Choosing vendors only by cost often means picking ones with weak security controls, which puts your customer data, financial records, and systems at risk. For example, a textile exporter in Tamil Nadu hired a cheap IT support vendor who didn't encrypt client databases; when that vendor's system was hacked, the exporter's customer data was stolen and the company faced legal action and lost two major clients. A single vendor breach can expose your entire business to fines under the DPDP Act, customer lawsuits, and irreversible reputation damage. Low-cost vendors often have one person managing everything with no backup, no security training, and no proper processes; one mistake or one bad actor and your business data is gone.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You pick vendors purely on lowest quote price and ask no questions about their security practices. You have no vendor agreement, no security checklist, and no way to track what vendors can access in your systems.
Initial
You've hired vendors based on price but now you're asking them basic questions about whether they have antivirus and passwords. You have informal email chains but no signed security agreement documenting what they can and cannot do.
Developing
You have a simple checklist of security questions you ask all new vendors (do you encrypt data, do you have backups, do you have a privacy policy). You ask vendors to sign a one-page security agreement, but you rarely follow up to verify they're actually doing what they promised.
Defined
You have a formal vendor security questionnaire you send to all new vendors before hiring. You check references with at least one previous client, review their security certifications if any, and have a signed agreement. You conduct a basic audit of one or two key vendors once per year.
Managed
You maintain an updated list of all vendors with their security ratings, last audit date, and access level. You audit all critical vendors annually using a detailed checklist. You have formal offboarding procedures and immediately revoke access when a vendor contract ends. Your vendors sign agreements that require them to notify you of any security incidents within 48 hours.
Optimised
Vendors are continuously monitored using automated tools for compliance; you have real-time dashboards showing vendor security posture. Every new vendor goes through a formal risk assessment before contract, annual audits are mandatory, and your vendor agreements include contractual penalties for security breaches. You conduct surprise audits and require vendors to maintain specific certifications like ISO 27001 or SOC 2.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page checklist with 8–10 basic security questions (Do you use encrypted storage? Do employees have login passwords? Do you have backups? Do you have a written privacy policy?) and ask all new vendors to fill it out and sign off on it. | Business owner or office manager | 2–3 days |
| 1 → 2 | Develop a formal Vendor Security Agreement template (can be based on sample templates from DSCI or NASSCOM) and require all vendors to sign before they access any systems or data. Add a clause requiring them to report security incidents within 7 days. | HR or legal advisor (can use free templates) | 1 week |
| 2 → 3 | Create a detailed vendor security assessment form covering data handling, access controls, incident response, and certifications. Conduct a basic audit of your top 3 critical vendors using this form and document their responses. Ask for one reference from each vendor and contact that reference to verify claims. | IT person or operations manager | 2–4 weeks |
| 3 → 4 | Build a vendor registry spreadsheet listing every vendor, their access level (data only, systems, none), last audit date, and compliance status. Implement automated annual reminders for vendor re-assessment. Create an offboarding checklist and revoke all vendor access within 24 hours of contract end. | IT person and operations manager | 1–2 months |
| 4 → 5 | Implement vendor monitoring tools to track compliance; require vendors to maintain specific certifications; conduct random unannounced audits; embed security metrics in vendor SLAs with financial penalties for breaches. | IT manager and compliance officer | Ongoing quarterly reviews and continuous monitoring |
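The registry review from steps 3 → 4 above (annual re-assessment, signed agreements for critical vendors, access revoked within 24 hours of contract end), written as an added Python check that is not part of this guide; the vendor names, dates and the "data / systems / none" access labels are a constructed sample.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta

REVIEW_INTERVAL = timedelta(days=365)   # annual re-assessment (step 3 -> 4)
REVOKE_SLA = timedelta(hours=24)        # access revoked within 24 h of contract end

@dataclass
class Vendor:
    name: str
    access: str                          # registry access level: "data", "systems" or "none"
    agreement_signed: bool               # signed security agreement on file?
    last_audit: date | None              # last security review, None if never done
    contract_end: datetime | None = None
    access_revoked: datetime | None = None

def registry_findings(vendors: list[Vendor], today: date, now: datetime) -> dict[str, list[str]]:
    """Group vendor names by the gap a registry review should surface."""
    found = {"no_agreement": [], "never_audited": [], "audit_overdue": [], "revocation_late": []}
    for v in vendors:
        if v.access in ("data", "systems"):          # critical vendor: has data or system access
            if not v.agreement_signed:
                found["no_agreement"].append(v.name)
            if v.last_audit is None:
                found["never_audited"].append(v.name)
            elif today - v.last_audit > REVIEW_INTERVAL:
                found["audit_overdue"].append(v.name)
        if v.contract_end is not None:               # offboarding: was access cut within the SLA?
            deadline = v.contract_end + REVOKE_SLA
            still_live = v.access_revoked is None and now > deadline
            revoked_late = v.access_revoked is not None and v.access_revoked > deadline
            if still_live or revoked_late:
                found["revocation_late"].append(v.name)
    return found

# Constructed sample registry (hypothetical vendors and dates), reviewed on 1 June 2025.
TODAY = date(2025, 6, 1)
NOW = datetime(2025, 6, 1, 9, 0)
SAMPLE_REGISTRY = [
    Vendor("IT support co", "systems", True, date(2024, 3, 15)),     # audited over a year ago
    Vendor("Payroll SaaS", "data", False, date(2025, 1, 10)),        # holds salary data, nothing signed
    Vendor("Cloud backup", "data", True, None),                       # never reviewed
    Vendor("Stationery supplier", "none", False, None),               # low risk: no findings expected
    Vendor("Old web dev", "systems", True, date(2024, 9, 1),          # access cut 4 days after contract end
           contract_end=datetime(2025, 5, 20, 18, 0), access_revoked=datetime(2025, 5, 24, 10, 0)),
    Vendor("Ex accountant", "data", True, date(2025, 2, 1),           # contract ended, access still live
           contract_end=datetime(2025, 5, 30, 17, 0)),
]
```

Calling `registry_findings(SAMPLE_REGISTRY, TODAY, NOW)` gives the list for each finding type, which maps directly onto the evidence a reviewer will ask for (signed agreement, last review date, offboarding record).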
Documents and records that prove your maturity level.
- Signed vendor security agreement or contract amendment with security clauses, dated and on file for every active vendor
- Vendor assessment checklist or questionnaire (completed and signed by vendor) for all new vendors hired in the past 12 months
- Vendor registry or spreadsheet listing vendor name, type of access, date hired, and last security review date
- Audit report or assessment notes documenting the last security review of at least your top 3 critical vendors (IT support, cloud storage, payment processor, HR system, etc.)
- Documentation of at least one vendor reference check (email, phone record, or signed reference verification form) for each new critical vendor
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your vendor selection process. How do you decide who to hire and what criteria do you use beyond price?"
- "Do you have a signed security agreement with all your vendors? Can you show me three examples from vendors who handle your customer data?"
- "When you bring on a new vendor, what security questions do you ask them? Do you verify their answers or audit them?"
- "Which are your top three critical vendors (those with access to systems or data)? When was the last time you reviewed their security practices and what did you find?"
- "If a vendor has a security incident or breach, what are they supposed to do? Do you have a way to track that, and has it ever happened?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and send vendor security questionnaires, collect responses, and track compliance | Google Forms + Sheets (no cost, manual tracking) | ZeroBounce Vendor Management or Prevalent (vendor risk management platform, 2–5 lakh INR/year for SMEs) |
| Store and manage vendor contracts and agreements with version control and digital signatures | Google Drive or OneDrive with a naming convention (no cost) | DocuSign or Adobe Sign (₹3,000–8,000/year for small teams); Zoho Sign (₹2,400–6,000/year) |
| Monitor vendor access to your systems and track when vendors log in or what data they access | Manual logging in a shared spreadsheet or email (no cost, not scalable) | Okta or Azure AD with conditional access policies (₹5,000–20,000/year); LogicMonitor or ManageEngine (₹10,000–30,000/year) |
- Hiring a cheap web developer or IT support vendor without checking references or security practices, only to discover months later they're using a personal Gmail account to store client data, have no backup system, and their laptop was never updated with security patches.
- Signing a contract with a cloud storage or payroll vendor but never actually reading the data protection clause or asking how they encrypt your data; later discovering they store your employee salary data on unencrypted servers shared with other companies.
- Treating all vendors the same and applying heavy-handed audits to a low-risk office supplies vendor while ignoring security gaps in a high-risk IT or accounting vendor who has direct access to your financial systems.
- Hiring a vendor years ago, never reviewing their security practices again, and continuing to give them access even though they no longer meet your current security standards or have had a security incident.
- Assuming that a vendor is secure just because they're a big company or are cheap; many new small IT shops in India are highly competent and secure, while some large vendors cut corners to keep costs low.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (duty to implement reasonable security measures); Section 6(3) (data processors must be contractually bound to follow security and data handling rules) |
| CERT-In 2022 | Guidelines 14–16 (supply chain and third-party risk management; incident notification) |
| ISO 27001:2022 | Clause A.5.19 (supplier relationships), Clause A.5.20 (addressing information security within supplier agreements) |
| NIST CSF 2.0 | Govern function (GV.RO-01: Roles, responsibilities, and authorities are established); Supply Chain Risk Management (GV.SC-01: Supply chain risk management strategy is established) |