8 Documents

Third-Party & Vendor Management

Comprehensive vendor risk management documentation for assessing, monitoring, and managing third-party security and compliance risks.

Frameworks covered: SOC 2, ISO 27001, GDPR, HIPAA

Vendor Assessment

Vendor Risk Management Policy

Required

Comprehensive policy defining vendor risk assessment, classification, due diligence requirements, and ongoing monitoring procedures based on risk tier.

Control mappings: SOC 2 CC9.2; ISO 27001 A.15; NIST ID.SC
Applies to: All organizations using vendors. Price: $247

Vendor Security Questionnaire

Critical

Comprehensive security assessment questionnaire based on SIG Lite covering security controls, compliance certifications, incident history, and data handling.

Control mappings: SOC 2 CC9.2; ISO 27001 A.15.1
Applies to: Per vendor assessment. Price: $197

Vendor Risk Assessment Template

Per Vendor

Standardized risk assessment template for evaluating vendor inherent risk, control effectiveness, and residual risk with scoring methodology.

Control mappings: SOC 2 CC3.2; NIST RA-3
Applies to: All critical vendors. Price: $147

Vendor Inventory & Classification

Quarterly Update

Template for maintaining vendor inventory with risk classification (Critical, High, Medium, Low) and data access categorization.

Control mappings: SOC 2 CC9.2; ISO 27001 A.15.1.1
Applies to: All organizations. Price: $97

Contracts & Agreements

Vendor Security Requirements Addendum

Contract Required

Security addendum for vendor contracts specifying security controls, audit rights, incident notification, data handling, and termination requirements.

Control mappings: SOC 2 CC9.2; ISO 27001 A.15.1.2
Applies to: All vendor contracts. Price: $247

Non-Disclosure Agreement (NDA)

Required

Mutual and one-way NDA templates for protecting confidential information shared with vendors, including definition of confidential information and obligations.

Control mappings: SOC 2 C1.1; ISO 27001 A.13.2.4
Applies to: All vendor relationships. Price: $147

Business Associate Agreement (BAA)

HIPAA Required

HIPAA-compliant BAA for vendors handling Protected Health Information (PHI), including permitted uses, safeguard requirements, and breach notification.

Control mappings: HIPAA §164.504
Applies to: Healthcare vendors with PHI access. Price: $297

Ongoing Management

Vendor Review & Monitoring Procedures

Annual for Critical

Procedures for ongoing vendor monitoring including SOC report review, compliance certificate tracking, performance metrics, and reassessment triggers.

Control mappings: SOC 2 CC9.2; ISO 27001 A.15.2
Applies to: All organizations with vendors. Price: $147

Vendor Risk Tiers

| Risk Tier | Criteria | Assessment | Review Frequency |
|-----------|----------|------------|------------------|
| Critical | Access to sensitive data, critical systems, or customer-facing | Full questionnaire + SOC 2/ISO review + onsite (optional) | Annual |
| High | Limited sensitive data or internal system access | Full questionnaire + compliance review | Annual |
| Medium | No sensitive data, limited system access | Abbreviated questionnaire | Every 2 years |
| Low | No data access, commoditized services | Self-attestation | Every 3 years |

Vendor Management Bundle

All 8 vendor management documents with implementation guides.

Bundle price: $897 (vs. $1,526 when purchased individually)
Save 41% vs. individual purchase

Review SOC Reports

For critical vendors, always obtain and review their SOC 2 Type II report. Document any CUECs (Complementary User Entity Controls) that apply to you.

Key Requirements

  • Assess before onboarding
  • Include security in contracts
  • Monitor ongoing compliance
  • Document all assessments

Important Notice

These templates provide a starting point for vendor management programs. Adjust risk criteria and assessment depth based on your industry, data sensitivity, and regulatory requirements.

Need Help with Vendor Risk Management?

Our team can help you build a vendor management program, conduct assessments, and ensure your third-party risk is properly managed.