51% of breaches originate from a third-party vendor. SOC 2 CC9.2 · HIPAA BAA · GLBA §314.4(f) · CMMC RA.L2-3.11.1 · GDPR Art. 28 all require documented vendor oversight.
Free Toolkit  ·  14 Pages  ·  Fillable PDF

Vendor Risk Assessment Toolkit 2026

Vendor inventory worksheet, risk-tiering matrix, 50-question security questionnaire, scoring rubric (0–100), contractual must-haves checklist, and regulatory crosswalk for SOC 2, HIPAA, GLBA, CMMC, NYDFS, and GDPR.

What's inside
Vendor Risk Assessment Toolkit — 14 Pages
Page 2: How-to-Use Quick-Start
Page 3: Vendor Inventory Worksheet
Page 4: Risk-Tiering Matrix (Tier 1/2/3)
Pages 5–8: 50-Question Security Questionnaire
Page 9: Scoring Rubric (0–100 scale)
Page 10: Contractual Must-Haves (14 Clauses)
Page 11: Remediation Tracker
Page 12: Annual Review Calendar
Page 13: Regulatory Crosswalk
51% of breaches involve a third-party vendor (IBM Cost of a Data Breach 2024)
$4.88M average breach cost with a vendor as the initial vector (IBM 2024)
CC9.2: the SOC 2 vendor-management control, in every SOC 2 audit scope
95M+ records exposed via MOVEit, a sub-processor most orgs didn't know they had
What You Get

Everything You Need to Run Vendor Risk Management

Stop asking vendors to self-certify with a one-question checkbox. This toolkit gives you the structure to actually evaluate vendor security — and the contractual language to back it up.

Vendor Inventory Worksheet

Map every third party with data access: service provided, data categories, system access level, criticality tier, and contract status. The foundation of your vendor program.

Risk-Tiering Matrix

Classify vendors as Tier 1 (Critical), Tier 2 (Important), or Tier 3 (Standard) with definitions, example vendors, review cadence, and questionnaire requirements per tier.

50-Question Security Questionnaire

Ten domains: governance, access controls/MFA, encryption, incident response, sub-processors, BC/DR, vulnerability management, SDLC, physical security, and AI/LLM handling.

Scoring Rubric (0–100)

Weighted score by category. Score below 60 = escalation conversation before renewal. Clear guidance: Low Risk (85–100), Moderate (70–84), Elevated (55–69), High Risk (below 55).

Contractual Must-Haves

14 non-negotiable contract clauses: breach notification window, audit rights, data destruction, sub-processor approval, indemnification, insurance minimums, and more.

Regulatory Crosswalk

Maps each toolkit section to specific requirements in SOC 2 CC9.2, HIPAA §164.314, GLBA §314.4(f), CMMC RA.L2-3.11.1, NYDFS Part 500.11, and GDPR Art. 28.

50 Questions · 10 Domains

The Questionnaire Covers Every Domain Auditors Look For

The security questionnaire (Pages 5–8) is designed so that a completed, signed response is sufficient evidence for SOC 2 CC9.2, HIPAA BAA annual review, and GLBA oversight documentation. No back-and-forth needed.

Section 1: Security Governance
SOC 2 / ISO 27001 certs, pen testing, security training frequency, own vendor risk program.

Section 2: Access Controls & MFA
MFA enforcement (policy vs. available), phishing-resistant MFA for privileged accounts, access reviews, termination procedures.

Section 3: Encryption & Data Handling
AES-256 at rest, TLS 1.2+ in transit, data residency, retention schedule, secure destruction, backup encryption.

Section 4: Incident Response
IR plan, breach notification SLA (24/48/72 hr), prior breach disclosure, cyber insurance, tabletop exercise history.

Section 5: Sub-Processor Disclosure
Full sub-processor list, advance notification of changes, DPA/BAA flow-down, data residency by sub-processor.

Section 6: Business Continuity / DR
BCP documentation, RTO/RPO commitments, DR test frequency, geographic redundancy, tested recovery history.

Section 7: Vulnerability Management
Scan frequency, pen test cadence, critical CVE patch SLA, coordinated disclosure program, production patch coverage.

Section 8: Secure SDLC
SAST, SCA for open-source components, code review with security criteria, prod/dev separation, pre-release security testing.

Section 9: Physical & Environmental
Data center physical controls, remote work policy, endpoint encryption, MDM, clean desk and screen lock policies.

Section 10 (New 2026): AI / LLM Data Handling
AI use in service delivery, LLM access to your data, training/fine-tuning opt-out, AI governance policy, prompt injection controls.
Regulatory Requirements

One Toolkit. Six Compliance Frameworks.

If you're under any of these frameworks, vendor risk documentation is not optional. The toolkit's regulatory crosswalk (Page 13) maps each component to the specific article, section, or control number.

SOC 2

CC9.2 — Vendor Management

Documented vendor inventory, security questionnaires, contractual protections, and annual review evidence. Required for SOC 2 Type II certification.

HIPAA

§164.314 — Business Associate Agreements

BAA required for all vendors handling PHI. Must include 24-hour breach notification, permitted uses/disclosures, and safeguard requirements.

GLBA

§314.4(f) — Safeguards Rule

Select, retain, and periodically oversee service providers. Require by contract that they maintain appropriate safeguards. Annual review documentation required.

CMMC 2.0

RA.L2-3.11.1 — Risk Assessment

Assess risk from third-party information systems with CUI access. Supply chain risk management required for contractors handling controlled unclassified information.

NYDFS Part 500

§500.11 — Third-Party Service Providers

Covered entities must evaluate, oversee, and contractually secure third-party providers. 72-hour breach notification clause required. Annual certification evidence.

GDPR

Art. 28 — Processor Contracts

DPA required for all processors handling EU personal data. Sub-processor approval, audit rights, and flow-down of security obligations to sub-processors required.

Download the Vendor Risk Assessment Toolkit

Enter your email to receive the 14-page PDF toolkit — vendor inventory, questionnaire, scoring rubric, contractual must-haves, and regulatory crosswalk. Free.

No spam. Unsubscribe anytime. Your data is never sold or shared.

FAQ

Frequently Asked Questions

What compliance frameworks require vendor risk management?
SOC 2 Type II CC9.2 requires documented vendor oversight with questionnaires and contractual protections. HIPAA §164.314 requires Business Associate Agreements. GLBA §314.4(f) requires contracts and periodic oversight. CMMC RA.L2-3.11.1 covers supply chain risk for defense contractors. GDPR Article 28 requires Data Processing Agreements. NYDFS Part 500.11 requires covered entities to evaluate and contractually secure third parties.
What should a vendor security questionnaire cover?
A thorough questionnaire covers: security governance and certifications (SOC 2 / ISO 27001), access controls and MFA enforcement, encryption at rest and in transit, incident response and breach notification SLA, sub-processor disclosure, business continuity with tested RTO/RPO, vulnerability management cadence, secure SDLC practices, physical security, and AI/LLM data handling policies. This toolkit's questionnaire covers all 10 domains across 50 questions.
Which contracts require a Data Processing Agreement or BAA?
GDPR Article 28 requires a DPA for any vendor processing EU personal data. HIPAA requires a BAA for any vendor handling Protected Health Information (PHI). GLBA and CCPA require specific contractual language for consumer financial and personal data. The toolkit's contractual must-haves checklist (Page 10, Clause 10) covers when each type of agreement is required.
How often should we reassess vendors?
Tier 1 (Critical) vendors require an annual full security questionnaire review plus quarterly check-in calls. Tier 2 (Important) vendors should be reviewed annually. Tier 3 (Standard) vendors need an onboarding review and biennial re-assessment. All vendors should be reviewed following any known security incident, major product change, or company acquisition — even if it's not their scheduled review date.
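As an added illustration (not part of the toolkit PDF or its vendor), the Page 9 rubric bands and the tier cadence above can be expressed as a small scoring helper. The per-domain weights and the sample vendor answers are assumptions: the page says scoring is weighted by category but does not publish the weights.

```python
from datetime import date, timedelta
# Ten questionnaire domains (Pages 5-8). Weights are an ASSUMPTION for this
# example: the page says scoring is weighted by category but gives no weights.
DOMAIN_WEIGHTS = {
    "governance": 10, "access_mfa": 15, "encryption": 10,
    "incident_response": 10, "sub_processors": 10, "bc_dr": 5,
    "vuln_mgmt": 15, "sdlc": 10, "physical": 5, "ai_llm": 10,  # sums to 100
}
# Full-review cadence per tier (FAQ): Tier 1/2 annual, Tier 3 biennial, plus
# the events that force an out-of-cycle review regardless of tier.
FULL_REVIEW_DAYS = {1: 365, 2: 365, 3: 730}
TRIGGER_EVENTS = {"security_incident", "major_product_change", "acquisition"}

def weighted_score(domain_pass_rates):
    """Combine per-domain pass rates (0.0-1.0) into the rubric's 0-100 score."""
    total = 0.0
    for domain, weight in DOMAIN_WEIGHTS.items():
        rate = domain_pass_rates[domain]  # KeyError if a domain was skipped
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{domain}: pass rate {rate} outside 0..1")
        total += weight * rate
    return round(total)

def risk_band(score):
    """Bands exactly as the Page 9 rubric states them."""
    if score >= 85:
        return "Low Risk"
    if score >= 70:
        return "Moderate"
    if score >= 55:
        return "Elevated"
    return "High Risk"

def escalate_before_renewal(score):
    return score < 60  # Page 9: below 60 means an escalation conversation

def review_due(tier, last_full_review, today, event=None):
    """ISO dates in; True when the tier's window lapsed or a trigger event hit."""
    if event in TRIGGER_EVENTS:
        return True
    last, now = date.fromisoformat(last_full_review), date.fromisoformat(today)
    return now >= last + timedelta(days=FULL_REVIEW_DAYS[tier])

# Constructed sample vendor: weak on sub-processor disclosure and AI handling.
SAMPLE = {"governance": 1.0, "access_mfa": 0.8, "encryption": 1.0,
          "incident_response": 0.8, "sub_processors": 0.2, "bc_dr": 1.0,
          "vuln_mgmt": 0.6, "sdlc": 0.8, "physical": 1.0, "ai_llm": 0.4}
```

With these assumed weights the sample vendor scores 73 (Moderate, no pre-renewal escalation), yet a reported security incident still makes its review due immediately regardless of tier.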
What does this toolkit not include?
This toolkit does not provide legal contract templates (DPA, BAA, or MSA) — those require qualified legal counsel for your specific jurisdiction and relationships. It also does not include a vendor monitoring platform or automated questionnaire distribution system. It is a structured framework for organizations that want to implement a vendor risk program manually or document their current program for audit purposes.
Who is this designed for?
This toolkit is designed for compliance officers, CISOs, IT directors, and operations leads at organizations under SOC 2, HIPAA, GLBA, CMMC, NYDFS, or GDPR obligations. It's particularly useful for law firms, accounting practices, healthcare organizations, financial services firms, and manufacturers — all of which face specific third-party risk requirements from regulators and auditors.

Train Your Team on Vendor Social Engineering

The toolkit handles the process. SecurEveryone live training covers the behavioral layer: how attackers exploit vendor relationships, impersonate vendors via BEC, and bypass procurement controls.
