NCSRC NIRMATA
SCS-11 Supply-Chain Security 8% of OML score

Are new vendors reviewed before being given access to systems or data?

Before you let a new vendor (supplier, contractor, software company, or service provider) access your computers, files, or customer data, do you check them out first? This question asks whether you have a process to evaluate vendors for trustworthiness and security practices before giving them the keys to your systems.

⚡ Why This Matters to Your Business

If you skip vendor checks, you could hire someone who steals data, installs malware, or locks you out of your own systems—and by then they're already deep inside your business. A manufacturing company in Bangalore hired a local IT contractor without vetting; he copied their CAD designs and sold them to a competitor, costing ₹2 crore in lost intellectual property. Regulators like CERT-In now expect you to prove you screened vendors, and customers (especially large ones) will audit you and stop working with you if you can't show you did. An unvetted vendor is like giving a stranger your house keys without asking who they are.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You add new vendors whenever someone asks, with no checks at all. Your boss or staff just give access because the person seems nice or came with a referral from someone you know.

Level 1
Initial

You sometimes ask for a company name and phone number before hiring a vendor, but there's no written process and it happens inconsistently. One person might vet a vendor; another person might skip it entirely.

Level 2
Developing

You have a simple one-page vendor checklist that asks for company details, references, and insurance, and someone signs off on it before access is given. The checklist exists but isn't always followed, and you don't keep records consistently.

Level 3
Defined

You have a documented vendor review process that is always followed: you check company registration, GST status and references, ask about their security practices, and keep signed approval records. Vendors are given minimal access at first, and only what they need for their job.

Level 4
Managed

Your vendor process includes background checks (where legal), security questionnaires, and reviews of their own cybersecurity practices; contracts require confidentiality and data protection clauses; access is logged and reviewed quarterly. You maintain a vendor risk register and re-check high-risk vendors annually.

Level 5
Optimised

Vendor screening is fully automated with a risk-scoring system; third-party security assessments are required; continuous monitoring happens during the vendor relationship; security incidents involving vendors trigger automatic access suspension; you have documented vendor lifecycle management from onboarding to offboarding.

🚀 How to Move Up — Practical Steps

Step 0 → 1
  What to do: Write down on a single sheet the basic questions you will ask every new vendor: company name, registration number, years in business, and one reference contact. Print it out and stick it on the wall by the office phone.
  Who: Business Owner or Office Manager
  Effort: 2-3 hours, one day

Step 1 → 2
  What to do: Create a simple one-page Vendor Approval Form asking for: company details, GST/PAN, insurance proof (if applicable), two references, and sign-off by the manager. Keep a folder (physical or digital) with copies of every form filled out. Make it a rule that no vendor gets access without a signed form.
  Who: HR Lead or Office Administrator with Boss approval
  Effort: 3-5 days to design and pilot; then ongoing

Step 2 → 3
  What to do: Upgrade the form into a documented Vendor Assessment Policy: include questions about security (Do you have antivirus? Do you handle confidential data securely?), require written manager approval before access, define what 'access' means (email, office network, customer data, etc.), and create an Access Request form that links to the vendor assessment. Train all staff who hire vendors on this process.
  Who: Compliance Owner or IT Manager with Management approval
  Effort: 2-4 weeks including staff training

Step 3 → 4
  What to do: Create a Vendor Risk Register spreadsheet that tracks: vendor name, risk level (low/medium/high based on access type and data handled), contract renewal date, last security review, and any incidents. Add to contracts a clause requiring vendors to notify you of security breaches within 24 hours. Implement quarterly vendor access reviews and document them.
  Who: Compliance Owner or Security Lead
  Effort: 1-2 months to design, implement, and review first batch

Step 4 → 5
  What to do: Integrate vendor screening into a dashboard tool that flags high-risk vendors automatically; require all medium- and high-risk vendors to submit security questionnaires or certifications; set up alerts if vendor access is unused for 60+ days; conduct annual re-assessments; integrate vendor incidents into your security incident response plan.
  Who: IT Manager or dedicated Compliance role
  Effort: Ongoing quarterly reviews and continuous monitoring
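As an added example (not code from the NIRMATA guide or from any tool it names), the following Python script runs the checks the 3 → 4 and 4 → 5 steps describe over a small vendor risk register: a low/medium/high rating derived from access type and data handled, a flag for vendor access unused for 60+ days, an overdue annual re-assessment for medium- and high-risk vendors, and contracts that have ended or are about to renew. The column names, the scoring weights, and the 30-day renewal window are assumptions of this example; the vendor rows are constructed sample data, not real vendors.

```python
"""Vendor risk register checks: risk rating, stale access, overdue reviews.

Added example, not part of the guide. Column names, score weights and the
30-day renewal window are assumptions; the 60-day idle and annual review
thresholds come from the guide's steps. All vendor rows are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed ordering of access types and data classes, least to most sensitive.
ACCESS_SCORE = {"none": 0, "email": 1, "office_network": 2, "admin": 3}
DATA_SCORE = {"none": 0, "internal": 1, "customer_pii": 2, "financial": 2}


@dataclass
class Vendor:
    name: str
    access_type: str              # one of ACCESS_SCORE keys
    data_handled: str             # one of DATA_SCORE keys
    last_access: Optional[date]   # None = access granted but never used
    last_review: Optional[date]   # None = never re-assessed
    contract_end: date
    incidents: int = 0


def risk_level(access_type: str, data_handled: str, incidents: int = 0) -> str:
    """Rate low/medium/high from access type and data handled (assumed rule)."""
    score = ACCESS_SCORE[access_type] + DATA_SCORE[data_handled]
    if incidents > 0:
        score += 1  # any recorded incident bumps the score by one
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def stale_access(v: Vendor, today: date, max_idle_days: int = 60) -> bool:
    """True if the vendor still holds access but has not used it for 60+ days."""
    if v.access_type == "none":
        return False
    if v.last_access is None:
        return True
    return (today - v.last_access).days >= max_idle_days


def review_overdue(v: Vendor, today: date, max_age_days: int = 365) -> bool:
    """True if the annual re-assessment is missing or older than a year."""
    if v.last_review is None:
        return True
    return (today - v.last_review).days > max_age_days


def check_register(register: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor name, finding) pairs that the quarterly review should act on."""
    findings: List[Tuple[str, str]] = []
    for v in register:
        level = risk_level(v.access_type, v.data_handled, v.incidents)
        if stale_access(v, today):
            findings.append((v.name, "access unused for 60+ days: suspend pending review"))
        if level in ("medium", "high") and review_overdue(v, today):
            findings.append((v.name, f"{level}-risk vendor: annual re-assessment overdue"))
        if v.contract_end < today and v.access_type != "none":
            findings.append((v.name, "contract ended but access still active: offboard"))
        elif 0 <= (v.contract_end - today).days <= 30:  # assumed 30-day reminder window
            findings.append((v.name, "contract renews within 30 days: schedule review"))
    return findings


TODAY = date(2025, 3, 1)  # fixed "today" so the run is reproducible

# Constructed sample register (not real vendors).
SAMPLE_REGISTER = [
    Vendor("Acme IT Services (sample)", "admin", "customer_pii",
           last_access=date(2025, 2, 27), last_review=date(2024, 11, 5),
           contract_end=date(2025, 12, 31)),
    Vendor("Quick Print Shop (sample)", "email", "internal",
           last_access=date(2024, 12, 1), last_review=None,
           contract_end=date(2025, 6, 30)),
    Vendor("Old CAD Contractor (sample)", "office_network", "internal",
           last_access=date(2024, 9, 15), last_review=date(2023, 8, 1),
           contract_end=date(2024, 10, 31)),
    Vendor("Canteen Supplier (sample)", "none", "none",
           last_access=None, last_review=None,
           contract_end=date(2025, 3, 20)),
]

if __name__ == "__main__":
    for name, finding in check_register(SAMPLE_REGISTER, TODAY):
        print(f"{name}: {finding}")
```

Running the script lists six findings: the sample print shop is flagged for 90 days of unused email access and a missing review, the former CAD contractor for stale access, an overdue review and an expired contract with access still live (the pitfall in the next section), and the canteen supplier only for an upcoming renewal, since it holds no system access. Vendors with no findings simply do not appear, which keeps the quarterly review focused on what needs a decision.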
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Vendor Assessment Form or Checklist (signed copy) for every active vendor, kept in a central file or folder
  • Vendor Risk Register or spreadsheet listing all vendors, their access level, date of last review, and risk rating
  • Signed vendor access request approvals showing manager review before system access was granted
  • Contracts or signed agreements with vendors that include confidentiality and data protection clauses
  • Evidence of at least one vendor re-check (e.g., reference call notes, updated security questionnaire, or annual review document)
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your process for approving new vendors before they get access to systems or data. Do you have a documented policy or form?"
  • "Who was the last vendor you onboarded? Walk me through exactly what checks you did before giving them access, and show me the paperwork."
  • "What questions do you ask vendors about their own security practices—do you have a questionnaire or checklist?"
  • "How do you ensure vendors only get access to what they actually need for their job, and how do you remove their access when they leave?"
  • "Have you ever had a vendor cause a security issue or leak data? If so, what happened and what did you change as a result?"
🛠 Tools That Work in India

Purpose: Simple form to collect vendor information and approval sign-offs
  Free option: Google Forms (linked to Google Sheets for automatic record-keeping) or Microsoft Forms
  Paid option: Jotform (₹1,500–5,000/year depending on submissions) or Typeform

Purpose: Spreadsheet to track vendors, risk levels, and review dates
  Free option: Google Sheets or Microsoft Excel (on OneDrive for backup)
  Paid option: Airtable (₹1,200–6,000/year) for more advanced vendor database features

Purpose: Send security questionnaires to vendors and collect their responses
  Free option: Google Forms or email with attached Word/PDF document
  Paid option: Vendormate or SecurityScorecard (starting ₹50,000+/year, usually for larger businesses)

Purpose: Store and organize vendor contracts and approvals securely
  Free option: Google Drive with folder structure and access controls
  Paid option: SharePoint (via Microsoft 365 at ₹3,000–8,000 per user/year) or Box (₹2,000–8,000/user/year)

Purpose: Set reminders for vendor access reviews and contract renewals
  Free option: Google Calendar with shared reminders or Trello board
  Paid option: Monday.com (₹2,000–8,000/month) or Asana (₹1,500–6,000/month)
🛡 How This Makes You More Resilient
When you screen vendors before they access your systems, you catch risky ones before they can cause damage—stopping data theft, malware installation, or accidental exposure of customer information before it happens. Your business stays operational and your customer trust stays intact, rather than facing weeks of disruption, expensive incident response, and regulatory fines. You're also ready if an auditor or major customer asks to prove you took care in choosing who touches your data.
⚠️ Common Pitfalls in India
  • Trusting vendors based only on personal referrals ('He's my cousin's friend, he's trustworthy') without any formal checks—this is the most common gap in Indian MSMEs and leaves you exposed.
  • Asking vendors to sign NDAs but not checking whether they actually have security practices to protect confidential data, leading to accidental leaks by careless vendors.
  • Giving vendors full system access on day one instead of limiting them to only what they need, so if they turn out to be risky, the damage is already huge.
  • Forgetting to remove vendor access after the project ends, leaving inactive accounts that can be exploited or abused later.
  • Assuming that because a vendor has a fancy website or big-company clients, they are secure—many ransomware attacks start via vendors who looked professional but had no real security controls.
⚖️ Compliance References

Standard and relevant section:
  • DPDP Act 2023: Section 8 (consent), Section 9 (transparency), and Schedule 2 (consent rules requiring disclosure of third parties who will process data)
  • CERT-In Directions 2022: Direction 2(d) on securing networks against unauthorized access, and implicit in critical information infrastructure (CII) vendor management expectations
  • ISO 27001:2022: Clause 8.4 (supplier relationships) and Annex A.5.17 (supplier security)
  • NIST CSF 2.0: Govern function - GV.RO-01 (roles and responsibilities for third parties) and GV.RM-01 (vendor/supplier risk management)

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
