Vendor Security Review
Definition
A vendor security review is a structured evaluation of a third party’s security and privacy practices to determine whether using that vendor introduces unacceptable risk to an organization’s systems, data, and operations. In a SOC 2 context, it supports the service organization’s responsibilities for managing risks arising from vendors and subservice organizations that can affect the relevant trust services criteria (such as security, availability, confidentiality, processing integrity, or privacy). A vendor security review typically includes risk tiering, scoping of services and data flows, review of security documentation and independent assurance reports, validation of key controls (for example, access control, encryption, incident response, vulnerability management, and business continuity), and documented decisions such as remediation requirements, compensating controls, or risk acceptance. The output is evidence that due diligence was performed, risks were assessed and tracked, and vendor commitments (including security requirements and notification obligations) are monitored over time. Comparable concepts exist in other assurance and governance approaches under third-party risk management, supplier security assessments, and outsourced service provider due diligence.
Real-World Examples
Startup SaaS procurement review
Before purchasing a new SaaS tool, the team reviews a security questionnaire, access model, encryption, and incident reporting terms.
Enterprise high-risk vendor assessment
A high-risk vendor handling sensitive data is tiered for deeper review, including assurance reports, penetration test summaries, and business continuity and disaster recovery evidence.
Ongoing monitoring and reassessment
Vendors are reassessed annually and upon major changes, with remediation tasks tracked until closure or until the remaining risk is formally accepted as residual risk.
A vendor security review is a due diligence process to evaluate a third party’s security controls, data handling, and operational resilience before and during the relationship.
A vendor security review focuses on security evidence and controls, while a vendor risk assessment combines that input with business impact, data sensitivity, and exposure to assign overall risk.
Common steps include vendor tiering, scoping services and data, collecting evidence, evaluating control gaps, documenting decisions, requiring remediation or compensating controls, and scheduling reassessments.
Typical requests include security policies, independent assurance reports, incident response summaries, business continuity and disaster recovery summaries, vulnerability management evidence, and details on access control, encryption, and subcontractors.
Include questions on data flows, authentication and authorization, encryption, logging and monitoring, incident response, change management, secure development, resilience, and how the vendor manages subcontractors.
Reassessment frequency is usually risk-based (for example, annually for high-risk vendors) and should also occur after material changes, security incidents, or major scope expansions.
Tiering typically considers data sensitivity, system access level, business criticality, regulatory exposure, and the vendor’s ability to impact confidentiality, integrity, or availability.
Validate scope and period, confirm relevant trust services criteria, review complementary user entity controls, assess exceptions and testing results, and map any gaps to required remediation or compensating controls.
Red flags include unclear data processing practices, weak access controls, missing incident notification commitments, limited logging, unresolved high-risk findings, and reliance on unassessed subcontractors.
Track each issue as a remediation action with an owner, a due date, and the date it was raised; collect closure evidence; and document any risk acceptance with its rationale, approvals, and review cadence for the residual risk.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |