
Vendor Risk Calculator

Rate a third-party vendor's risk from the sensitivity of the data they access, how deeply they integrate with your systems, the certifications they hold, and how critical they are to your business. The risk tier and recommended due diligence update as you make your selections.

How the score works, and its limits

We assign points across four factors: data sensitivity, depth of system access, business criticality, and certification status. The first three measure inherent risk; higher points mean higher risk. A recognized, reviewed certification reduces the score because it is independent evidence that controls exist and were tested, but it counts only for the systems and services inside the report's stated scope. This is a triage aid to help you right-size due diligence, not a substitute for a real vendor assessment. It does not account for the vendor's geography, breach history, or fourth-party dependencies, all of which can matter.

Questions

What makes a vendor high risk?

The biggest drivers are how sensitive the data they access is, how deeply they integrate with your systems, and how critical they are to your operations. A vendor with broad access to customer data and no recognized certification is the classic high-risk case.

Do certifications like SOC 2 lower vendor risk?

Yes. A current SOC 2 Type II report or ISO 27001 certificate is independent evidence that the vendor operates real controls, so it lowers the residual risk. It does not eliminate it. Read the report rather than accepting the logo: confirm that the scope (the system description in a SOC 2 report, or the scope statement on an ISO 27001 certificate) covers the service you are actually buying, that the review period is current, and check the auditor's opinion and any noted exceptions.

How should I use the risk tier?

Use it to right-size due diligence. Low-risk vendors may need only a basic review, while high-risk vendors warrant a security questionnaire, evidence review, contractual security terms (such as breach notification and audit rights), and periodic reassessment.

How often should vendors be reassessed?

Reassess high-risk vendors at least annually, and whenever their access or your relationship changes materially or they disclose a security incident. Lower-risk vendors can be reviewed on a longer cycle.

Is this calculator free?

Yes, it is free with no signup. If you need a full third-party risk program or vendor assessment, our team can help.

Build a vendor risk program that holds up.

Auditors and enterprise customers will ask how you vet your vendors. We help you stand up third-party risk management as part of your SOC 2 and security program.
