Third-party vendor security risk management programme
as a continuous workflow on the engagement record, not a one-off spreadsheet per renewal

When the vendor assessment is owned by procurement and the security team is only consulted at onboarding, the cycle becomes a deal-closing checkbox rather than an ongoing programme. The recertification cadence slips because no one on the procurement side reads the SOC 2 expiry calendar. The vendor incident notification never reaches the named risk owner. The programme produces an onboarding artefact and nothing else. Running vendor risk as a continuous workflow on the engagement record gives security ownership of the cycle the procurement record alone cannot sustain.

Vendor questionnaires are self-attested. The SOC 2 report, ISO 27001 certificate, and pentest report are the assessor-validated evidence the questionnaire claims have to reconcile against. Programmes that score the questionnaire without reading the attestations approve vendors whose self-attested controls do not match the qualified opinion in their SOC 2 report. The discipline is reading both layers and recording the gap between them as a structured finding on the engagement rather than absorbing the discrepancy as analyst judgement.

A tier-3 low-risk vendor becomes a tier-1 production-data processor when the buying organisation expands the use case, integrates a new API, or migrates more workloads. Programmes that tier vendors at onboarding and never revisit miss the migration and continue to assess the relationship at the original tier. The cadence, the evidence requirements, and the approval ladder all stay misaligned with the actual risk exposure. Periodic tier-review against the live integration map is part of the programme, not a one-off onboarding event.

The vendor SOC 2 report is the assessor-validated control evidence for the vendor service. Your own SOC 2 audit reads the vendor relationship through subservice organisation controls or carved-out controls. They are different artefacts in different audits. Programmes that paste vendor SOC 2 reports into their own audit evidence pack without recording the complementary user entity controls (CUECs) overstate their own coverage. The discipline is mapping vendor CUECs onto the buyer-side control library so the audit chain stays defensible.

Vendors change sub-processors (a SaaS supplier adopts a new infrastructure provider, a payments processor adds a fraud-detection partner, an AI model provider switches inference backends). Each change introduces fourth-party risk into the buying organisation. Programmes that read sub-processor lists only at annual recertification miss disclosures the vendor made via email in between. The intake rule has to capture sub-processor change notifications as in-cycle findings on the engagement so the residual rating gets a refresh trigger rather than waiting for the next cycle.

The vendor risk register reads the residual rating, the open commitments, and the exception backlog by vendor. The wider enterprise risk register reads the risk landscape by business risk theme (data protection, operational resilience, third-party concentration, regulatory exposure). Programmes that operate the two registers independently end up with vendor risks that no enterprise risk theme tracks. The reconciliation cadence rolls vendor-level findings into enterprise risk themes so the audit committee reads one risk picture rather than two parallel views.

How a new vendor enters the programme: the named business owner inside the buying organisation, the named security counterpart on the vendor side, the contract reference, the data-handling scope, the system-impact scope, the proposed assessment tier, and the requested evidence list. Without an intake rule, vendors get onboarded by procurement before the security team sees the contract, and the first assessment cycle catches up with a production deployment already in flight.

The tiering definition: tier 1 for data-processing or production-access vendors, tier 2 for limited-scope vendors that touch internal systems but not customer data, tier 3 for low-risk vendors. Tiers carry their own cadence, evidence requirements, approval ladder, and notification expectations. Programmes that operate one cadence for every vendor either overspend on tier 3 assessment effort or underspend on tier 1 attestation freshness.

How recent each attestation has to be to support an approval: SOC 2 Type II reports within the documented window, ISO 27001 certificates with a documented surveillance audit since last cycle, penetration test reports within the documented test cadence, SBOMs updated against the current product version, sub-processor lists with a documented review date. Programmes that stockpile stale attestations create audit-cycle scrambles; programmes with a freshness policy refresh evidence before the auditor reads it.

Who signs off on what: tier 1 vendors at medium or higher residual require security director and business owner co-sign, tier 2 vendors at high residual require the same, tier 3 vendors at low residual approve by the GRC reviewer alone. The ladder lives on the engagement record so role changes, vacation cover, and reorganisations land as a single mapping update rather than a per-vendor propagation problem.

How vendor security incidents enter the programme: notification intake within the documented hours, the buyer-side response action recorded on the engagement, the vendor remediation commitment captured as a finding with a target date, and the closure evidence required before the commitment is marked complete. Programmes that record notifications without commitment tracking cannot demonstrate continuous monitoring under NIS2 Article 21, DORA Article 28, or NIST SP 800-161 expectations.

How a vendor relationship closes: the trigger event, the data-return or data-destruction attestation with named signatory, the credential-revocation evidence with timestamp, the access-removal evidence covering both human and service accounts, the sub-processor unwind plan, and the post-exit retention obligations recorded against the engagement. Without an exit rule, decommissioning happens silently and the audit lookback cannot demonstrate the supplier relationship closed on a documented baseline.

Vendor risk management depends on control mapping cross-framework crosswalks (the canonical control library that vendor attestations map onto), compliance audits (the assessor-facing event that reads the supplier control set), third-party penetration test report intake (the operational workflow for a single vendor pentest report), and audit evidence retention and disposal (the lifecycle that keeps the underlying attestations available with the right freshness).

Vendor risk findings roll up into the security leadership reporting workflow where vendor coverage, attestation freshness, and incident notification volume become headline indicators on the monthly and quarterly leadership cadences. The exception management workflow holds the granted exceptions the residual rating references when a vendor is approved with conditions, the outbound questionnaire response workflow uses the same control library in reverse, and the SBOM management and VEX publishing workflow consumes inbound vendor SBOMs as part of the assessment evidence.

Vendor tiers are reviewed against the live integration map and updated when use cases expand. A tier-3 vendor that grows into a tier-1 production data processor gets re-tiered and the cadence, evidence requirements, and approval ladder shift with the tier change rather than staying anchored to onboarding.

The freshness policy is enforced at intake. Stale SOC 2 reports, lapsed ISO 27001 certificates, and aged pentest reports trigger a re-request before they reach the recommendation. The audit-cycle scramble that comes from stockpiled attestations stays in the past.

Qualified opinions, vendor pentest findings, sub-processor changes, and incident notifications all land as structured findings on the vendor engagement with named owners and target dates. The next recertification reads the prior commitments rather than rediscovering the same gap.

The vendor record, the engagement-per-cycle, the attestation freshness register, the approval ladder, the incident notification log, and the exit engagement all read from the live record. ISO 27001, SOC 2, PCI DSS, NIST SP 800-161, NIS2, and DORA reads resolve from one record rather than a multi-system reconciliation sprint.