Are vendors tiered by risk (data sensitivity, criticality, integration depth) so due diligence effort matches risk?
Description
What this control does
Vendor risk tiering is a systematic classification of third-party vendors into risk categories (e.g., critical, high, medium, low) based on factors such as the sensitivity of data they access, the criticality of services they provide, and the depth of technical integration with internal systems. This tiering determines the scope and rigor of due diligence activities, continuous monitoring frequency, contractual requirements, and audit procedures applied to each vendor. The control ensures that resource-intensive security assessments and ongoing oversight are allocated proportionally to the risk each vendor relationship introduces to the organization.
Control objective
What auditing this proves
Demonstrate that the organization employs a documented vendor risk tiering methodology that aligns due diligence scope, frequency, and depth with the level of risk posed by each vendor relationship.
Associated risks
Risks this control addresses
- Critical vendors with access to sensitive data or key systems receive insufficient security scrutiny, enabling supply chain attacks that compromise internal networks
- Audit resources are wasted performing extensive assessments on low-risk vendors while high-risk vendors undergo only cursory review
- Vendors with deep API or system integration introduce malware or unauthorized access due to lack of technical security review commensurate with integration depth
- Data breaches occur at third-party processors handling PII, PHI, or payment card data that were not identified as high-risk and lacked appropriate contractual safeguards
- Business-critical SaaS or cloud providers experience prolonged outages because their business continuity capabilities were never validated during onboarding
- Vendors are tiered at onboarding but never re-classified despite scope changes, allowing risk to drift upward as relationships evolve
Testing procedure
How an auditor verifies this control
- Obtain the vendor risk tiering policy or procedure document that defines risk classification criteria (data types, system criticality, integration levels) and corresponding due diligence requirements for each tier.
- Review the complete vendor inventory or third-party risk management system export showing all active vendors with assigned risk tiers.
- Select a stratified sample of 15-20 vendors across all risk tiers (emphasizing critical and high-risk vendors) and obtain their initial risk assessment documentation.
- For each sampled vendor, verify that risk tier assignment aligns with documented criteria by reviewing factors such as data access scope, contract terms, integration architecture diagrams, and service criticality assessments.
- Examine due diligence artifacts for high-risk and critical vendors to confirm enhanced procedures were followed, including security questionnaires, SOC 2 reports, penetration test results, or on-site assessments as policy requires.
- Compare due diligence artifacts for low-risk vendors to confirm proportionally reduced effort (e.g., abbreviated questionnaires, self-attestation acceptance) consistent with policy.
- Review evidence of periodic re-assessment (annual or trigger-based) for at least five vendors to verify that risk tiers are updated when vendor scope, data access, or integration depth changes.
- Interview vendor risk management staff to validate understanding of tiering criteria and confirm the process for escalating vendors to higher risk tiers when circumstances change.
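The description above and the re-assessment steps of the testing procedure describe the tiering logic in words; the following is an added illustration (not the page's own methodology or any framework's tool) of how a vendor risk management team could encode it and produce the findings an auditor looks for. The 0-3 factor scales, the "worst factor drives the tier" rule with its two-elevated-factors escalation, the per-tier evidence matrix, the re-assessment intervals and the three sample vendors are all constructed assumptions; a real policy supplies its own values.

```python
"""Vendor risk tiering with tier-drift and re-assessment checks.

Illustrative example: the factor scales, thresholds, evidence matrix and
sample vendors are constructed assumptions, not a published methodology.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed factor scales (0-3, higher = more risk), one per criterion the control names.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}  # PII/PHI/PCI = regulated
CRITICALITY = {"none": 0, "supporting": 1, "important": 2, "business_critical": 3}
INTEGRATION = {"none": 0, "manual_exchange": 1, "api_read": 2, "api_write_or_network": 3}

TIERS = ["low", "medium", "high", "critical"]

# Assumed due-diligence matrix: evidence required and re-assessment interval per tier.
DUE_DILIGENCE = {
    "low": {"questionnaire": "abbreviated", "evidence": ["self-attestation"], "reassess_months": 36},
    "medium": {"questionnaire": "standard", "evidence": ["self-attestation", "security questionnaire"], "reassess_months": 24},
    "high": {"questionnaire": "full", "evidence": ["SOC 2 report", "security questionnaire"], "reassess_months": 12},
    "critical": {"questionnaire": "full",
                 "evidence": ["SOC 2 report", "penetration test results", "BCP evidence", "on-site assessment"],
                 "reassess_months": 12},
}


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    criticality: str
    integration: str
    assigned_tier: str        # tier recorded in the vendor inventory
    last_assessed: date       # date of the most recent risk assessment
    evidence_on_file: list    # due-diligence artifacts actually collected


def compute_tier(data_sensitivity: str, criticality: str, integration: str) -> str:
    """The single worst factor sets the tier, so regulated data with shallow
    integration is still 'critical'; an additive score would let two low
    factors mask one severe one. Assumed escalation rule: two or more elevated
    factors (>= 2) bump the tier by one step, capped at 'critical'."""
    scores = (DATA_SENSITIVITY[data_sensitivity], CRITICALITY[criticality], INTEGRATION[integration])
    index = max(scores)
    if sum(1 for s in scores if s >= 2) >= 2:
        index = min(index + 1, len(TIERS) - 1)
    return TIERS[index]


def review_vendor(vendor: Vendor, today: date) -> list:
    """Return the findings an auditor would raise for one vendor: tier drift
    versus current factors, evidence missing for the tier the criteria produce,
    and an overdue periodic re-assessment."""
    findings = []
    expected = compute_tier(vendor.data_sensitivity, vendor.criticality, vendor.integration)
    if expected != vendor.assigned_tier:
        findings.append(f"tier mismatch: assigned {vendor.assigned_tier}, criteria give {expected}")
    # Evidence is judged against the tier the criteria produce, not the stale recorded one.
    reqs = DUE_DILIGENCE[expected]
    missing = [e for e in reqs["evidence"] if e not in vendor.evidence_on_file]
    if missing:
        findings.append("missing evidence: " + ", ".join(missing))
    due = vendor.last_assessed + timedelta(days=30 * reqs["reassess_months"])  # 30-day months, good enough here
    if today > due:
        findings.append(f"re-assessment overdue since {due.isoformat()}")
    return findings


def audit(vendors: list, today: date) -> dict:
    """Map each vendor name to its list of findings (empty list = no exceptions)."""
    return {v.name: review_vendor(v, today) for v in vendors}


# Constructed sample inventory: one well-tiered critical vendor, one low-risk vendor,
# and one vendor whose scope grew after onboarding without re-classification.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "regulated", "business_critical", "api_write_or_network", "critical",
           date(2024, 3, 1), ["SOC 2 report", "penetration test results", "BCP evidence", "on-site assessment"]),
    Vendor("office-snacks", "none", "none", "none", "low", date(2022, 6, 1), ["self-attestation"]),
    Vendor("analytics-api", "confidential", "supporting", "api_read", "medium",
           date(2023, 1, 15), ["security questionnaire"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VENDORS, date(2025, 1, 10)).items():
        print(name, "->", findings or "no exceptions")
```

Run as-is, the script flags `analytics-api` three times (it should now be critical, it lacks the critical-tier evidence, and its annual re-assessment is overdue) while the other two vendors produce no exceptions; that output is the same stratified-sample comparison the testing procedure asks an auditor to perform by hand.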