If a vendor is breached or its security weakens, your customer data or business secrets can leak through them, and you may not find out until it is too late. An Indian e-commerce company that did not re-check its payment processor vendor discovered mid-year that the vendor had been acquired by a less secure company and customer card data was exposed, resulting in RBI warnings, customer refunds, and loss of trust. Customers increasingly ask for proof that you audit your vendors; if you cannot show this during a compliance audit, you fail that check and may lose contracts. Ignoring vendor risk is a common reason why Indian MSMEs lose major enterprise customers or face surprise audit failures.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no list of who your vendors are, and you never check on them once you've signed up. If someone asks you about vendor security, you cannot answer or produce any record.
Initial
You have a basic list of vendors written down somewhere (spreadsheet or notebook), but you only check on them if a problem happens or a customer complains. There is no scheduled review or plan to evaluate them.
Developing
You have a documented list of critical vendors, and you do a basic check on them once a year—usually just asking them 'Are you still okay?' or reviewing any public news. You keep a simple record of when you last checked.
Defined
You have a formal vendor risk assessment process (a checklist or form) that you use every 12 months with each vendor. You document their security practices, financial health, and any incidents. You maintain this record in one place.
Managed
You do structured vendor reviews every 12 months using a documented scorecard that looks at security certifications, incident history, financial stability, and staff changes. You track scores over time and escalate if a vendor's score drops. You also monitor them for news/incidents between formal reviews.
Optimised
You have a continuous vendor monitoring program with both formal annual reviews and real-time alerts (via news feeds, security databases) about vendor incidents. You have criteria for when to re-evaluate early or terminate a vendor. You maintain detailed audit trails and share sanitized results with your customers when asked.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple spreadsheet listing all vendors who have access to your systems, data, or infrastructure. Include their name, contact, what service they provide, and the date added. Share with your team so everyone knows who the critical vendors are. | Business owner or office manager | 1 day |
| 1 → 2 | Add a 'Last Review Date' column to your vendor list. Set a calendar reminder to review each vendor once per year (or twice yearly for critical ones). During review, check company news, ask them directly about security certifications, and note any incidents you find. Save the review summary in a folder with the date. | IT person or business owner | 1 week initial setup; 2-3 hours per year per vendor |
| 2 → 3 | Create a one-page vendor assessment form (PDF or Google Form) with questions about: security certifications (ISO 27001, DPDP compliance), data breach history, staff turnover, financial health, and backup/disaster recovery plans. Use this same form every year and keep copies in a folder. | IT person with input from business owner | 2-4 weeks |
| 3 → 4 | Build a simple vendor scorecard (e.g., a spreadsheet with 5 criteria, each scored 1-5: Security, Financial Health, Reliability, Compliance, Incident History). Calculate a total score each year (scaled to 100 so the thresholds below apply) and document the trend. Set a rule: if any vendor's score drops below 60 or falls 20 points year-on-year, schedule an urgent re-evaluation or consider alternatives. | IT person and procurement/operations owner | 1-2 months to design, test, and roll out |
| 4 → 5 | Subscribe to vendor threat intelligence feeds (free: Google News alerts, LinkedIn, vendor status pages; paid: SecurityScorecard or similar). Set up quarterly check-ins beyond annual reviews. Create a policy document that defines when you will drop a vendor (e.g., if they have an unpatched critical breach, fail compliance audit, or go bankrupt). Share anonymized review summaries with key customers annually. | IT person with support from business owner and procurement | Ongoing: 2-3 hours per month for monitoring, 1 day per quarter for analysis |
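As an added example, not part of this guide, the following Python script turns the review cadence from step 1 → 2 and the scorecard escalation rule from step 3 → 4 into checks you can run over a vendor inventory. It assumes the scorecard total is scaled to 0-100 (the guide gives the 60-point and 20-point thresholds but not the scale); the vendor names, dates and scores are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Scorecard criteria from the 3 -> 4 step, each scored 1-5, in this fixed order (raw max 25).
CRITERIA = ("security", "financial_health", "reliability", "compliance", "incident_history")

@dataclass
class Vendor:
    name: str
    service: str
    critical: bool        # access to customer data, payment systems or core infrastructure
    last_review: date
    scores: dict = field(default_factory=dict)   # review year -> tuple of 5 criterion scores

def normalise(raw: tuple) -> float:
    """Scale the 25-point raw total to 0-100 (assumed scale; the guide gives thresholds only)."""
    if len(raw) != len(CRITERIA) or any(not 1 <= v <= 5 for v in raw):
        raise ValueError("scorecard needs one 1-5 score per criterion")
    return round(100 * sum(raw) / (5 * len(CRITERIA)), 1)

def review_interval(vendor: Vendor) -> timedelta:
    """Once a year, twice yearly for critical vendors (step 1 -> 2)."""
    return timedelta(days=182) if vendor.critical else timedelta(days=365)

def overdue_reviews(vendors, today: date) -> list:
    """Names of vendors whose next scheduled review date has already passed."""
    return [v.name for v in vendors if today > v.last_review + review_interval(v)]

def escalation_reason(vendor: Vendor) -> str:
    """Step 3 -> 4 rule: below 60, or a 20-point year-on-year drop, means urgent re-evaluation."""
    years = sorted(vendor.scores)
    if not years:
        return ""                      # nothing scored yet, nothing to compare
    latest = normalise(vendor.scores[years[-1]])
    if latest < 60:
        return f"score {latest} below 60"
    if len(years) > 1:
        drop = normalise(vendor.scores[years[-2]]) - latest
        if drop >= 20:
            return f"score fell {drop:.1f} points year-on-year"
    return ""                          # empty string: no action needed

# Constructed sample inventory: vendor names, dates and scores are made up for this example.
AS_OF = date(2024, 12, 1)
VENDORS = [
    Vendor("PayGate", "payment processing", True, date(2024, 1, 15), {2023: (5, 4, 4, 5, 4), 2024: (3, 2, 3, 3, 2)}),
    Vendor("CloudHost", "web hosting", True, date(2024, 9, 1), {2024: (4, 4, 5, 4, 4)}),
    Vendor("Stationery Co", "office supplies", False, date(2023, 6, 1), {2023: (4, 5, 5, 4, 5), 2024: (3, 4, 4, 3, 4)}),
]
```

Run `overdue_reviews(VENDORS, AS_OF)` and `escalation_reason(v)` for each vendor to get the list of reviews that are due and the vendors that trip the scorecard rule.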
Documents and records that prove your maturity level.
- Documented vendor inventory (spreadsheet or database) with vendor names, services, and dates of last review
- Completed vendor assessment forms or checklists for the past 12-24 months, signed/dated by the reviewer
- Vendor scorecard or evaluation summary showing assessment criteria and scores over time
- Dated records of any vendor incidents, security issues, or remediation actions taken
- Calendar entries, meeting notes, or email confirmation showing annual or periodic vendor review discussions
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a list of all your critical vendors and when each one was last reviewed?"
- "Walk me through your vendor assessment process. What criteria do you use to evaluate whether a vendor is still trustworthy?"
- "Give me an example of a vendor you re-evaluated in the past 18 months. What did you check, and what was the outcome?"
- "Have you ever downgraded, de-risked, or terminated a vendor because of security or compliance concerns? Show me the documentation."
- "How do you find out if a vendor has had a security incident or significant change (acquisition, bankruptcy, staff turnover)? Do you monitor between formal reviews?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store vendor assessment forms and records | Google Forms + Google Drive, or Microsoft Forms + OneDrive | Smartsheet, Airtable (₹500-2,000/month for team) |
| Set up alerts for vendor news and incidents | Google News alerts (free), LinkedIn company follow, vendor status pages | SecurityScorecard (₹50,000-2,00,000/year), Dun & Bradstreet risk reports (₹10,000-50,000/year) |
| Build and track vendor scorecard over time | Excel or Google Sheets template (create your own) | Tableau, Power BI (₹5,000-20,000/year for small teams), dedicated vendor risk platforms like Panorays (enterprise pricing) |
- Treating vendor review as a one-time activity when onboarding; forgetting that risk changes over time as vendors grow, merge, or cut corners
- Only reviewing vendors when a customer asks or an incident happens; missing early warning signs like staff turnover or financial trouble
- Relying only on the vendor's word ('We are fine') without checking public records, industry reports, or financial databases; Indian vendors often lack formal certifications, so you must do homework yourself
- Not having a clear list of critical vs. non-critical vendors; reviewing everyone equally wastes time—focus on vendors with access to customer data, payment systems, or core infrastructure
- Failing to document reviews; auditors and customers will ask for proof you actually reviewed vendors, not just that you claim to have done so
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2)(d): requirement to ensure personal data is processed only by data processors meeting security standards; implies periodic vendor review |
| CERT-In 2022 | Guideline on vendor/supply chain risk management; no specific section but reinforced in practice |
| ISO 27001:2022 | Clause 5.23 (Supplier relationships) and Annex A.15.2 (Supplier security assessment and re-assessment) |
| NIST CSF 2.0 | Govern Risk Management (GV) and Supply Chain Risk Management (GV.SC) |