If you don't know which vendors are critical, you treat all of them the same way—giving the same low level of security oversight to a cloud server provider as you do to a stationery supplier. When a critical vendor fails (or gets hacked), your entire business can grind to a halt. For example, a Mumbai textile exporter lost ₹45 lakhs in production time when their payment gateway vendor was compromised and couldn't process customer payments for 18 hours, but they had no backup vendor because they never identified this supplier as critical. Without this control, you also can't properly manage vendor contracts, audit vendor security practices, or recover quickly when something goes wrong.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have a scattered list of vendors in various spreadsheets, WhatsApp chats, and someone's notebook. You have no documented process for deciding which vendors matter most to your business.
Initial
You have created one list of all vendors, but it's a simple flat list with no classification—you haven't yet separated critical from non-critical vendors.
Developing
You have a spreadsheet that identifies critical vendors versus non-critical ones, but the criteria for marking them as critical are unclear and not formally documented in any policy.
Defined
You have a documented, board-approved vendor classification policy with clear criteria (e.g., vendors handling customer data, payment processing, or delivery are critical). Your vendor list is maintained in a shared system, and the classification is reviewed annually.
Managed
Your vendor classification is integrated into your procurement process, contracts, and risk management framework. Critical vendors have documented Service Level Agreements (SLAs) and security requirements, and you conduct regular risk assessments of critical vendors.
Optimised
You have an automated, real-time vendor risk dashboard that continuously monitors critical vendors' security status, compliance certifications, and financial health. Vendor classifications are reviewed quarterly, and your supply chain has documented fallback vendors and contingency plans for each critical service.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Compile a single master list of all vendors your company currently uses. Include vendor name, contact, service/product provided, and contract value if known. | Finance Manager or Procurement Lead | 2-3 days |
| 1 → 2 | Add a 'Critical/Non-Critical' column to your vendor list. Mark vendors as critical if they handle payments, customer data, or provide services your business cannot operate without for more than 4 hours. | Procurement Lead with approval from Operations Manager | 3-5 days |
| 2 → 3 | Create and document a formal Vendor Classification Policy that defines what makes a vendor critical (e.g., data access, payment processing, critical infrastructure). Get sign-off from senior management. Update all vendor records using this policy. | IT Manager or Compliance Officer | 2-3 weeks |
| 3 → 4 | For each critical vendor, document their security requirements in the contract or a separate security addendum. Conduct a security assessment questionnaire (you can use CERT-In's vendor assessment template). Establish SLAs for uptime and response times. | IT Manager and Legal/Procurement Lead | 4-6 weeks |
| 4 → 5 | Build a vendor risk dashboard that tracks critical vendor certifications (ISO 27001, SOC2), security incidents, and performance metrics. Establish a quarterly review cycle and identify backup vendors for each critical service. | IT Manager with support from a vendor management tool administrator | Ongoing quarterly reviews |
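Once the master list from step 0 → 1 exists, the criteria in step 1 → 2 and the review cycle in step 4 → 5 can be applied mechanically rather than by eyeballing a spreadsheet. The script below is an added example, not code from the NIRMATA page or from any tool it names. It assumes the register is kept as a CSV with the columns shown; the vendor rows are constructed sample data, and the column names, thresholds and `demo()` helper are this example's own choices.

```python
"""Classify vendors by business impact (not spend) and flag stale reviews.

Added example: assumes a vendor register exported as CSV with the columns
in SAMPLE_REGISTER. Rows are constructed sample data, not real suppliers.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register. "max_tolerable_outage_hours" is how long the
# business can keep running without the service; "substitutes" records whether
# another supplier can be switched in quickly.
SAMPLE_REGISTER = """\
vendor,service,annual_spend_inr,handles_payments,handles_customer_data,max_tolerable_outage_hours,substitutes,last_review,cert_expiry
PayFlow Gateway,payment gateway,120000,yes,yes,1,no,2024-01-15,2025-06-30
CloudHost,web/app hosting,300000,no,yes,2,no,2024-11-02,2026-01-31
Accounting SaaS,accounting software,60000,no,yes,48,yes,2023-09-10,
RawCotton Mills,raw material,9500000,no,no,336,yes,2024-11-02,
OfficeStation,stationery,40000,no,no,720,yes,,
"""

OUTAGE_THRESHOLD_HOURS = 4            # step 1 -> 2 rule: "cannot operate without for more than 4 hours"
REVIEW_INTERVAL = timedelta(days=365)  # 'Defined' level: classification reviewed at least annually
CERT_WARNING = timedelta(days=90)      # assumed lead time for renewing an expiring certification


def _yes(value):
    return value.strip().lower() == "yes"


def parse_date(text):
    """ISO date or None for an empty cell (no review / no certificate on file)."""
    return date.fromisoformat(text) if text.strip() else None


def is_critical(row):
    """Apply the page's criteria: handles payments, handles customer data, or the
    business cannot run without it for long and there is no ready substitute.
    Annual spend is deliberately not an input (see the 'spend vs impact' pitfall)."""
    if _yes(row["handles_payments"]) or _yes(row["handles_customer_data"]):
        return True
    outage = float(row["max_tolerable_outage_hours"])
    return outage <= OUTAGE_THRESHOLD_HOURS and not _yes(row["substitutes"])


def assess_register(csv_text, today):
    """Return one record per vendor: classification plus the actions a review
    cycle should raise for critical vendors (non-critical vendors get none)."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        critical = is_critical(row)
        actions = []
        if critical:
            last = parse_date(row["last_review"])
            if last is None:
                actions.append("no security review on record")
            elif today - last > REVIEW_INTERVAL:
                actions.append(f"review overdue ({(today - last).days} days since last)")
            cert = parse_date(row["cert_expiry"])
            if cert is None:
                actions.append("no certification on file")
            elif cert < today:
                actions.append("certification expired")
            elif cert - today <= CERT_WARNING:
                actions.append("certification expires within 90 days")
        results.append({"vendor": row["vendor"], "critical": critical,
                        "spend": int(row["annual_spend_inr"]), "actions": actions})
    return results


def spend_vs_impact(results):
    """Name the highest-spend vendor and whether it is critical; in the sample the
    biggest contract is a substitutable raw-material supplier, i.e. not critical."""
    top = max(results, key=lambda r: r["spend"])
    return top["vendor"], top["critical"]


def demo(today=date(2025, 3, 1)):
    """Run the sample register against a fixed review date so output is stable."""
    return assess_register(SAMPLE_REGISTER, today)


if __name__ == "__main__":
    report = demo()
    for r in report:
        tag = "CRITICAL" if r["critical"] else "non-critical"
        print(f"{r['vendor']:<18} {tag:<13} {'; '.join(r['actions']) or 'ok'}")
    name, crit = spend_vs_impact(report)
    print(f"\nHighest spend: {name} (critical={crit})")
```

Run it as-is to see the report; in practice, point `assess_register` at an export of your own register and run it from a monthly or quarterly job so the review log at the 'Defined' level is produced by the same check every time. Note that the accounting SaaS is flagged critical on the customer-data criterion even though it tolerates a two-day outage, which is the point made under the SaaS pitfall below.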
Documents and records that prove your maturity level.
- A master vendor list (spreadsheet or database) with all suppliers, including their classification as critical or non-critical
- A documented Vendor Classification Policy that defines the criteria for marking a vendor as critical (e.g., data access, payment handling, business continuity impact)
- For critical vendors only: a signed contract or security addendum that includes security requirements and Service Level Agreements (SLAs)
- Completed vendor security assessment questionnaires for all critical vendors (showing what security controls they have in place)
- A vendor review log showing that classifications are reviewed and updated at least annually, with dates and approvals
Prepare for these questions from customers or third-party reviewers.
- "Show me your list of critical vendors and explain what criteria you used to identify them as critical."
- "If I pick one of your critical vendors at random, can you show me their security assessment and contract terms that cover your security requirements?"
- "How often do you review and update your vendor classifications? Show me evidence of the last review."
- "What happens if one of your critical vendors fails or is compromised? Do you have a backup plan or alternative vendor documented?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a simple vendor master list with classification | Google Sheets or LibreOffice Calc (add a 'Critical/Non-Critical' column; share read-only link with team) | Zoho CRM or Freshworks (₹3,000-8,000/month) – includes vendor management dashboards |
| Assess vendor security practices through a standardized questionnaire | CERT-In Vendor Security Assessment Template (available on cert-in.org.in), or create your own using ISO 27001 Annex A controls | EZSourced or Vendict (₹50,000-2,00,000/year) – automated vendor assessment and risk scoring |
| Track and monitor critical vendor compliance and risk | Simple spreadsheet with monthly checklist of SLA compliance and incident tracking | Drata or Vanta (₹2,00,000-5,00,000/year) – continuous vendor compliance monitoring |
- Marking too many vendors as critical: It is common for an MSME to end up with most of its vendor list flagged as critical, which defeats the purpose. Be disciplined: critical means the business stops if they fail for more than a few hours.
- Not updating the vendor list regularly: The list is created and then forgotten. Six months later, you're still assessing vendors you stopped using last year, while new ones have never been classified. Assign someone to review it quarterly.
- Classifying vendors by spend instead of impact: A low-cost vendor handling your customer payment data is more critical than a high-cost raw material supplier that has substitutes. Don't confuse cost with criticality.
- Creating the classification but not using it: The list exists, but security requirements, SLAs, and contract terms are not different for critical vendors. This wastes the effort and creates no actual risk reduction.
- Assuming all software-as-a-service (SaaS) vendors are non-critical: Many Indian businesses underestimate the risk from cloud vendors (email, accounting software, customer databases). If your business would stop without it, it's critical.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2) and Section 8(5) – a Data Fiduciary may engage a Data Processor only under a valid contract and must implement reasonable security safeguards; a processor's failure is still your responsibility |
| CERT-In Directions (April 2022) | Apply to service providers, intermediaries, data centres and body corporates, which includes your hosting, cloud and SaaS vendors; incidents must be reported to CERT-In within 6 hours and ICT logs retained for 180 days, so critical-vendor contracts should require prompt incident notification and access to relevant logs |
| ISO 27001:2022 | Annex A 5.19–5.22 (information security in supplier relationships, supplier agreements, the ICT supply chain, and monitoring and review of supplier services) – requires identification, assessment, and monitoring of suppliers with access to information assets |
| NIST CSF 2.0 | GV.SC (Cybersecurity Supply Chain Risk Management), in particular GV.SC-04 – suppliers are known and prioritised by criticality |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.