Glossary · Compliance concepts

What is Vendor Risk Management?

Also known as: VRM, Third-Party Risk Management, TPRM, Supplier Risk Management

Vendor risk management is the practice of assessing and continuously monitoring the security and compliance posture of the third-party suppliers an organization relies on. It typically involves collecting vendors' audit reports, evaluating their access to data, and reassessing them on a periodic basis, because a vendor's weakness can become your breach.

Key takeaways

  • Vendor risk management evaluates the security of the third parties you depend on.
  • A vendor breach can directly become your incident, so their risk is your risk.
  • Core activities include collecting SOC 2 reports and reviewing data access.
  • Vendors must be reassessed periodically, not just onboarded once.
  • Frameworks like SOC 2 and ISO 27001 expect documented supplier oversight.

Why does third-party risk matter so much?

Modern organizations run on a web of suppliers: cloud providers, SaaS tools, payment processors, and contractors. Each one that touches your data or systems extends your attack surface. When a vendor is compromised, the impact often flows straight through to their customers.

This is why frameworks treat supplier oversight as a control in its own right rather than an afterthought. The goal is to ensure that the protections you promise your own customers are not undermined by a weak link in your supply chain.

What vendor risk management involves

A vendor risk program runs across the full lifecycle of a relationship, from selection through offboarding. The depth of review usually scales with how much data and access the vendor has.

  • Due diligence at onboarding, including questionnaires and security reviews.
  • Collecting and reviewing vendors' SOC 2 reports or equivalent certifications.
  • Assessing what data and systems each vendor can access.
  • Setting contractual security and breach-notification requirements.
  • Periodic reassessment and prompt offboarding when a relationship ends.

Higher-risk vendors, such as those processing sensitive or regulated data, warrant deeper and more frequent review than low-risk, low-access suppliers.

From point-in-time review to continuous monitoring

A SOC 2 report describes a past period, so a vendor that looked secure at onboarding can drift afterward. Leading programs therefore supplement periodic questionnaires with ongoing monitoring of vendor posture and a clear schedule for reassessment.

This mirrors the shift to continuous control monitoring internally: oversight works best when it is ongoing rather than a once-a-year exercise.

Common failings include letting reassessments lapse, never reviewing vendor access after onboarding, and lacking an inventory of who has access to what. A maintained vendor register is the foundation that prevents these gaps.

Frequently asked questions

What is the difference between vendor risk management and TPRM?
They are largely interchangeable. Third-party risk management is the broader term and can include partners and contractors, while vendor risk management often emphasizes suppliers, but most programs treat them as the same discipline.
Why do customers ask us for our vendors' SOC 2 reports?
Because your vendors are part of your security posture. Reviewing their SOC 2 reports is how you, and your customers, gain assurance that data handled by subprocessors is adequately protected.
How often should vendors be reassessed?
Frequency should be risk-based, with critical vendors reviewed more often. Many programs reassess high-risk vendors at least annually and trigger ad hoc reviews after incidents or major changes.
What is a subprocessor?
A subprocessor is a third party your vendor uses to help deliver their service, which may also touch your data. Mature vendor programs track subprocessors, not just direct vendors.

Authoritative sources

← Back to the glossary