Mini-Assessment · 15 Questions

Vendor / Third-Party Risk Mini-Assessment

A 5-minute benchmark of your third-party risk program against NIST SP 800-161 and ISO/IEC 27036. Tally the "yes" answers to get a quick maturity read across five domains.

Scoring: 13–15 strong · 9–12 developing · ≤ 8 priority gaps

01 · Inventory & Tiering

  1. Do you maintain a current inventory of all third parties that store, process, or access your data?
  2. Is each vendor tiered (e.g., critical / high / moderate / low) based on data sensitivity and business impact?
  3. Do you track fourth-party (subcontractor) concentration risk for your tier-1 vendors?
02 · Due Diligence

  1. Do critical vendors provide a current SOC 2 Type II, ISO 27001 certificate, or equivalent independent assurance?
  2. Do you assess AI/LLM vendors specifically for model training, data residency, and prompt-logging practices?
  3. Do you require a security questionnaire (e.g., SIG, CAIQ) appropriate to the vendor's tier?
03 · Contracts & Right-to-Audit

  1. Do contracts include breach notification SLAs (e.g., ≤ 72 hours) and defined remedies?
  2. Do contracts include a right-to-audit clause for critical vendors?
  3. Do contracts specify data return/destruction at termination, with evidence requirements?
04 · Ongoing Monitoring

  1. Do you re-assess critical vendors at least annually, or on material change?
  2. Do you subscribe to a vendor security-rating or attack-surface feed for top-tier suppliers?
  3. Are vendor incidents tracked in your own incident register and trended over time?
05 · Offboarding & Resilience

  1. Do you have a documented offboarding runbook covering access removal, data return, and key rotation?
  2. Do you have a tested alternate or exit plan for each tier-1 vendor?
  3. Have you exercised a third-party outage scenario in a tabletop within the last 12 months?

Need a full TPRM program build?

Dephiant designs and operates third-party risk programs for regulated and public-sector organizations — including tiering, questionnaire automation, and continuous monitoring.