Many data breaches and operational failures in Indian businesses happen because a new vendor, tool, or process was introduced without checking security first. For example, a Mumbai export company added a cloud storage vendor to share invoices without verifying their data protection practices—leading to customer PAN/GST data being exposed and attracting an Income Tax Department inquiry. Without this review step, you might inherit problems: unvetted vendors with weak security, misconfigured systems, compliance violations (DPDP Act fines up to ₹5 crore), or disrupted operations during audits when buyers ask about your supplier controls.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You add new systems, vendors, or processes whenever someone requests them, with no formal check beforehand. There is no documented list of who your vendors are or what systems you use. |
| Initial | You sometimes think about security risks before adding something new, but there is no written checklist or consistent process to follow. Decisions depend on whoever is managing that area at the time. |
| Developing | You have a basic checklist of security questions to ask vendors and a simple review process before approval, but it is not always followed consistently. Not everyone in the business knows about this process yet. |
| Defined | You follow a documented risk review process for all new vendors and systems, led by your IT or compliance person, with approval by management before go-live. Records of these reviews are kept and occasionally checked. |
| Managed | Your risk review process includes security questionnaires, vendor audits, testing in a safe environment, and signed agreements with security clauses. Reviews happen for every change, recorded in a log, and monitored quarterly for effectiveness. |
| Optimised | Risk reviews are automated where possible, vendor security is continuously monitored post-implementation, risk decisions feed into your overall risk register, and lessons from past changes improve the process regularly. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Hold a one-time meeting with your IT person, finance head, and operations lead to list all current vendors and systems, and agree on three basic security questions to ask before adding any new vendor or system going forward. | Business owner or compliance person | 1 day |
| 1 → 2 | Write down a simple one-page checklist of security questions (e.g., Does the vendor have a privacy policy? Do they store data in India? Can they provide a security certificate?). Create an approval form that must be signed before any new vendor or system goes live. Share this with all team leads. | IT person or compliance person | 3-5 days |
| 2 → 3 | Develop a formal risk assessment template that maps new systems/vendors to your key business risks (data loss, downtime, compliance, fraud). Assign clear ownership: who can request, who reviews, who approves. Hold a training session with team leads. Document the process in your IT policy manual. | IT person with input from business owner | 2-3 weeks |
| 3 → 4 | Add security clauses to all vendor contracts (data protection, audit rights, breach notification, SLA penalties). Create a vendor risk scoring system (e.g., critical/medium/low) and maintain a register. Test new systems in a sandboxed environment before production. Conduct quarterly reviews of vendor compliance. | Legal advisor with IT person, compliance person | 4-6 weeks |
| 4 → 5 | Integrate vendor risk monitoring into your IT asset management system. Use third-party vendor monitoring tools to track vendor security posture continuously. Automate security questionnaires. Review risk decisions quarterly against actual incidents and industry trends. Update risk templates based on lessons learned. | IT person and compliance person | Ongoing (1-2 hours per week) |
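As an added illustration (not part of the original page or any product it names), the script below turns the checklist questions from step 1 → 2 and the critical/medium/low register from step 3 → 4 into a small vendor register that also flags vendors whose quarterly review is overdue. The scoring rule, vendor names and dates are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    name: str
    handles_personal_data: bool     # customer PAN/GST, financial or contact data
    has_privacy_policy: bool        # checklist question: does the vendor have a privacy policy?
    stores_data_in_india: bool      # checklist question: do they store data in India?
    has_security_certificate: bool  # checklist question: can they show a certificate (e.g. ISO 27001)?
    dpa_signed: bool                # Data Processing Agreement signed (DPDP Act)
    last_review: Optional[date]     # None means never reviewed

CHECKLIST = ("has_privacy_policy", "stores_data_in_india",
             "has_security_certificate", "dpa_signed")

def checklist_gaps(v: Vendor) -> list:
    """Names of the checklist items this vendor fails."""
    return [item for item in CHECKLIST if not getattr(v, item)]

def risk_tier(v: Vendor) -> str:
    """Assumed scoring rule: personal data plus any gap is critical;
    personal data with no gaps, or two or more gaps, is medium; else low."""
    gaps = len(checklist_gaps(v))
    if v.handles_personal_data and gaps:
        return "critical"
    if v.handles_personal_data or gaps >= 2:
        return "medium"
    return "low"

def review_overdue(v: Vendor, today: date, interval_days: int = 90) -> bool:
    """Quarterly review is overdue if never done or older than the interval."""
    return v.last_review is None or (today - v.last_review).days > interval_days

def register_report(vendors, today):
    """One row per vendor, critical tier first, overdue vendors ahead within a tier."""
    rows = [{"name": v.name, "tier": risk_tier(v), "gaps": checklist_gaps(v),
             "overdue": review_overdue(v, today)} for v in vendors]
    order = {"critical": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r["tier"]], not r["overdue"]))

# Constructed sample register; these are not real vendors.
SAMPLE = [
    Vendor("CloudShare-X", True, False, False, False, False, None),
    Vendor("TelcoLink", False, True, True, False, False, date(2024, 5, 1)),
    Vendor("LedgerSaaS", True, True, True, True, True, date(2024, 11, 15)),
]
TODAY = date(2024, 12, 15)

if __name__ == "__main__":
    for row in register_report(SAMPLE, TODAY):
        print(row)
```

The first sample vendor mirrors the unvetted cloud storage case above: it handles PAN/GST data, fails every checklist item and has never been reviewed, so it lands at the top of the report.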
Documents and records that prove your maturity level.
- A documented vendor/system change request form signed by requester and approver with date and business justification
- A completed risk assessment or security checklist for each new vendor or system added in the last 12 months
- Copies of vendor security certifications, privacy policies, or signed Data Processing Agreements (DPAs under DPDP Act)
- A vendor/system risk register or log listing all current third-party vendors, their risk level, and last review date
- Meeting notes or email approval chain showing risk review discussion before any major system deployment or vendor onboarding
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your process for evaluating and approving a new vendor. Who decides, and what questions do you ask about security?"
- "Can you show me the risk assessment you did before implementing your current accounting software / ERP / email system / payment gateway?"
- "Do you have Data Processing Agreements or security clauses in place with vendors who handle customer or financial data?"
- "How do you monitor whether vendors are actually meeting their security commitments after they are onboarded?"
- "Tell me about a vendor or system you rejected or delayed because of security concerns. What risk did you identify?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store vendor risk assessment forms and checklists | Google Forms (unlimited) + Google Sheets; Microsoft Forms + OneDrive | Jira (₹8,000–15,000/year for small team) or Monday.com (₹12,000+/year) |
| Monitor vendor and third-party security posture and certifications | Manual tracking in spreadsheet; ISO certificate websites (search vendor name + ISO 27001) | SecurityScorecard (₹3–5 lakh/year, enterprise); Vanta (₹50,000–2,00,000/year, automated compliance) |
| Store and manage vendor agreements and Data Processing Agreements securely | Google Drive with folder sharing and access logs; GitHub (for small teams) | Docusign (₹2,000–5,000/month for e-signatures); PandaDoc (₹1,500–4,000/month) |
- Vendor risk reviews are done only for 'big' vendors (ERP, bank) but skipped for 'small' ones like a new telecom provider or SaaS tool—but many breaches come through smaller, overlooked vendors with weak security.
- You collect a security questionnaire from a vendor once during onboarding, then never check again—vendors change their practices, move data centers, or get breached, but you do not monitor them continuously.
- Risk reviews are done informally by the IT person or owner in their head, not documented—so when an auditor or buyer asks, you cannot prove you checked, and different team members approve different vendors by different standards.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (reasonableness and data protection); Section 9 (consent and notice requirements); Schedule 2 (roles of Data Processor, Data Fiduciary) |
| CERT-In 2022 | Direction 2.3.1 (maintain inventory of IT assets and licenses), Direction 4.1 (review security controls quarterly) |
| ISO 27001:2022 | Clause 8.1 (operational planning and control); Annex A 5.3 (segregation of duties); Annex A 8.32 (vendor management) |
| NIST CSF 2.0 | Govern (GV.RO-02: Roles and responsibilities); Manage (govern supply chain, GV.SC-01); Protect (access management, PR.AC) |