Vendor risk checklist: what to ask critical suppliers
Supplier risk management is more than a contact spreadsheet. If a vendor touches data, identities, or operations, you need to know what they provide, how risky they are, and when their security posture was last checked.
Author: Marco Zoratto, founder of Splnit.eu
Which suppliers to review first
Start with suppliers that access personal data, production systems, identities, logs, or services that matter to customers. For small teams, ten well-reviewed critical suppliers are more useful than fifty stale records.
For each supplier, record the internal owner, access type, data or service affected, and the impact of an outage or incident. Typical categories to review include:
- cloud, hosting, identity provider, and monitoring
- CRM, support, accounting, and marketing tools
- external development, IT administration, and security services
- suppliers you mention in tenders, DPAs, or customer questionnaires
What evidence to request
Not every supplier needs the same evidence pack. For lower risk, a security page and DPA may be enough. For higher risk, ask for certifications, incident response details, subprocessors, data location, and a security contact.
Store not only the document but also the review date, outcome, exceptions, and next review date. Without that, vendor reviews go stale quickly.
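As an added illustration (not code from the original post or from Splnit.eu), a small Python register that encodes the evidence-by-tier rule and the review-date fields described above and flags records that are incomplete or stale. Tier names, field names and the sample suppliers are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
REQUIRED_EVIDENCE = {  # evidence pack per risk tier, as in the checklist; tier names are assumed
    "low": {"security_page", "dpa"},
    "high": {"security_page", "dpa", "certifications", "incident_response",
             "subprocessors", "data_location", "security_contact"},
}

@dataclass
class Supplier:
    name: str
    owner: str                  # internal owner
    access: str                 # access type, e.g. "identity provider"
    affects: str                # data or service affected
    impact: str                 # impact of an outage or incident
    tier: str                   # "low" or "high"
    evidence: set[str] = field(default_factory=set)
    review_date: date | None = None
    outcome: str = ""           # outcome of the last review
    exceptions: list[str] = field(default_factory=list)
    next_review: date | None = None

REGISTER = [  # constructed sample register, not real vendors
    Supplier("CloudHost", "ops", "hosting", "production systems", "full outage", "high",
             {"security_page", "dpa", "certifications"}, date(2024, 1, 15), "accepted",
             ["no SOC 2 report yet"], date(2025, 1, 15)),
    Supplier("MailTool", "marketing", "SaaS", "newsletter contacts", "low", "low",
             {"security_page", "dpa"}, date(2025, 3, 1), "accepted", [], date(2026, 3, 1)),
    Supplier("DevShop", "cto", "external development", "source code", "high", "high"),
]

def review_gaps(s: Supplier, today: date) -> list[str]:
    gaps = []
    missing = REQUIRED_EVIDENCE[s.tier] - s.evidence
    if missing:
        gaps.append("missing evidence: " + ", ".join(sorted(missing)))
    if s.review_date is None:
        return gaps + ["never reviewed"]
    if not s.outcome:
        gaps.append("review outcome not recorded")
    if s.next_review is None:
        gaps.append("no next review date")
    elif s.next_review <= today:
        gaps.append(f"review overdue since {s.next_review.isoformat()}")
    return gaps

def stale_suppliers(register=REGISTER, today: date = date(2025, 6, 1)) -> dict[str, list[str]]:
    return {s.name: g for s in register if (g := review_gaps(s, today))}  # only suppliers with gaps
```

Running `stale_suppliers()` against the sample register reports CloudHost (incomplete high-tier evidence, overdue review) and DevShop (never reviewed), while MailTool is clean.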
How it connects to NIS2 and GDPR
NIS2 pushes supply-chain risk management; GDPR pushes processor and transfer accountability. A practical register should show both: the operational risk of the supplier and the legal relationship around personal data.
Turn supplier reviews into recurring controls
Splnit.eu helps track suppliers, risks, contracts, and security evidence as a recurring process instead of a one-off questionnaire.