If you don't know who has access to your systems, you cannot control what they do with your data, spot suspicious activity, or investigate a breach. In 2023, a Delhi-based e-commerce firm lost customer payment data through a logistics partner's unsecured FTP account they had forgotten about—leading to RBI penalties and customer lawsuits. Without a vendor list, you also cannot comply with DPDP Act audits, leaving your business exposed to ₹500 crore fines. Your customers (especially those in banking, healthcare, or government contracting) will refuse to work with you if you cannot prove you know who touches their data.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal record of vendors or contractors with system access. When asked who can access your data, you name people from memory or have to ask around the office.
Initial
You have an informal list (WhatsApp chat, email thread, or handwritten note) of some vendors, but it is incomplete, outdated, and kept in someone's personal email inbox. New vendors are added without updating any record.
Developing
You maintain a spreadsheet (Excel or Google Sheets) that lists vendors, their services, and roughly what they access. It is reviewed once or twice a year, but access changes during projects are not always recorded.
Defined
You have a documented vendor list (spreadsheet or shared file) that includes vendor name, contact, service provided, data or systems accessed, and contract dates. It is reviewed and updated quarterly by the IT owner, and changes are signed off by a manager.
Managed
You maintain a centralized, version-controlled vendor registry (shared drive or simple tool) that tracks vendor details, access levels, contract terms, security certifications, and access review dates. It is updated within 2 weeks of any change and audited monthly.
Optimised
You have an automated system or secure shared database that logs all vendor access in real-time, flags access that exceeds contract scope, and triggers automatic reviews quarterly. All vendors sign acknowledgment of your data protection policy, and access is revoked automatically when contracts end.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Gather a list by meeting with all department heads (finance, operations, IT, HR) and ask them to name every vendor or contractor they work with who touches company systems or data. Write down their answers in a shared document. | Business owner or office manager | 2-3 days |
| 1 → 2 | Create a simple Excel spreadsheet with columns: Vendor Name, Contact Person, Phone, What they do, What data/systems they access, Contract start date, Contract end date. Populate it with all vendors from your list. Save it on a shared drive and name the IT person as owner. | IT owner or administrator | 1 week |
| 2 → 3 | Add three columns to your spreadsheet: Access Level (read-only, admin, etc.), Last Access Review Date, and Reviewed By. Schedule a quarterly review meeting with department heads. Before each review, the IT owner checks actual system access logs to confirm what each vendor actually has access to and updates the spreadsheet. Get sign-off from a manager after each review. | IT owner with manager sign-off | 2-4 weeks |
| 3 → 4 | Move the vendor registry to a shared, access-controlled location (shared Google Drive folder or company intranet). Add a column for vendor security certifications (ISO 27001, CERT-In compliance, SOC 2, or similar). Set up a monthly automated reminder to IT owner to verify no unauthorized vendors have been added to systems. Document the approval process for adding new vendors (who approves, who documents it). | IT owner with compliance or operations lead | 1-2 months |
| 4 → 5 | Implement automated logging of vendor access (use Identity Access Management tools or simple audit logs from your systems). Train all staff on the mandatory vendor onboarding process: new vendor access requires documented approval, data protection agreement signed, registry updated, and access confirmed within 5 days. Set up automatic alerts if a user or vendor logs in from an unusual location or outside contract hours. Review and retire vendor access automatically when contracts expire. | IT owner with support from compliance lead | Ongoing (6-8 weeks initial setup, then monthly maintenance) |
Documents and records that prove your maturity level.
- A current, dated vendor registry (spreadsheet or document) with vendor name, contact details, services provided, systems/data accessed, contract dates, and last review date
- Sign-off or approval records showing who authorized each vendor and when their access was last verified (email approvals, sign-off sheets, or meeting minutes dated within last 3 months)
- Access control logs or system audit trails from your main platforms (email, file servers, accounting software) showing what each vendor account can do
- A documented vendor onboarding checklist showing how new vendors are added, approved, documented, and removed—with at least one completed example from the last 6 months
- A policy or procedure document (even 1 page) describing how vendor access is managed, reviewed, and approved
Prepare for these questions from customers or third-party reviewers.
- "Show me your complete list of all vendors and third parties with access to your systems or customer data. How recent is this list, and how is it kept up to date?"
- "Pick a vendor from your list. Walk me through the process: who approved their access, what exactly can they access, and when was that access last verified?"
- "How do you know if a vendor's access has changed or if a contractor has been removed from a project? Can you show me an example of a vendor whose access was reduced or ended in the last 6 months?"
- "Do your vendor contracts include data protection and confidentiality clauses? Can you show me one signed contract as proof?"
- "How often do you review vendor access, and do you have evidence (dates, names, signatures) showing these reviews actually happened?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a centralized vendor registry spreadsheet with version control | Google Sheets (free tier, cloud-based, easy to share and version-track) | Microsoft 365 (₹500–1,500/user/year for Excel + OneDrive) |
| Track vendor contracts, expiry dates, and automatically remind of renewal or access removal dates | Google Calendar with shared event reminders, or Notion (free tier) | Zoho CRM (₹1,500–3,000/user/month for contract and vendor management modules) or Freshworks (₹2,500–5,000/month) |
| Pull access logs from your systems (email, file servers, databases) to verify what each vendor actually has access to | Built-in audit logs in Microsoft 365, Google Workspace, or your server/database—no extra cost, check with IT | Splunk (₹4,000–15,000/month for small deployments) or ManageEngine Log360 (₹8,000–20,000/year) |
| Set up automated alerts when vendor access is added, changed, or used from unusual locations | SIEM features in Zoho One or free tier of Wazuh (open-source Host-based Intrusion Detection System) | Azure Sentinel (₹25–50/GB/month) or Fortinet FortiSOAR (₹3,00,000+/year for enterprise) |
| Manage vendor identity access and create automated access removal when contracts end | Use your existing system user management (Active Directory, Google Admin, or email provider controls) | Okta or Microsoft Entra ID Premium (₹3,000–8,000/user/year) for advanced identity governance |
- Forgetting about old vendors: A contractor finishes a project 2 years ago but still has read access to your cloud storage or email. You do not remember them when the next breach happens. Update your vendor list when contracts end, not just when they start.
- No difference between vendor types: Treating a one-time audit consultant the same as your daily cloud provider. Categorize vendors by risk (high-access partners like cloud hosting and payment processors need tighter controls; one-time consultants need fewer). Focus your effort on high-risk vendors first.
- Keeping the list with one person: The owner or IT person leaves, and the list is lost or stuck on their personal laptop. Always keep vendor records in a shared, backed-up location (shared drive or company tool), not personal devices or emails.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6(4)—business must document and demonstrate knowledge of all third parties processing personal data; Section 8 (accountability principle) |
| CERT-In Guidelines 2022 | Appendix A—entities must maintain inventory of all systems and third-party access; clause on privileged user management |
| ISO 27001:2022 | A.5.19 (Supplier relationships), A.6.4 (Supplier relationships), A.8.4 (Removal or adjustment of access rights), A.8.5 (Access rights review) |
| NIST CSF 2.0 | GV.ST-03 (Third-party risk management), ID.AC-03 (Access control procedures and tools), ID.AM-02 (Inventory of physical and logical assets) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →