NCSRC NIRMATA
RC-09 Risk & Compliance 20% of OML score

Are third-party vendors assessed for basic security before sharing data or access?

Before you let a vendor (like a software company, cloud provider, or BPO) access your systems or handle your customer data, do you check whether they have basic security safeguards in place? This question asks: do you verify that these third parties actually follow security practices, or do you just trust them because they sound professional?

Why This Matters to Your Business

If a vendor gets hacked, attackers can use that breach to reach your data and systems—and you're held responsible, not them. A real-world example: a Delhi IT services company shared customer databases with a poorly-secured BPO partner; the BPO was breached and 50,000 customer records were sold online, resulting in regulatory fines under the DPDP Act and loss of client contracts. Without vendor checks, you're trusting your security to someone else's weak locks. Customers and auditors will ask you why you didn't verify your vendors, and you'll have no answer.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no list of who has access to your data or systems. When asked about vendors, you name a few but admit you've never formally asked them about security.

Level 1
Initial

You have a rough list of vendors (accountant, hosting company, email provider) but have never asked any of them security questions or checked their setup.

Level 2
Developing

You've created a simple vendor list and sent a basic email or phone call asking 'Do you have security measures?' without documenting their answers or following up.

Level 3
Defined

You maintain a documented list of vendors, have sent a written security questionnaire to key vendors, and have filed their responses—but you don't review or update them regularly.

Level 4
Managed

You have a formal vendor security policy, annual security assessments using a standardized checklist, documented risk ratings for each vendor, and a review process every 12 months.

Level 5
Optimised

Vendor security is continuously monitored through automated tools, third-party audits (SOC 2, ISO 27001 certificates verified), contractual security obligations, and documented incident response plans if a vendor is breached.

How to Move Up — Practical Steps

Step 0 → 1
What to do: List all vendors and tools that access your data or systems (hosting, email, accounting software, outsourced support, cloud storage, etc.). Include their contact details and what access they have.
Who: Business owner or IT person
Effort: 2–3 hours

Step 1 → 2
What to do: Call or email each vendor asking: 'What security practices do you have?' and 'Do you have any security certifications?' Write down the answers in a spreadsheet.
Who: IT person or business owner
Effort: 1 week (depending on number of vendors)

Step 2 → 3
What to do: Create a simple written security questionnaire (10–15 questions about data encryption, backup, access controls, incident response). Send it to critical vendors and file their responses in a folder.
Who: IT person with input from business owner
Effort: 2–3 weeks

Step 3 → 4
What to do: Develop a formal Vendor Security Policy document. Assign risk ratings (High, Medium, Low) to each vendor based on the data they access. Schedule annual reassessments and document outcomes.
Who: IT person or outsourced consultant
Effort: 4–6 weeks

Step 4 → 5
What to do: Request SOC 2 Type II or ISO 27001 certificates from high-risk vendors. Set up automated monitoring of vendor security news. Include security clauses in all new vendor contracts and create an incident response plan if a vendor is breached.
Who: IT person with legal/compliance advisor
Effort: Ongoing (quarterly reviews, 2–3 hours per quarter)
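As an added illustration of the steps above (example code written for this page, not part of the NIRMATA guide or its toolset), a small Python vendor register that derives High/Medium/Low ratings from the data a vendor can reach, flags vendors whose 12-month reassessment is overdue or who have no filed questionnaire response, and flags high-risk vendors without SOC 2 / ISO 27001 evidence. The risk mapping, vendor names and dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed mapping from the data or system a vendor touches to a risk rating. The guide
# rates vendors by the data they access; these categories are an example choice.
ACCESS_RISK = {"customer_pii": "High", "production_systems": "High",
               "financial_records": "Medium", "public_website": "Low"}
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}
REASSESS_EVERY = timedelta(days=365)            # the guide's 12-month cycle
ACCEPTED_CERTS = {"SOC 2 Type II", "ISO 27001"}  # evidence asked of high-risk vendors

@dataclass
class Vendor:
    name: str
    access: list[str]                  # data/system categories the vendor can reach
    last_assessed: date | None = None  # date of the last questionnaire or review
    certifications: list[str] = field(default_factory=list)
    questionnaire_filed: bool = False  # response kept on file as evidence

def risk_rating(v: Vendor) -> str:
    """Highest rating across everything the vendor touches; unknown categories -> High."""
    if not v.access:
        return "Low"
    return max((ACCESS_RISK.get(a, "High") for a in v.access), key=RISK_ORDER.__getitem__)

def review_register(vendors: list[Vendor], today: date) -> list[tuple[str, str, str]]:
    """Return (vendor, rating, finding) for every gap an auditor would flag."""
    findings = []
    for v in vendors:
        rating = risk_rating(v)
        if v.last_assessed is None:
            findings.append((v.name, rating, "never assessed"))
        else:
            overdue = (today - v.last_assessed - REASSESS_EVERY).days
            if overdue > 0:
                findings.append((v.name, rating, f"reassessment overdue by {overdue} days"))
            if not v.questionnaire_filed:
                findings.append((v.name, rating, "no filed questionnaire response"))
        if rating == "High" and not ACCEPTED_CERTS.intersection(v.certifications):
            findings.append((v.name, rating, "high-risk vendor without SOC 2 / ISO 27001 evidence"))
    return findings

# Constructed sample register (fictional vendors), reviewed as of a fixed date.
TODAY = date(2025, 1, 10)
SAMPLE_VENDORS = [
    Vendor("CloudHost Ltd", ["production_systems", "customer_pii"], date(2024, 3, 1), ["ISO 27001"], True),
    Vendor("BPO Support Partner", ["customer_pii"], date(2023, 1, 15), [], True),
    Vendor("Accounting Firm", ["financial_records"]),
    Vendor("Web Design Agency", ["public_website"], date(2024, 9, 10), [], False),
]
```

Running `review_register(SAMPLE_VENDORS, TODAY)` lists four gaps; the hosting vendor, which is high-risk but recently assessed and certified, produces none.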
Evidence You Should Have

Documents and records that prove your maturity level.

  • A spreadsheet or document listing all vendors, their contact details, systems/data they access, and last assessment date
  • Completed vendor security questionnaire responses (email or form) signed or acknowledged by vendors
  • A Vendor Security Policy document defining what security standards vendors must meet
  • Vendor risk assessment records showing which vendors are High/Medium/Low risk and the reasoning
  • Evidence of annual or periodic re-assessments (email chains, updated questionnaires, certificate copies like SOC 2 or ISO 27001)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your list of all vendors who can access your systems or data, and how you verified their security."
  • "Do you have a process for assessing vendors before you give them access? Can you walk me through a recent vendor assessment?"
  • "What happens if one of your vendors is breached? How are you informed, and what do you do?"
  • "Do you have security clauses in your contracts with vendors? Can I see an example contract?"
  • "How often do you re-assess or re-certify your vendors? Show me documentation of the last assessment."
Tools That Work in India

Purpose: Create and send security questionnaires to vendors and collect responses
Free option: Google Forms (free) or a shared Excel spreadsheet
Paid option: OneTrust or Prevalent (vendor risk management platforms, ~₹5–15 lakhs/year, overkill for most MSMEs)

Purpose: Track and maintain vendor information and assessment records
Free option: Google Sheets or Airtable (free tier, ~15,000 records)
Paid option: Monday.com or Zoho CRM (₹3,000–8,000/month)

Purpose: Verify vendor security certifications (SOC 2, ISO 27001) and get audit reports
Free option: Ask vendors directly for certificates; certifi.io provides free lookups (limited)
Paid option: Google Cloud Security Verification or vendor-specific audit report databases (~₹50,000–2 lakhs/year)
How This Makes You More Resilient

When you assess vendors upfront, you catch weak security before a vendor handles your data, which drastically reduces the risk of a breach in their systems reaching your customers. If a vendor is breached anyway, you have documented proof that you did your due diligence—protecting your reputation and reducing regulatory fines. Your business also becomes more attractive to larger customers (who often require vendor security proof before they work with you), so this is a business advantage, not just a cost.
Common Pitfalls in India
  • Assuming a large, well-known vendor (like a major cloud provider or telecom) is automatically secure—even big vendors have weak practices in some areas; always verify
  • Asking vendors once and never following up—security changes yearly; set a calendar reminder to re-assess every 12 months
  • Not documenting vendor assessments—if an incident happens and an auditor asks, 'Did you vet this vendor?' and you have no proof, you're liable; keep every email and form response
  • Forgetting about indirect vendors—if your hosting company uses a backup provider you don't know about, that's a risk; ask vendors who *they* rely on
  • Giving vendors unlimited access when they need only limited access—apply the 'principle of least privilege' (e.g., your accountant doesn't need access to your customer database)
Compliance References

DPDP Act 2023: Section 6(2) – Data processor (vendor) must implement appropriate security measures; Section 6(5) – Data principal (you) must conduct due diligence on processors
CERT-In 2022: Direction 4 – Entities must ensure third parties handling critical information follow security standards
ISO 27001:2022: Clause A.5.19 – Management of information security incidents involving suppliers; Clause A.5.20 – Supplier relationships
NIST CSF 2.0: Govern (GV.RO-02) – Managing third-party risks; Protect (PR.AT-01) – Ensuring suppliers comply with security policies

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
