Vendor Risk Management
Your cloud provider got hacked. Your software house leaked code. The printer company had a backdoor in firmware. Every vendor problem becomes your problem. NIS2 requires formal supply chain security management - we'll handle it for you.
100+ vendors, zero visibility on their security
A manufacturing company used 127 ICT vendors. When auditors asked “how do you manage supply chain security?” the answer was: “We have contracts with NDA.” That’s not supply chain security management - that’s wishful thinking.
Without Vendor Risk Management:
- You don’t know which vendors have access to critical data
- You can’t assess their security level
- A vendor breach becomes your breach
- You don’t meet NIS2 Article 21 requirements
- Auditor sees a gap, regulators see a fine
End-to-end VRM process
We take over the entire vendor risk management process - from inventory to continuous monitoring. You get full visibility into supply chain risk and compliance evidence for auditors.
What you get:
- Complete ICT vendor inventory (cloud, SaaS, contractors, hardware)
- Categorization by risk level (Critical/High/Medium/Low)
- Security questionnaires tailored to vendor category
- Due diligence for critical vendors (OSINT, certificate verification)
- Vendor Scorecard with A-E rating
- Recommendations for low-rated vendors (improve or exit)
- Continuous monitoring (breach alerts, certificate changes)
- Contract security clause templates
VRM Process Details
1. Vendor Inventory
Data sources:
- Procurement - contracts and invoices
- Finance - payments to IT vendors
- IT - systems, licenses, integrations
- Security - VPN connections, API keys
- Network scan - external services in use
For each vendor we collect:
- Company name and contact
- Service/product type
- Data processed (personal, business, critical)
- Network access (yes/no, what scope)
- Business owner
- Contract dates
2. Risk Categorization
| Category | Criteria | Examples |
|---|---|---|
| Critical | Critical data access, single point of failure, no alternative | Cloud provider, ERP, core banking |
| High | Sensitive data access, significant operations impact | CRM, email, HR system |
| Medium | Limited access, replaceable | Collaboration tools, monitoring |
| Low | No data access, minimal impact | Printers, telephony, office supplies |
3. Security Assessment
For Critical vendors:
- Full security questionnaire (100+ questions)
- Interview with vendor representative
- Certificate verification (ISO 27001, SOC 2)
- OSINT - incident history check
- Contract security clause review
For High vendors:
- Extended questionnaire (50-80 questions)
- Certificate verification
- OSINT
For Medium vendors:
- Simplified questionnaire (30 questions)
- Basic verification
For Low vendors:
- Minimal or no verification
- Standard contract clauses
4. Vendor Scorecard
Each vendor receives a score based on:
| Area | Weight |
|---|---|
| Governance (policies, CISO, training) | 20% |
| Technical security (MFA, encryption, patching) | 30% |
| Incident management (IR plan, SLA, communication) | 20% |
| Compliance (certificates, GDPR, audits) | 15% |
| History (incidents, reputation) | 15% |
Rating scale:
| Score | Rating | Action |
|---|---|---|
| 4.0 - 5.0 | A - Excellent | Accept, review every 24 months |
| 3.0 - 3.9 | B - Good | Accept, review every 12 months |
| 2.0 - 2.9 | C - Acceptable | Conditional, improvement plan required |
| 1.0 - 1.9 | D - Poor | Reject or exit strategy |
| < 1.0 | E - Critical | Immediate action required |
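To make the scoring model concrete, here is an added example (not the provider's own tooling) that computes the weighted score from the five area weights above and maps it to the A-E rating and action. It assumes each area is scored 0-5 by the analyst, that the weighted result is rounded to one decimal to match the granularity of the rating table, and it records a refused questionnaire as a flag on the assessment, as the FAQ below describes; the vendor data is constructed.

```python
from dataclasses import dataclass, field

# Area weights from the "Vendor Scorecard" table, in percent (sum to 100)
WEIGHTS = {
    "governance": 20,           # policies, CISO, training
    "technical": 30,            # MFA, encryption, patching
    "incident_management": 20,  # IR plan, SLA, communication
    "compliance": 15,           # certificates, GDPR, audits
    "history": 15,              # incidents, reputation
}
assert sum(WEIGHTS.values()) == 100

# Rating scale from the page: (lower bound, letter, action), best first
RATING_SCALE = [
    (4.0, "A", "Accept, review every 24 months"),
    (3.0, "B", "Accept, review every 12 months"),
    (2.0, "C", "Conditional, improvement plan required"),
    (1.0, "D", "Reject or exit strategy"),
    (0.0, "E", "Immediate action required"),
]


@dataclass
class VendorAssessment:
    """One vendor's scorecard input and result (constructed structure)."""
    name: str
    category: str                          # Critical / High / Medium / Low
    area_scores: dict                      # area -> 0..5 (assumed scale)
    questionnaire_refused: bool = False    # red flag per the FAQ
    flags: list = field(default_factory=list)
    score: float = 0.0
    rating: str = ""
    action: str = ""


def missing_areas(area_scores):
    """Areas the analyst has not scored yet; an incomplete scorecard
    must not silently score as zero."""
    return sorted(set(WEIGHTS) - set(area_scores))


def weighted_score(area_scores):
    """Weighted 0-5 score. Integer weights keep the arithmetic exact;
    the result is rounded to one decimal like the rating table."""
    missing = missing_areas(area_scores)
    if missing:
        raise ValueError(f"missing area scores: {missing}")
    for area, value in area_scores.items():
        if area not in WEIGHTS or not 0 <= value <= 5:
            raise ValueError(f"invalid score for {area!r}: {value!r}")
    total = sum(WEIGHTS[a] * area_scores[a] for a in WEIGHTS)
    return round(total / 100, 1)


def rate(score):
    """Map a 0-5 score to (letter, action) using the rating scale."""
    for lower, letter, action in RATING_SCALE:
        if score >= lower:
            return letter, action
    raise ValueError(f"score out of range: {score}")


def assess(vendor):
    """Fill in score, rating, action and flags on a VendorAssessment."""
    vendor.score = weighted_score(vendor.area_scores)
    vendor.rating, vendor.action = rate(vendor.score)
    if vendor.questionnaire_refused:
        # The page says refusal affects the score and triggers an
        # OSINT-based assessment; here the analyst's OSINT-derived area
        # scores are used and the refusal is recorded for the report.
        vendor.flags.append("questionnaire refused; scores based on OSINT only")
    return vendor


if __name__ == "__main__":
    # Constructed sample vendors
    good = assess(VendorAssessment("SaaS CRM (sample)", "High", {
        "governance": 5, "technical": 4, "incident_management": 2,
        "compliance": 3, "history": 1}))
    refused = assess(VendorAssessment("ERP host (sample)", "Critical", {
        "governance": 2, "technical": 1, "incident_management": 2,
        "compliance": 1, "history": 1}, questionnaire_refused=True))
    for v in (good, refused):
        print(f"{v.name}: {v.score} -> {v.rating} ({v.action}) {v.flags}")
```

The weighted score is computed in integer hundredths and only divided at the end, so a vendor landing exactly on a boundary such as 3.0 is rated deterministically rather than depending on floating-point accumulation order.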
5. Continuous Monitoring
Ongoing:
- Breach alerts (threat intelligence, Google Alerts)
- Certificate change monitoring
- Internal user feedback
Quarterly:
- Critical vendor review
- Improvement plan tracking
Annually:
- Full re-assessment of Critical and High vendors
- Categorization update
- Board report
Who is this for?
This service is for you if:
- You must comply with NIS2 and haven’t addressed Article 21 supply chain requirements
- You have 50+ ICT vendors and no formal VRM process
- Auditors flagged supply chain security as a gap
- You experienced a vendor-related security incident
- You want to reduce third-party risk systematically
Pricing
VRM Assessment (one-time)
Initial assessment and process setup:
- Vendor inventory
- Risk categorization
- Security assessment (questionnaires + due diligence)
- Scorecard delivery
- Contract clause templates
Scope: Up to 100 vendors
Time: 4-6 weeks
Price from: $15,000
VRM as a Service (ongoing)
Continuous vendor risk management:
- Quarterly reviews and updates
- New vendor assessments
- Incident monitoring
- Improvement tracking
- Annual board report
Price from: $2,500/month
Enterprise VRM
For organizations with 200+ vendors:
- Dedicated VRM analyst
- Custom questionnaire development
- Vendor portal setup
- Integration with GRC tools
Price: Custom quote
How we work
Our proven service delivery process.
Inventory
Collecting all ICT vendors from all sources
Categorization
Critical / High / Medium / Low risk
Assessment
Security questionnaires + due diligence
Scorecard
Vendor scoring and recommendations
Monitoring
Continuous monitoring and re-assessments
Benefits for your business
What you gain by choosing this service.
Full visibility
You know who has access to what
NIS2 compliance
Article 21.4 requirement fulfilled
Risk reduction
High-risk vendors identified
Audit-ready
Evidence for auditors
Frequently Asked Questions
Common questions about Vendor Risk Management.
How much does vendor audit for NIS2 cost?
Single vendor assessment: from €2,000. Full assessment up to 50 vendors: from $15,000 (4-6 weeks). Up to 200 vendors: from $35,000 (8-12 weeks). Continuous monitoring (VRM as a Service): from $2,500/month.
How long does full vendor assessment take?
50 vendors: 4-6 weeks. 200 vendors: 8-12 weeks. 500+ vendors: 4-6 months. We prioritize - Critical vendors are assessed first, others in parallel.
What if a vendor refuses to complete the questionnaire?
This is a red flag affecting the score. We document the refusal, conduct OSINT-based assessment with available information, evaluate risk and recommend actions - from additional contract clauses to exit strategy.
Does vendor audit meet NIS2 requirements?
Yes - our VRM service directly addresses NIS2 Article 21.4 requirement for supply chain security. The scorecard and documentation serve as evidence for auditors and regulators.
How often should vendor assessment be repeated?
We recommend: Critical vendors - every 12 months + after incident, High vendors - every 18 months, Medium/Low - every 24 months. New vendors - before contract signing (due diligence).