When vendors aren't discussed at management level, bad decisions get made quietly—like keeping a cloud provider with weak security because IT is comfortable with them, or continuing with a vendor after a data breach because no one told the MD. A real Indian scenario: a manufacturing company in Pune lost ₹40 lakhs when their logistics vendor's email was hacked and fake payment instructions were sent—the MD had never been briefed on that vendor's security practices. Without management visibility, you also fail compliance audits and lose customer trust when they discover you don't even know who handles their data.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no list of critical vendors and no meetings where vendor risks are discussed. Your MD finds out about vendor problems when customers complain or when something breaks.
- Initial: You have a rough list of key vendors (maybe in an Excel sheet), but vendor security is only talked about in IT team conversations, never escalated to management unless there's already a crisis.
- Developing: You have identified your top 5-10 critical vendors and someone documents major vendor issues informally, but there's no scheduled management discussion—it happens ad hoc when problems surface.
- Defined: You hold quarterly management meetings specifically to review vendor risks, vendor security assessments are done at least once a year, and decisions are documented (e.g., 'approved continued use with remediation plan').
- Managed: You have a formal vendor risk management policy, scorecards for each critical vendor (security, uptime, compliance), and management reviews these monthly or quarterly with documented decisions and action items.
- Optimised: You maintain a live vendor risk dashboard reviewed at every management meeting, conduct annual security audits or assessments for critical vendors, have contracts with SLAs and security clauses, and decisions are tracked with clear ownership and follow-up.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple list of all vendors who handle customer data, company financials, or critical operations (e.g., cloud provider, payment processor, HR software, email hosting). Mark which ones are 'critical'. | IT person or owner | 1 day |
| 1 → 2 | Schedule a one-time meeting with MD/owner, finance head, and IT person to review the critical vendor list and discuss any known issues or concerns from the past 12 months. Document what was discussed and any action decided. | IT person (organise), MD (attend and decide) | 1 week to schedule and conduct |
| 2 → 3 | Set up a quarterly vendor risk review meeting (calendar recurring). Before each meeting, IT prepares a 1-page report on each critical vendor covering: any incidents, security updates checked, contract renewals due, compliance certifications. MD approves continuation or changes. | IT person (prepare report), MD (lead meeting) | 2-4 weeks to design template and prepare first report |
| 3 → 4 | Develop a Vendor Risk Assessment form (simple scoring: data handled, security certifications, uptime record, incident history). Assign each critical vendor a risk level (Low/Medium/High). Document approval from MD for each risk level and actions to reduce risk. | IT person (create form, assess vendors), MD (approve risk ratings) | 1-2 months including vendor outreach for security info |
| 4 → 5 | Automate vendor risk tracking (spreadsheet with conditional formatting or simple tool like Airtable). Add contractual clauses requiring annual security certification or audit. Implement quarterly security questionnaire for all critical vendors. Integrate vendor risk into MD's monthly business review. | IT person (maintain, send questionnaires), Contracts/Legal (add clauses) | Ongoing—4-6 hours per month |
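An added example, not code from the page or the NIRMATA tool, of the Vendor Risk Assessment scoring from step 3 → 4 and the quarterly 1-page report from step 2 → 3. The four scoring inputs (data handled, security certifications, uptime record, incident history) come from the table above; the weights, thresholds, 90-day renewal window and the three sample vendors are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
# Weights and thresholds are illustrative assumptions; the page names only the criteria.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "financial": 3, "customer_personal": 4}
@dataclass
class Vendor:
    name: str
    data_handled: str                # key into DATA_SENSITIVITY
    certifications: List[str]        # e.g. ["ISO 27001", "SOC 2"]
    uptime_pct_12m: Optional[float]  # None = vendor never reported uptime
    incidents_12m: int
    contract_renewal: date
    info_collected: bool = True      # False = security questionnaire never answered
def risk_score(v: Vendor) -> int:
    score = DATA_SENSITIVITY[v.data_handled]
    score += {0: 3, 1: 1}.get(len(v.certifications), 0)  # no certification = +3
    if v.uptime_pct_12m is None or v.uptime_pct_12m < 99.5:
        score += 2                   # unreported uptime is scored like poor uptime
    score += min(v.incidents_12m, 3)  # cap so one noisy vendor cannot dominate
    if not v.info_collected:
        score += 2                   # "unknown" counts as risk, never as safe
    return score
def risk_level(score: int) -> str:
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"
def review_actions(v: Vendor, today: date) -> List[str]:
    actions = []                     # action items for the quarterly 1-page report
    if not v.info_collected:
        actions.append("send security questionnaire")
    if not v.certifications:
        actions.append("request ISO 27001 / SOC 2 evidence")
    if v.incidents_12m:
        actions.append(f"review {v.incidents_12m} incident(s) with MD")
    if v.contract_renewal - today <= timedelta(days=90):
        actions.append(f"renewal due {v.contract_renewal:%d %b %Y}: add security clauses")
    return actions

def quarterly_report(vendors: List[Vendor], today: date) -> List[dict]:
    rows = [{"vendor": v.name, "score": (s := risk_score(v)), "level": risk_level(s),
             "actions": review_actions(v, today)} for v in vendors]
    return sorted(rows, key=lambda r: -r["score"])  # highest risk first for the MD

# Constructed sample vendors (not real companies or data)
TODAY = date(2024, 7, 1)
VENDORS = [
    Vendor("CloudHost", "customer_personal", ["ISO 27001", "SOC 2"], 99.95, 0, date(2024, 8, 15)),
    Vendor("QuickLogistics", "financial", [], None, 1, date(2025, 1, 20), info_collected=False),
    Vendor("PayrollApp", "internal", ["ISO 27001"], 99.5, 0, date(2025, 4, 30)),
]
```

A vendor that has never answered a questionnaire lands in High even before any incident, which is the point of scoring missing information as risk rather than leaving the row blank.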
Documents and records that prove your maturity level.
- List of critical vendors with justification for why they are critical (e.g., 'Cloud provider—hosts all customer data')
- Minutes or notes from at least one management meeting in the past year discussing vendor risks or vendor-related decisions
- Vendor Risk Assessment or scorecard showing security, uptime, and compliance evaluation for each critical vendor
- Records of vendor security information gathered (e.g., copies of ISO 27001 certs, SOC 2 reports, responses to security questionnaires)
- Evidence of management approval or sign-off on vendor continuance or changes (email, meeting minutes, or a simple approval log signed by MD)
Prepare for these questions from customers or third-party reviewers.
- "Who at management level (not IT team) is responsible for vendor risk decisions, and can you show me a recent example of when they made or approved a decision about a vendor?"
- "How often do you formally review vendor risks and with whom? Can you share the minutes from your last vendor risk review meeting?"
- "If a critical vendor suffered a security breach, how would your management find out and who would decide whether to keep using them or switch?"
- "Do you have documented security requirements or expectations for your vendors, and how do you verify vendors meet them?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Simple tracking of critical vendors, their risk level, and assessment status | Google Sheets or Excel with conditional formatting (red/yellow/green for risk levels) | Airtable (₹999/month) or Monday.com (₹2,000/month) |
| Creating and sending security questionnaires to vendors to gather info on their controls | Google Forms or Typeform free tier | Typeform paid or Jotform (₹500-1,500/month) |
| Storing and organizing vendor security documents (certs, audit reports, contracts) | Google Drive or OneDrive with folder structure and access control | Keepfile (₹5,000/year) or DocuBank (₹8,000-15,000/year) |
- Only discussing vendors when there's a crisis—MD doesn't hear about most vendors until something breaks, so no proactive risk management happens
- Confusing vendor risk discussion with vendor selection—you pick vendors based on cost, then never review them again; management should be involved in ongoing risk, not just the initial choice
- Assuming IT will 'handle vendor security'—vendor risk has business, compliance, and financial impact, so IT alone cannot own it; it must be a management decision
- Not documenting decisions—verbal approval in a corridor meeting means no audit trail; document what was discussed and what management decided to do
- Using outdated or absent vendor security info—many Indian vendors have never been asked for certifications before, so your vendor list has no security data; you must actively collect this, not assume vendors will volunteer it
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 5 (data fiduciary responsibilities) and Section 8 (data processor obligations)—requires you to ensure vendors handling personal data have adequate safeguards |
| CERT-In Guidelines 2022 | Direction 5 (access control and third-party risk management) and Direction 6 (audit and monitoring of vendors) |
| ISO 27001:2022 | Clause 5.1 (leadership commitment) and Annex A, Control A.5.22 (supplier relationships) |
| NIST CSF 2.0 | Govern (GV) function, specifically GV.RO-04 (management of third-party and supply chain risk) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.