How-to Playbook

How to run a vendor security review

Your security is only as strong as the vendors you trust with data. Here is how to assess them by risk tier without drowning every vendor in the same questionnaire.

Talk to usFree to start - no card required.

Why you tier vendors first

Sending every vendor the same 200-question assessment wastes everyone time and buries the real risks. A vendor that stores your customer data deserves far more scrutiny than one that sells you office supplies. Tiering by the sensitivity of data and the criticality of the service focuses your review where it actually matters.

Tiering by risk

TierExampleDepth of review
CriticalProcesses customer PII or runs core infrastructureFull review + SOC 2, pen test, ongoing monitoring
ModerateHandles internal dataQuestionnaire + certification review
LowNo sensitive data accessLightweight check, periodic recheck
A simple vendor risk tiering

The review process

  1. 1Classify the vendor by data sensitivity and business criticality to set the tier.
  2. 2Request tier-appropriate evidence - SOC 2 report, ISO certificate, pen-test summary, or a questionnaire.
  3. 3Assess the evidence against your requirements and note any gaps.
  4. 4Track findings and required remediations with owners and due dates.
  5. 5Approve, approve with conditions, or reject - and record the decision.
  6. 6Re-review on a schedule and monitor for changes in the vendor posture.

How SentriAI runs vendor reviews

  • Vendor risk management tiers vendors and tracks the evidence and findings for each.
  • Reviews, remediations, and approvals carry owners, due dates, and an audit trail.
  • AI vendor risk management flags gaps and changes so critical vendors are monitored, not just reviewed once.
  • Vendor posture feeds the same risk register and continuous monitoring as your internal controls.

Frequently asked questions

What is a vendor security review?

It is the process of assessing a third-party vendor security posture before and during a relationship - reviewing certifications, questionnaires, and test results to decide whether trusting them with data or systems is acceptable. Tiering vendors by risk focuses the depth of review where the exposure is greatest.

How should I tier vendors for review?

By data sensitivity and business criticality. Vendors that process customer PII or run core infrastructure are critical and warrant a full review with ongoing monitoring. Those handling internal data get a questionnaire and certification check, and low-risk vendors with no sensitive access get a lightweight review.

What evidence should I request from vendors?

It depends on the tier. Critical vendors should provide a SOC 2 report, relevant certifications like ISO 27001, and often a penetration-test summary. Moderate vendors can be covered by a security questionnaire plus certifications. Match the evidence to the risk rather than sending everyone the same request.

How often should vendor reviews be repeated?

At least annually for meaningful vendors, and more often for critical ones. Because certifications lapse and postures change, point-in-time reviews leave gaps. Continuous monitoring of critical vendors catches a breach or an expired certification between scheduled reviews, when risk most often shifts.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Review vendors by real risk

SentriAI tiers vendors and monitors the critical ones continuously. Free to start, no card required.

Talk to us