If a vendor handling your data gets breached, your customers' personal information (names, phone numbers, addresses, payment details) can be stolen and sold, leading to loss of customer trust and potential legal action against you. An Indian manufacturing business that outsources payroll processing discovered their payroll vendor's servers were hacked, exposing employee salary details and bank information—the business faced employee lawsuits and couldn't meet compliance requirements. You could face regulatory fines under DPDP Act 2023 because you failed to ensure the vendor met basic security standards. Your ability to win large contracts from bigger companies or e-commerce platforms depends on proving you control vendor security—without this, you lose business opportunities.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You don't know which vendors have access to your data or what they do to protect it. Your team shares login credentials, spreadsheets, or files with vendors via WhatsApp or personal email without any agreement about how they'll keep it safe. |
| Initial | You have a rough list of vendors and you know they handle some of your data, but you've never asked them formal questions about their security practices. You may have signed a basic agreement, but it doesn't mention data protection or security requirements. |
| Developing | You have a documented list of all vendors who access your data and you've sent them a simple questionnaire or checklist asking about basic security (password policies, antivirus, backups). You keep their responses in a file, but you don't formally review or update them. |
| Defined | You have a formal vendor assessment process where you collect and review security information from all critical vendors using a standard questionnaire. You document which vendors handle sensitive data (customer records, financial data, intellectual property) separately from those handling general data. |
| Managed | You conduct annual or bi-annual security reviews of critical vendors, require them to provide evidence (such as security certifications or audit reports), and update their risk ratings. You have a contractual requirement that vendors notify you of any security incidents within 72 hours. |
| Optimised | You maintain an active vendor risk management program with continuous monitoring, periodic security audits or assessments of high-risk vendors, documented incident response procedures with vendors, and you evaluate vendor security performance as part of contract renewal decisions. Your team regularly communicates security updates and threats to vendors and tracks their remediation efforts. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple spreadsheet listing all vendors who have access to any of your business data (cloud storage, email, accounting software, payroll, design files, customer databases, etc.) and note what type of data each one can see. | Business owner or office manager | 1-2 days |
| 1 → 2 | Prepare a basic vendor security questionnaire (10-15 simple questions about password security, backups, antivirus, whether they encrypt data, how they control employee access) and send it to all vendors on your list. Store their responses in a folder. | IT person or business owner | 1 week |
| 2 → 3 | Classify vendors into three groups: Critical (access to customer data, financial data, or IP), Important (access to operational data), Low-risk (general services). Create a formal vendor security assessment template and require signed confirmation of security practices from all Critical vendors. Document your risk assessment. | IT person with business owner input | 2-3 weeks |
| 3 → 4 | Develop a vendor security agreement or add security clauses to your vendor contracts requiring them to maintain basic security controls, notify you of breaches within 72 hours, and allow you to audit their security practices. Request security certifications or third-party audit reports from critical vendors. | Business owner with legal advisor | 1-2 months |
| 4 → 5 | Implement annual vendor security reviews, create a tracking system for vendor incidents and remediation, establish a vendor risk scoring methodology, and integrate vendor security performance into contract renewal discussions. Conduct periodic security audits (annual or biennial) of your highest-risk vendors. | IT person with business owner oversight | Ongoing (2-4 hours per month) |
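One way to keep the vendor list from step 0 → 1 honest against the checks the later steps introduce, as an added example that is not part of the original page: a short Python script that tiers each vendor by the data it can access (the step 2 → 3 rule) and flags the evidence gaps the later steps call for (signed assessment, 72-hour breach notice, a review within 12 months). The vendor names, dates and contract terms are constructed, not real vendors.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Data categories the page uses to tier vendors (step 2 -> 3).
CRITICAL_DATA = {"customer data", "financial data", "intellectual property"}
IMPORTANT_DATA = {"operational data"}

@dataclass
class Vendor:
    name: str
    data_access: Set[str]                    # data categories the vendor can see
    assessment_signed: bool = False          # signed security assessment on file
    breach_notice_hours: Optional[int] = None  # contractual notification window
    last_review: Optional[date] = None       # date of the last security review

def classify(vendor: Vendor) -> str:
    """Tier a vendor by the most sensitive data it can access."""
    if vendor.data_access & CRITICAL_DATA:
        return "Critical"
    if vendor.data_access & IMPORTANT_DATA:
        return "Important"
    return "Low-risk"

def gaps(vendor: Vendor, today: date) -> list:
    """Return the evidence gaps a reviewer would flag; empty list means none."""
    tier = classify(vendor)
    found = []
    if tier == "Critical" and not vendor.assessment_signed:
        found.append("no signed security assessment")
    if tier != "Low-risk":
        if vendor.breach_notice_hours is None or vendor.breach_notice_hours > 72:
            found.append("breach notification clause missing or longer than 72 hours")
        if vendor.last_review is None or today - vendor.last_review > timedelta(days=365):
            found.append("no security review in the last 12 months")
    return found

def build_register(vendors, today: date) -> dict:
    """Map each vendor name to its tier and outstanding gaps."""
    return {v.name: {"tier": classify(v), "gaps": gaps(v, today)} for v in vendors}

# Constructed sample register (hypothetical vendors).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", {"financial data"}, True, 72, date(2024, 9, 1)),
    Vendor("DesignCloud", {"intellectual property"}),
    Vendor("CourierApp", {"operational data"}, False, 168, date(2023, 1, 15)),
    Vendor("OfficeSupplies", set()),
]

if __name__ == "__main__":
    for name, entry in build_register(SAMPLE_VENDORS, date(2025, 1, 10)).items():
        print(name, entry["tier"], entry["gaps"] or ["none"])
```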
Documents and records that prove your maturity level.
- A documented list or spreadsheet of all vendors with access to your business data, including the type of data each vendor can access
- Signed vendor security questionnaire responses or security assessment forms from at least your critical vendors
- A vendor risk classification document showing which vendors are Critical, Important, or Low-risk based on the data they access
- Evidence of vendor communication: copies of emails or signed agreements where vendors commit to security practices, breach notification timelines, and audit rights
- A vendor security review record from the last 12 months showing you contacted vendors, received updates, and documented their security status
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the list of all vendors and third parties who have access to your customer data or sensitive business information?"
- "What questions did you ask these vendors about how they protect the data you share with them, and what were their responses?"
- "How do you know if a vendor's security practices are adequate? Do you have any criteria or checklist you use to assess them?"
- "If a vendor suffered a data breach, how would you find out? Do they have any obligation to tell you, and within what timeframe?"
- "How often do you review vendor security practices, and what do you do if you find they don't meet your standards?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and manage vendor security questionnaires and track responses | Google Forms + Google Sheets (no cost, basic but effective for small businesses) | OneTrust or similar vendor risk management platforms (₹50,000–200,000/year; overkill for most MSMEs) |
| Maintain a simple vendor risk register and assessment tracker | Excel/Google Sheets with custom templates (sufficient for small businesses) | Vanta or Drata vendor modules (₹100,000–300,000/year; primarily for startups with compliance requirements) |
| Create contracts with vendor security clauses and track signed agreements | Free templates from NASSCOM or similar Indian business groups; use Google Docs for tracking | Legal document management tools like DocuSign or Zoho Sign (₹2,000–10,000/year) |
- Assuming a vendor is secure because they're a well-known brand or because they operate at large scale—large vendors can have weak internal security practices, and brand size doesn't guarantee data protection.
- Signing vendor contracts without reading or negotiating data security clauses, or not requiring vendors to agree to breach notification timelines—when a breach happens, you won't know until weeks later, by which time damage is already done.
- Treating all vendors the same and not prioritizing assessment of vendors who handle the most sensitive data (customer information, payment details, intellectual property)—you waste effort assessing low-risk vendors while missing critical risks.
- Not updating vendor assessments after initial sign-up—vendors change their systems, move to new cloud platforms, or reduce security investments over time, but you never check again.
- Collecting vendor security questionnaires but never actually reviewing them or following up when they indicate poor security practices—this creates false confidence without reducing actual risk.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (processor obligations); Section 8 (consent); Section 13 (data breach notification requirement) |
| CERT-In 2022 Guidelines | Security audit recommendation for third-party and vendor risk management |
| ISO 27001:2022 | A.5.19 (Contacts with authorities); A.5.20 (Contacts with special interest groups); A.5.23 (Information security for supplier relationships) |
| NIST CSF 2.0 | Govern (GV) domain: GV.RO (Risk and Oversight); Protect (PR) function: PR.AC (Access Control) |