Your organisation's security is only as strong as the weakest link in your supply chain. That's not just a cliché — it's the reason ISO 27001, Cyber Essentials Plus, and UK GDPR all require you to assess the security posture of the third parties you work with.
If a supplier has access to your systems, handles your customer data, or provides critical services to your business, their security failures become your security failures. The SolarWinds breach, the MOVEit vulnerability, and countless smaller incidents all followed the same pattern — an attacker found a way in through a trusted third party.
A supplier security assessment is how you understand and manage that risk before it becomes a problem.
What is a supplier security assessment?
A supplier security assessment is a structured process for evaluating how well a supplier protects the information and systems they handle on your behalf. It typically involves sending a questionnaire to the supplier, reviewing their responses and any supporting evidence, scoring the risk they represent, and deciding what to do about any gaps you find.
For most small and mid-sized businesses, a supplier security assessment doesn't need to be a lengthy audit process. A well-designed questionnaire covering the key risk areas, combined with a consistent scoring approach, is enough to give you a defensible view of your supply chain risk.
Who should you assess?
Not every supplier needs the same level of scrutiny. Before you start sending questionnaires, categorise your suppliers by the risk they represent.
High risk suppliers are those who have access to sensitive data, process personal data on your behalf, have administrative access to your systems, or provide services you depend on to operate. These suppliers need a full assessment.
Medium risk suppliers have limited access to your systems or data, or provide services that are important but not critical. A lighter touch questionnaire is appropriate here.
Low risk suppliers provide commoditised services with no meaningful access to your data or systems — office supplies, catering, facilities management. These typically don't need a formal security assessment at all.
What to include in a supplier security questionnaire
A supplier security questionnaire should cover the following areas:
Information security management
- Does the supplier have a documented information security policy?
- Do they hold ISO 27001 certification or equivalent? If so, who is their certifying body?
- Do they have a named individual responsible for information security?
- When was their information security policy last reviewed?
Access controls
- How do they control access to systems that hold your data?
- Do they enforce multi-factor authentication on systems that process your information?
- How do they manage and revoke access when employees leave?
- Do they apply the principle of least privilege when granting access?
Data handling and protection
- Where is your data stored — on-premises, in the cloud, or with a third-party host?
- Is data encrypted at rest and in transit?
- Do they have a documented data retention and disposal policy?
- Have they completed a data protection impact assessment where required?
Vulnerability and patch management
- How do they identify and manage security vulnerabilities in their systems?
- What is their process for applying security patches and updates?
- Do they conduct regular vulnerability scanning or penetration testing?
Incident management
- Do they have a documented incident response plan?
- How would they notify you in the event of a security incident affecting your data?
- Have they experienced any security incidents or data breaches in the last 24 months?
Business continuity
- Do they have a business continuity plan that covers the services they provide to you?
- How quickly could they restore services following a major incident?
- When was their business continuity plan last tested?
Sub-processors and fourth parties
- Do they use any sub-processors or third parties to deliver the service they provide to you?
- If so, how do they assess and manage the security of those sub-processors?
How to score supplier responses
Once a supplier returns their questionnaire, you need a consistent way to assess their responses. A simple scoring approach works well for most small businesses.
For each question, score the response as one of three ratings — satisfactory, requires improvement, or unsatisfactory. Weight the scores based on the risk category of the question. Access controls and data handling questions should carry more weight than general policy questions.
Once you have an overall score, categorise the supplier into one of three risk tiers — low risk, medium risk, or high risk. Your response to each tier should be defined in advance:
- Low risk — accept and monitor annually.
- Medium risk — accept with conditions; request remediation of key gaps within an agreed timeframe.
- High risk — escalate to senior management; consider whether the relationship should continue or whether contractual protections need strengthening.
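The scoring and tiering procedure above, as an added Python example that is not part of the original article. The category weights, the points given to each rating, the tier thresholds and the sample responses are all assumptions, chosen to show how weighting access-control and data-handling questions more heavily changes the outcome.

```python
# Added example: weighted questionnaire scoring and risk tiering.
RATING_POINTS = {"satisfactory": 1.0, "requires improvement": 0.5, "unsatisfactory": 0.0}

# Assumed weights: access controls and data handling count more than general policy questions.
CATEGORY_WEIGHTS = {
    "information security management": 1,
    "access controls": 3,
    "data handling and protection": 3,
    "vulnerability and patch management": 2,
    "incident management": 2,
    "business continuity": 1,
    "sub-processors and fourth parties": 2,
}

TIER_ACTIONS = {
    "low": "accept and monitor annually",
    "medium": "accept with conditions; agree a remediation timeframe for key gaps",
    "high": "escalate to senior management; review the relationship and contract terms",
}

def weighted_score(responses):
    """responses: list of (category, rating). Returns a 0-100 weighted percentage."""
    earned = sum(CATEGORY_WEIGHTS[c] * RATING_POINTS[r] for c, r in responses)
    possible = sum(CATEGORY_WEIGHTS[c] for c, _ in responses)
    if possible == 0:
        raise ValueError("no responses to score")
    return round(100 * earned / possible, 1)

def risk_tier(score, responses):
    """Assumed thresholds; an unsatisfactory answer in a weight-3 category forces 'high'."""
    critical_gap = any(CATEGORY_WEIGHTS[c] >= 3 and r == "unsatisfactory" for c, r in responses)
    if critical_gap or score < 50:
        return "high"
    return "medium" if score < 80 else "low"

def assess(responses):
    """Overall score, tier, the pre-agreed action for that tier, and the categories with gaps."""
    score = weighted_score(responses)
    tier = risk_tier(score, responses)
    gaps = sorted({c for c, r in responses if r != "satisfactory"})
    return {"score": score, "tier": tier, "action": TIER_ACTIONS[tier], "gaps": gaps}

# Constructed sample: one supplier's ratings, one entry per question answered.
SAMPLE = [
    ("access controls", "requires improvement"),           # MFA not enforced everywhere
    ("data handling and protection", "satisfactory"),
    ("vulnerability and patch management", "requires improvement"),
    ("incident management", "satisfactory"),
    ("business continuity", "unsatisfactory"),             # continuity plan never tested
    ("sub-processors and fourth parties", "satisfactory"),
]
```

Running `assess(SAMPLE)` on the constructed data yields a medium-risk supplier with three gap categories to put on a remediation plan; flipping a data-handling answer to unsatisfactory moves the same supplier to high risk regardless of its score.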
What to do with the results
A supplier security assessment is only valuable if you act on what you find. Common actions following an assessment include requesting a remediation plan from suppliers with significant gaps, updating your supplier contracts to include security obligations, adding higher risk suppliers to a more frequent review cycle, or in serious cases reconsidering the supplier relationship entirely.
Make sure every assessment is documented and stored somewhere you can find it. If you're working toward ISO 27001 certification, your auditor will want to see evidence that you assess supplier risk systematically — not just that you sent a questionnaire once.
How often should you reassess suppliers?
At a minimum, high risk suppliers should be reassessed annually, and medium risk suppliers every two years. You should also trigger a reassessment whenever there is a significant change — the supplier is acquired, they experience a public security incident, they change the systems or processes they use to deliver your service, or you significantly increase the scope of what they do for you.
Managing supplier assessments at scale
If you have more than a handful of suppliers, managing this process on spreadsheets becomes painful quickly. Tracking which suppliers have been assessed, when they're due for reassessment, which ones have outstanding remediation actions, and where your questionnaire responses are stored — across multiple files and email threads — is exactly the kind of thing that falls through the cracks.
SnapGRC's supplier management module lets you build your supplier register, send security questionnaires automatically, track responses, score risk, and set review reminders — all in one place. If you're managing supplier risk manually right now and want to see a better way, you can explore how SnapGRC handles supplier management here or book a free demo.
If you're just getting started and want a template to work from, our free risk assessment template is a good place to begin before you move to a dedicated platform.