Checklist
Vendor risk review checklist for software, MSPs, and processors.
Use this checklist before approving, renewing, or expanding a vendor relationship that touches customer data, personal information, identity, email, finance, production systems, or operational continuity.
Step 1
Who This Is For
SMBs approving a new software vendor, outside IT provider, processor, outsourced operation, or critical service provider.
Teams that need a repeatable way to decide whether a vendor is acceptable, acceptable with conditions, or too risky.
Organizations preparing for vendor consolidation, renewal review, or customer questions about third-party risk.
Step 2
What To Check First
What systems, personal information, customer data, finance data, email, or production access the vendor receives.
Whether the vendor is business critical, customer facing, replaceable, or part of incident response and recovery.
Security evidence such as SOC report, security summary, insurance, access control, encryption, logging, backup posture, and incident response.
Privacy evidence such as data processing roles, subprocessors, cross-border storage, retention, deletion, and breach notification commitments.
Contract language for confidentiality, audit rights, incident notification, data return/deletion, subcontracting, and service availability.
Internal owner, renewal date, approval decision, conditions, and next review date.
Step 3
Questions To Ask Vendors
What data do you store, process, transmit, or access on our behalf?
Which subprocessors can access our data and where is it stored?
How do you protect administrator access and remote access?
How quickly will you notify us of a security or privacy incident?
What evidence can you share under NDA, and how current is it?
How do you delete or return data at termination?
Step 4
Common Gaps
The vendor is treated as low risk because the spend is small, even though data access is high.
The vendor has strong marketing claims but no usable evidence or owner-reviewed documentation.
Contracts lack clear breach notification timing or subprocessor visibility.
Renewals happen before risk conditions or evidence gaps are reviewed.
The business owner approves the tool before IT, privacy, or security has reviewed access.
Step 5
Practical Checklist
Tier the vendor before reviewing every detail: critical, high, moderate, or low based on access, data sensitivity, dependency, and replaceability.
Identify the business owner, technical owner, privacy owner, contract owner, renewal date, and decision maker.
Collect evidence proportional to risk. A critical outside IT provider needs deeper review than a low-risk marketing tool with no customer data.
Record compensating controls, conditions, and review dates when a vendor is approved despite gaps.
Keep a living vendor register so renewals, subprocessors, incidents, and evidence freshness are not handled from memory.
Step 6
Decision Points
Approve when the vendor risk is understood, evidence is current, and ownership is clear.
Approve with conditions when the business need is real but gaps need owners, dates, or compensating controls.
Defer when the vendor cannot explain data access, incident notification, or security ownership.
Escalate when the vendor has privileged access, sensitive data, critical dependency, or weak contractual commitments.
Step 7
When To Ask For Help
A vendor has privileged access, personal information, or operational dependency but limited evidence.
There are many vendors and no tiering method for prioritizing review effort.
Leadership needs a clear proceed, proceed with conditions, defer, or escalate recommendation.
The organization needs to explain vendor oversight to a customer, insurer, board, or procurement stakeholder.
Related Service