Vendor Risk Questionnaire (XLSX)
120+ questions across 8 security domains — Governance & Policy, Access Control, Data Security, Vulnerability Management, Incident Response, Business Continuity, Physical & Environmental, and Compliance & Certification. Each question includes a criticality rating (Critical / High / Medium / Low), dropdown response (Yes / Partial / No / N/A / Unknown), and an evidence reference field. Domain scores and an overall risk tier calculate automatically in the Scorecard tab.
120+ scored questions
Vendor Risk Scorecard (XLSX)
Score each vendor across 8 weighted security criteria — Information Security Policy (×3), Access Controls (×4), Data Encryption (×4), Incident Response (×3), Business Continuity (×3), Pen Test / Certification (×4), GDPR / Legal Compliance (×3), and Contract Security Clauses (×2). The weighted score and risk tier (Low / Medium / High / Critical) are assigned automatically. Supports up to 15 vendor entries. Includes a Risk Tier Key tab explaining the required actions for each tier.
Auto-assigned risk tier
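The weighting above is the only part of the scorecard the page spells out. The following is an added example, not the spreadsheet's own formulas, showing how a practitioner would reproduce the weighted score outside the workbook so it can be checked or fed into another tool. The eight criteria and their ×2 to ×4 weights are taken from the description; the mapping of questionnaire responses to credit (Yes = 1, Partial = 0.5, No and Unknown = 0, N/A excluded from the denominator), the tier thresholds, and the sample vendor are assumptions made for the example.

```python
"""Weighted vendor risk score, modelled on the Scorecard tab described above.

Assumptions (not from the page): response-to-credit mapping, tier thresholds,
and the constructed SAMPLE_VENDOR below.
"""

# Criteria and weights exactly as listed for the Scorecard tab.
CRITERIA_WEIGHTS = {
    "Information Security Policy": 3,
    "Access Controls": 4,
    "Data Encryption": 4,
    "Incident Response": 3,
    "Business Continuity": 3,
    "Pen Test / Certification": 4,
    "GDPR / Legal Compliance": 3,
    "Contract Security Clauses": 2,
}

# Assumed credit per questionnaire response. "Unknown" deliberately earns
# nothing: an unanswered control must not inflate the score. "N/A" is handled
# separately so it drops out of the denominator instead of counting as zero.
RESPONSE_CREDIT = {"Yes": 1.0, "Partial": 0.5, "No": 0.0, "Unknown": 0.0}

# Assumed tier floors on the percentage of attainable weighted points.
TIER_THRESHOLDS = [(85.0, "Low"), (70.0, "Medium"), (50.0, "High"), (0.0, "Critical")]


def criterion_score(responses):
    """Average credit for one criterion's questions, ignoring N/A.

    Returns None when every question is N/A so the caller can exclude the
    criterion (and its weight) from the overall score.
    """
    applicable = [r for r in responses if r != "N/A"]
    if not applicable:
        return None
    for r in applicable:
        if r not in RESPONSE_CREDIT:
            raise ValueError(f"unexpected response {r!r}")
    return sum(RESPONSE_CREDIT[r] for r in applicable) / len(applicable)


def weighted_score(vendor):
    """Return (achieved, attainable, percent) for a vendor.

    `vendor` maps criterion name -> list of dropdown responses for the
    questions rolled up under that criterion.
    """
    achieved = 0.0
    attainable = 0
    for criterion, weight in CRITERIA_WEIGHTS.items():
        score = criterion_score(vendor.get(criterion, []))
        if score is None:
            continue  # criterion not applicable: remove its weight from the maximum
        achieved += score * weight
        attainable += weight
    if attainable == 0:
        raise ValueError("no applicable criteria: vendor cannot be scored")
    return achieved, attainable, round(100.0 * achieved / attainable, 1)


def risk_tier(percent):
    """Map a percentage score to a tier using the assumed thresholds."""
    for floor, tier in TIER_THRESHOLDS:
        if percent >= floor:
            return tier
    return "Critical"


def assess(vendor):
    achieved, attainable, percent = weighted_score(vendor)
    return {"achieved": achieved, "attainable": attainable,
            "percent": percent, "tier": risk_tier(percent)}


# Constructed sample vendor (not real data). Business Continuity is entirely
# N/A, so its ×3 weight is removed from the attainable total rather than
# scored as zero.
SAMPLE_VENDOR = {
    "Information Security Policy": ["Yes", "Yes"],
    "Access Controls": ["Yes", "Partial", "No"],
    "Data Encryption": ["Yes", "Unknown"],
    "Incident Response": ["Partial"],
    "Business Continuity": ["N/A"],
    "Pen Test / Certification": ["Yes"],
    "GDPR / Legal Compliance": ["Yes", "Yes", "Partial"],
    "Contract Security Clauses": ["No"],
}

if __name__ == "__main__":
    print(assess(SAMPLE_VENDOR))
```

For the sample vendor this yields 15 of 23 attainable weighted points (65.2%), which lands in the assumed High tier. The two choices worth checking against whatever thresholds the workbook actually uses are the treatment of Unknown as zero credit and the exclusion of N/A from the maximum: scoring N/A as zero would unfairly penalise vendors for controls that do not apply, while scoring Unknown as anything above zero would reward incomplete questionnaires.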
Vendor Register (XLSX)
Master inventory of all third-party vendors and suppliers. Tracks: vendor name, services, criticality tier, data types processed, countries data is transferred to, ISO 27001 and SOC 2 certification status, DPA signed status, contract expiry, last assessment date, outcome, next review date, and owner. The Dashboard tab auto-calculates totals by tier, DPA coverage, certification status, and assessment outcome from the register data.
Live dashboard included
Vendor Monitoring Dashboard (XLSX)
Ongoing monitoring log for recording all vendor monitoring activities throughout the contract lifecycle — annual reviews, quarterly checks, incident reviews, certificate expiry alerts, SLA breach events, and sub-processor changes. Each log entry captures: monitoring type, finding, severity, action required, owner, due date, and status. The KPI Dashboard tab auto-calculates open actions, escalated items, incident review counts, and SLA breach events.
KPI tracker + action log
Vendor Onboarding Checklist (DOCX)
Structured checklist for onboarding new vendors before granting system access. Covers: documentation to obtain before go-live (DPA, NDA, questionnaire, ISO 27001 certificate, SOC 2 report, pen test summary, BCP, sub-processor list, insurance certificate), contract security clause verification, access provisioning steps (MFA enrolment, least privilege, session logging, account expiry), and a formal sign-off section requiring Security Lead, Procurement, IT, and vendor signatures.
Pre-go-live gate
Contract Security Requirements & GDPR DPA (DOCX)
Two documents in one: standard security contract clauses covering minimum security standards, incident notification (24-hour), sub-processor controls, audit rights, and data return/deletion — plus a full GDPR Article 28 Data Processing Annex (DPA) template covering processing details table, processor obligations, international data transfers, and breach notification obligations. Designed to be adapted and inserted into vendor agreements. Legal review recommended before use.
GDPR Article 28 clauses
Vendor Exit & Offboarding Checklist (DOCX)
Systematic checklist for securely offboarding vendors at contract end, termination, or supplier transition. Three sections: Access Revocation (user accounts, service accounts, API keys, SSH keys, MFA, physical access, email lists — 7 items), Data Return and Secure Deletion (return-or-delete election, Certificate of Destruction, backup deletion, sub-processor confirmation, GDPR Art. 28(3)(g) compliance — 7 items), and Contract and Administrative Closure (termination notice, invoice settlement, asset recovery, register updates — 8 items). Requires sign-off from Security, IT, Procurement, and the DPO.
Data deletion sign-off
Vendor Incident Notification Form (DOCX)
Structured breach notification form for vendors to complete and submit within 24 hours of discovering a security incident, matching the contractual notification window. Covers: vendor details, incident details (type, status, systems affected), data impact assessment (personal data affected, categories, number of records, exfiltration status), incident description and immediate actions taken, planned next steps, a regulatory notifications tracker (ICO/EU DPA, law enforcement, NCSC, insurer), and a rolling updates schedule. Gives the controller the information needed to meet the GDPR 72-hour supervisory authority notification deadline.
24-hr vendor notice, supports GDPR 72-hr reporting
Annual Vendor Security Review (DOCX)
Structured template for conducting annual security reviews of Critical and High tier vendors. Sections: Review Details, Certifications & Assurance Documents (ISO 27001, SOC 2, pen test, insurance — with previous vs current status comparison), Changes Since Last Review (ownership, sub-processors, data centre, incidents, financial stability — with risk impact column), SLA Performance table, Incidents During Review Period log, Outstanding Actions from Previous Review, new findings and actions, and a Risk Tier Decision section with formal sign-off.
Risk tier update + sign-off
Third-Party Risk Management Policy (DOCX)
Complete Third-Party Risk Management Policy document covering: Purpose and Scope, Supplier Classification (Critical / High / Medium / Low with assessment frequencies and approval levels), Pre-Engagement Assessment requirements, Contractual Requirements for each tier, Ongoing Monitoring programme, Supplier Offboarding obligations, Roles and Responsibilities RACI (CISO, Security Team, Procurement, IT, DPO, Business Owners), Policy Review schedule, and Exceptions process. Aligned with ISO/IEC 27001:2022 A.5.19–A.5.23.
Full TPRM policy