SCS-15: Supply-Chain Security (8% of OML score)

Has supply-chain security been reviewed in the last 12 months?

Have you checked in the past year whether all your software vendors, cloud services, hardware suppliers, and outsourcing partners are still secure and trustworthy? This means looking at their security practices, checking if they've had any breaches, and making sure they still meet your needs.

⚡ Why This Matters to Your Business

If a vendor gets hacked or cuts corners on security, your customer data or business operations can be compromised—and YOU are liable. For example, a manufacturing business in Bangalore discovered that their logistics vendor's email had been breached, allowing an attacker to intercept payment instructions and divert ₹45 lakhs to a fake account. A retail chain lost customer trust when a POS system vendor's negligence exposed payment card details. Without regular vendor reviews, you won't know these risks exist until the damage is done, and you could face regulatory fines under the DPDP Act if customer data is leaked through a vendor's carelessness.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no documented list of vendors or their security status. When asked about vendor security, you name a few but admit you don't formally track them or their security practices.

Level 1
Initial

You have a basic list of critical vendors written down (email, spreadsheet, or notebook), but you've never formally assessed their security or asked them for security information.

Level 2
Developing

You have a documented vendor list and you've asked some vendors for basic security information (such as whether they have firewalls or antivirus), but no formal written assessment exists and the process is ad hoc.

Level 3
Defined

You have a formal vendor list, a simple security questionnaire you send to all vendors, and you review responses annually; you document which vendors passed and which need improvement.

Level 4
Managed

You have a detailed vendor risk assessment process graded by criticality, you review vendors semi-annually or when major changes occur, and you have written agreements requiring them to notify you of breaches within 72 hours.

Level 5
Optimised

You conduct continuous vendor monitoring (automated alerts, third-party risk monitoring tools), perform regular security assessments including on-site audits for critical vendors, and have an active incident response plan that includes vendor breach scenarios.

🚀 How to Move Up — Practical Steps

Step 0 → 1
  What to do: Create a simple spreadsheet listing all vendors you depend on for IT, data handling, operations, or customer service. Include their contact person, service provided, and date added.
  Who: Business owner or IT manager
  Effort: 1–2 days

Step 1 → 2
  What to do: Design a basic one-page vendor security questionnaire (10–15 questions: Do you have firewalls? Data encryption? Backup systems? Incident response plan?). Email it to all vendors and collect responses.
  Who: IT manager or outsourced IT consultant
  Effort: 1 week

Step 2 → 3
  What to do: Formalize the process: create a vendor risk register with scoring (critical/medium/low), document questionnaire responses, assign one person to own vendor reviews, and schedule annual review dates in your calendar.
  Who: IT manager or compliance officer
  Effort: 2–4 weeks

Step 3 → 4
  What to do: Upgrade vendor agreements to include breach notification clauses (72 hours), data protection requirements, and audit rights. Implement a semi-annual review cycle with documented sign-offs.
  Who: IT manager with HR/legal input
  Effort: 1–2 months

Step 4 → 5
  What to do: Subscribe to a vendor risk monitoring service, implement automated alerts for vendor security incidents, and conduct annual on-site security reviews for your top-3 critical vendors. Integrate vendor risk into your incident response playbook.
  Who: IT manager or security officer
  Effort: Ongoing (quarterly reviews, quarterly vendor monitoring checks)
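The steps above amount to a register with a criticality score, a review cadence and a questionnaire-evidence target. As an added example (not part of the NIRMATA guide), the Python script below reads such a register from CSV, flags vendors whose review is overdue for their tier, lists vendors whose contract still lacks a breach-notification clause, and computes the share of critical vendors with a questionnaire dated within the last 12 months. The vendor rows are constructed sample data; the column names and the 182-day cycle for critical vendors (everyone else annual) are assumptions modelled on the steps.

```python
"""Vendor risk register check: overdue reviews, missing clauses, evidence coverage.

Added example, not code from the NIRMATA guide. Column names, cadence rules
and all vendor rows are assumptions / constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: the step 0 -> 1 spreadsheet plus the scoring
# columns from step 2 -> 3. Dates are ISO yyyy-mm-dd; empty = not on file.
REGISTER_CSV = """\
vendor,service,criticality,last_review,questionnaire_date,contract_breach_clause
CloudHost Ltd,hosting,critical,2024-01-15,2024-01-10,yes
PayGate Pvt Ltd,payment gateway,critical,2023-03-01,2023-02-20,no
QuickShip Logistics,logistics,critical,2024-06-01,,yes
DeskPrint Services,printing,low,2022-05-10,2022-05-10,no
HRPortal SaaS,payroll,medium,2024-02-01,2024-02-01,yes
"""

# Review cadence per tier (assumption: critical vendors follow the semi-annual
# cycle from step 3 -> 4, medium/low vendors the annual cycle from step 2 -> 3).
REVIEW_INTERVAL_DAYS = {"critical": 182, "medium": 365, "low": 365}
EVIDENCE_WINDOW_DAYS = 365   # questionnaire must be dated within the last 12 months
EVIDENCE_TARGET = 0.8        # "at least 80% of critical vendors" from the evidence list


def parse_register(text):
    """Parse the CSV register; normalise tier names and convert date columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["criticality"] = row["criticality"].strip().lower()
        for field in ("last_review", "questionnaire_date"):
            value = row[field].strip()
            row[field] = date.fromisoformat(value) if value else None
        rows.append(row)
    return rows


def overdue_reviews(rows, today):
    """Vendors never reviewed, or reviewed longer ago than their tier allows."""
    overdue = []
    for row in rows:
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[row["criticality"]])
        last = row["last_review"]
        if last is None or today - last > interval:
            overdue.append(row["vendor"])
    return overdue


def missing_breach_clause(rows):
    """Vendors whose agreement does not yet carry the 72-hour notification clause."""
    return [r["vendor"] for r in rows
            if r["contract_breach_clause"].strip().lower() != "yes"]


def critical_evidence_coverage(rows, today):
    """Fraction of critical vendors with a questionnaire dated inside the window."""
    critical = [r for r in rows if r["criticality"] == "critical"]
    if not critical:
        return 1.0
    window = timedelta(days=EVIDENCE_WINDOW_DAYS)
    covered = [r for r in critical
               if r["questionnaire_date"] is not None
               and today - r["questionnaire_date"] <= window]
    return len(covered) / len(critical)


def review_register(text, today_iso):
    """Run all checks for the given review date and return the findings."""
    today = date.fromisoformat(today_iso)
    rows = parse_register(text)
    coverage = critical_evidence_coverage(rows, today)
    return {
        "overdue_reviews": overdue_reviews(rows, today),
        "missing_breach_clause": missing_breach_clause(rows),
        "critical_evidence_coverage": round(coverage, 3),
        "evidence_target_met": coverage >= EVIDENCE_TARGET,
    }


if __name__ == "__main__":
    for key, value in review_register(REGISTER_CSV, "2024-07-01").items():
        print(f"{key}: {value}")
```

Run against the sample rows on 2024-07-01, the script flags PayGate and DeskPrint as overdue and clause-less, and reports that only one of three critical vendors has current questionnaire evidence, so the 80% target is not met. Pointing it at your own register (export the spreadsheet as CSV with the same column headers) turns the annual review into a repeatable check rather than a one-off reading of the sheet.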

📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Dated vendor inventory spreadsheet or register listing all IT, cloud, outsourcing, and supply-chain vendors with last review date
  • Completed vendor security questionnaire responses (dated within last 12 months) from at least 80% of critical vendors
  • Documented vendor risk assessment or scoring sheet (e.g., criticality level, risk rating, remediation status)
  • Signed or dated vendor agreements that include security, data protection, and breach notification clauses
  • Annual vendor security review report or meeting minutes dated within the last 12 months, showing which vendors were reviewed and any actions taken

🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your vendor list and tell me when each vendor was last security-assessed."
  • "Do you have any written agreements with vendors about data security and breach notification timelines?"
  • "Has any vendor had a security incident or breach in the past 12 months, and if so, how did you respond?"
  • "How often do you review vendor security, and do you have documented evidence of that review (e.g., meeting notes, assessment forms)?"
  • "If a critical vendor (e.g., your cloud provider or payment processor) gets hacked, what's your plan to detect it and notify your customers?"

🛠 Tools That Work in India

Purpose: Track vendors and document security assessments
  Free option: Google Sheets or Microsoft Excel (with shared access; add columns for vendor name, service, review date, risk level, notes)
  Paid option: Airtable (₹800–1,200/month for small teams) or Notion (₹1,000/month for workspace)

Purpose: Monitor vendor security incidents and breaches
  Free option: Google Alerts (set alerts for each vendor's name + 'breach' or 'security incident') or CERT-In advisories (cert-in.org.in)
  Paid option: Everbridge (vendor risk module, ₹2–5 lakhs/year) or SecurityScorecard (₹3–8 lakhs/year)

Purpose: Create and send vendor security questionnaires
  Free option: Google Forms or Typeform (free tier; send standard security questions to vendors)
  Paid option: SurveySparrow (₹3,000–8,000/month) or Qualtrics (enterprise pricing)

🛡 How This Makes You More Resilient

By regularly reviewing vendor security, you catch risky vendors before they cause a breach, reducing the likelihood that customer data or operations will be compromised through a weak link in your supply chain. If a vendor does get breached, you'll know about it quickly because you've set up monitoring and agreements, so you can notify customers and regulators on time instead of discovering it weeks later. This builds customer trust and protects you from hefty DPDP Act penalties.

⚠️ Common Pitfalls in India

  • Only reviewing vendors when something goes wrong, instead of doing scheduled annual or semi-annual reviews; by then, the damage is often done.
  • Asking vendors a one-time questionnaire and then never following up; vendor security practices change, new staff may not follow old policies, and breaches happen undetected.
  • Treating all vendors as equally risky; you should prioritize reviews for vendors who handle customer data, payments, or critical operations (e.g., cloud hosts, payment gateways, logistics), not just minor service providers.
  • Not including security clauses in vendor contracts because you think it's 'too formal' for a small business; when a breach happens, you have no legal recourse and no right to audit or demand notification.
  • Relying only on vendor self-assessment; many Indian vendors don't have formal security programs and may not know whether they're truly secure, so asking them questions is necessary but not sufficient—check references and public breach databases.

⚖️ Compliance References

Standard: DPDP Act 2023
  Relevant section: Section 8 (data fiduciary obligations to ensure data processor security) and Schedule 2 (security safeguards including vendor oversight)

Standard: CERT-In 2022 Directions
  Relevant section: Direction 3 (IT security guidelines for entities handling critical infrastructure) emphasizes vendor risk management

Standard: ISO 27001:2022
  Relevant section: Annex A.5.19 (supplier relationships) and A.5.23 (information security for supplier relationships)

Standard: NIST CSF 2.0
  Relevant section: Govern (GV.RO-04: Supply chain risk is identified and managed) and Protect (PR.SL-01: Third-party risks are identified and managed)

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
