AlignTrust
Operations & Governance

Vendor Risk Management

The process of identifying, assessing, and mitigating security risks introduced by third-party vendors and service providers.

What Is Vendor Risk Management?

Vendor risk management (VRM) — also called third-party risk management (TPRM) — is the process of assessing and managing the risks that external vendors, suppliers, and service providers introduce to your organisation. Every vendor with access to your systems, data, or networks represents a potential attack vector.

Modern businesses run on third-party tools. Your CRM, payroll system, cloud provider, IT support company, and accounting software all have access to sensitive data. A breach at any one of them can become your breach.

Why Vendor Risk Matters

According to Verizon's DBIR, third-party involvement is a factor in a significant and growing percentage of breaches. The Ponemon Institute reports that 51% of organisations have experienced a data breach caused by a third party.

Supply chain attacks — where an attacker compromises a vendor to reach the ultimate target — are among the hardest-to-detect breach vectors.

The Vendor Risk Management Process

1. Inventory: Map all third parties with access to your data, systems, or networks.

2. Tier by risk: Not all vendors are equal. A payroll provider with access to employee PII is higher risk than a marketing design agency with no system access.

  • Tier 1 (High): Access to sensitive data, critical systems, or production environments
  • Tier 2 (Medium): Access to non-critical systems or processed data
  • Tier 3 (Low): Minimal or no data access

3. Assess: For high-tier vendors, request security evidence — SOC 2 reports, ISO 27001 certificates, or completed questionnaires.

4. Contractual controls: Ensure contracts include data processing agreements (DPAs), security requirements, breach notification obligations, and audit rights.

5. Ongoing monitoring: Review high-tier vendors at least annually, and revoke their access promptly when a vendor is decommissioned.

Minimum Due Diligence for SMBs

Even without a formal VRM programme:

  1. Ask every high-access vendor for a SOC 2 or ISO 27001 report
  2. Ensure DPAs are in place for any vendor processing personal data (required under GDPR)
  3. Apply least privilege — give vendors access to only what they need
  4. Remove vendor access immediately when the relationship ends