Glossary · Compliance concepts
What is Vendor Risk Management?
Also known as: VRM, Third-Party Risk Management, TPRM, Supplier Risk Management
Vendor risk management is the practice of assessing and continuously monitoring the security and compliance posture of the third-party suppliers an organization relies on. It typically involves collecting vendors' audit reports, evaluating their access to data, and reassessing them on a periodic basis, because a vendor's weakness can become your breach.
Key takeaways
- Vendor risk management evaluates the security of the third parties you depend on.
- A vendor breach can directly become your incident, so their risk is your risk.
- Core activities include collecting SOC 2 reports and reviewing data access.
- Vendors must be reassessed periodically, not just onboarded once.
- Frameworks like SOC 2 and ISO 27001 expect documented supplier oversight.
Why does third-party risk matter so much?
Modern organizations run on a web of suppliers: cloud providers, SaaS tools, payment processors, and contractors. Each one that touches your data or systems extends your attack surface. When a vendor is compromised, the impact often flows straight through to their customers.
This is why frameworks treat supplier oversight as a control in its own right rather than an afterthought. The goal is to ensure that the protections you promise your own customers are not undermined by a weak link in your supply chain.
What vendor risk management involves
A vendor risk program runs across the full lifecycle of a relationship, from selection through offboarding. The depth of review usually scales with how much data and access the vendor has.
- Due diligence at onboarding, including questionnaires and security reviews.
- Collecting and reviewing vendors' SOC 2 reports or equivalent certifications.
- Assessing what data and systems each vendor can access.
- Setting contractual security and breach-notification requirements.
- Periodic reassessment and prompt offboarding when a relationship ends.
Higher-risk vendors, such as those processing sensitive or regulated data, warrant deeper and more frequent review than low-risk, low-access suppliers.
From point-in-time review to continuous monitoring
A SOC 2 report describes a past period, so a vendor that looked secure at onboarding can drift afterward. Leading programs therefore supplement periodic questionnaires with ongoing monitoring of vendor posture and a clear schedule for reassessment.
This mirrors the shift to continuous control monitoring internally: oversight works best when it is ongoing rather than a once-a-year exercise.
Common failings include letting reassessments lapse, never reviewing vendor access after onboarding, and lacking an inventory of who has access to what. A maintained vendor register is the foundation that prevents these gaps.
Frequently asked questions
- What is the difference between vendor risk management and TPRM?
- They are largely interchangeable. Third-party risk management is the broader term and can include partners and contractors, while vendor risk management often emphasizes suppliers, but most programs treat them as the same discipline.
- Why do customers ask us for our vendors' SOC 2 reports?
- Because your vendors are part of your security posture. Reviewing their SOC 2 reports is how you, and your customers, gain assurance that data handled by subprocessors is adequately protected.
- How often should vendors be reassessed?
- Frequency should be risk-based, with critical vendors reviewed more often. Many programs reassess high-risk vendors at least annually and trigger ad hoc reviews after incidents or major changes.
- What is a subprocessor?
- A subprocessor is a third party your vendor uses to help deliver their service, which may also touch your data. Mature vendor programs track subprocessors, not just direct vendors.