Vendor Risk Management (TPRM) Checklist

  • Mar 17

Service Area: Operational Resilience

Vendor risk is enterprise risk—use this checklist to baseline, assess, and continuously control third-party exposure.

  • Maintain a complete vendor inventory with business owner and service description.

  • Map vendor data access/processing (PII/PHI/PCI/IP) and system touchpoints.

  • Record vendor geography and hosting locations for sovereignty/regulatory impact.

  • Tier vendors by criticality (e.g., Tier 1/2/3) using documented criteria.

  • Require evidence for security controls (SOC 2/ISO 27001, pen test summary, policy excerpts) for Tier 1/2.

  • Enforce SSO support where feasible and mandate MFA for privileged access.

  • Validate least-privilege access, periodic access reviews, and offboarding controls.

  • Confirm centralized logging/monitoring and defined incident triage/escalation.

  • Review vulnerability management and patch SLAs; track remediation exceptions.

  • Verify encryption in transit and at rest; confirm key management/rotation.

  • Confirm data segregation controls for multi-tenant services.

  • Review incident response plan and contractually defined breach notification timeline (target 24–72 hours).

  • Validate BC/DR capabilities and documented RPO/RTO targets.

  • Implement ongoing monitoring (risk scoring, threat intel triggers, change-driven reassessments).

  • Reassess on material changes (architecture, sub-processors, mergers, security incidents).

  • Conduct periodic vendor performance/risk reviews and track open findings to closure.

  • Ensure contract security clauses (audit rights, sub-processor controls, security requirements, notification SLAs) are in place.

  • Execute formal offboarding: revoke access (VPN, console, API keys), return/destroy data, and obtain destruction attestation.

  • Confirm retention/backups handling aligns to your requirements at termination.

If you want this implemented as a defensible program (Build or Assess), contact Red Spider Security to standardize tiering, due diligence, and continuous monitoring. For more insights on modern risk management and governance, explore our latest post on NIST CSF 2.0.
