personal financial information for thousands of your customers is not in the same risk tier as a vendor who supplies office furniture. Treating them the same way wastes effort on the low-risk vendor and often under-invests in assessing the high-risk one.
Tiering does not need to be complicated. A three-tier model covering high, medium, and low risk vendors is sufficient for most mid-market organisations. High-tier vendors receive a full assessment with evidence review and possibly an on-site or remote interview. Medium-tier vendors receive a shorter, focused questionnaire covering the controls most relevant to their service type. Low-tier vendors receive a lightweight due diligence check, or are managed through standard contract terms without a formal assessment. Most vendor populations, when tiered, end up with a small number of high-tier vendors, a larger group of medium-tier vendors, and a long tail of low-tier vendors. The assessment effort follows that distribution.
Right-Size the Assessment to the Risk
A high-tier vendor assessment should be proportionate to the risk the vendor represents, not to the length of the questionnaire template. The questions should be specific to the type of service and data the vendor handles. A cloud infrastructure provider should be assessed on its data isolation controls, its incident notification obligations, and its data residency practices. A professional services firm with access to sensitive documents should be assessed on its information handling procedures, its staff screening practices, and its breach history. Sending both of them the same generic questionnaire wastes time and misses the questions that actually matter.
Evidence matters more than answers. Asking a vendor whether they have a vulnerability management programme is less useful than asking them to provide evidence of their most recent penetration test results or their current patch cycle. Questionnaire responses tell you what a vendor believes about themselves. Evidence tells you what is actually happening. High-tier vendor assessments should always include a request for evidence, and the evidence review should be done by someone with enough security knowledge to assess whether it is meaningful.
Ongoing Monitoring, Not Point-in-Time Assessment
Third-party risk is not a point-in-time problem. A vendor who passes an assessment today can be compromised tomorrow. A vendor whose security posture is adequate when you engage them can degrade significantly over time without any visible signal if your only touchpoint is an annual questionnaire. An effective third-party risk programme includes ongoing monitoring of high-tier vendors, not just a periodic assessment.
Ongoing monitoring does not have to be intensive. For most high-tier vendors, a combination of annual reassessment, monitoring of publicly reported incidents involving the vendor, and a defined process for reviewing any vendor-notified security events is sufficient. The goal is to reduce the time between a change in a vendor's risk posture and the organisation's awareness of that change. An annual questionnaire cycle means that a vendor can be compromised for eleven months before the organisation knows about it. A monitoring posture that includes event-driven review significantly reduces that window.
Contract Provisions That Support Risk Management
Vendor risk management starts in the contract, not in the questionnaire. The contract is where the organisation's security expectations are made enforceable. At minimum, high-tier vendor contracts should include specific obligations around security standards, incident notification timeframes, data handling requirements, the right to audit, and the consequences of a security breach. Without those provisions, the organisation has no contractual basis for requiring remediation if a vendor's security practices fall short.
Incident notification is particularly important. An organisation cannot manage the consequences of a vendor breach if it does not know about it promptly. Australian privacy legislation imposes notification obligations on organisations that have been breached, and those obligations do not stop at the organisation's perimeter. If a vendor who processes personal information on your behalf is compromised, your notification clock may start before you are aware of the breach. Contractual obligations that require vendors to notify you within a defined timeframe, typically 24 to 72 hours, give you the window you need to respond.
- Tier your vendor population by risk before deciding how to assess each vendor
- Tailor assessment questions to the specific service type and data exposure of each vendor
- Require evidence rather than self-assessment responses for high-tier vendors
- Establish ongoing monitoring for high-tier vendors, not just periodic reassessment
- Include specific security obligations in vendor contracts, including incident notification timeframes
To discuss third-party risk management for your organisation, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







