IT Vendor Risk Assessment Form
Evaluate third-party IT vendors across key risk domains to ensure compliance and security.
Vendor Name (required)

Vendor Contact Person (required)

Service(s) Provided by Vendor (required)

What type of data will the vendor access? (required)
  - No data access
  - Public data only
  - Internal business data
  - Confidential/regulated data (e.g., PII, PHI)

What level of system access will the vendor have? (required)
  - No system access
  - User-level access (no admin rights)
  - Admin-level access
  - Remote access (VPN/RDP)
Security Controls Assessment (required)
Rate each control area as Not Present, Partially Implemented, Fully Implemented, or Not Applicable (one selection per row):

  Control area        | Not Present | Partially Implemented | Fully Implemented | Not Applicable
  --------------------|-------------|-----------------------|-------------------|---------------
  Access Controls     |     ( )     |          ( )          |        ( )        |      ( )
  Encryption          |     ( )     |          ( )          |        ( )        |      ( )
  Network Security    |     ( )     |          ( )          |        ( )        |      ( )
  Incident Response   |     ( )     |          ( )          |        ( )        |      ( )
  Employee Training   |     ( )     |          ( )          |        ( )        |      ( )
Has the vendor experienced any security incidents in the past 3 years? (required)
  - No incidents reported
  - Yes, minor incidents (no data loss)
  - Yes, major incidents (data breach or loss)

Compliance Certifications Held by Vendor (required)
  - ISO 27001
  - SOC 2
  - GDPR
  - HIPAA
  - None
  - Other

Does the vendor use subcontractors for any part of the service? (required)
  - No subcontractors used
  - Yes, with prior approval
  - Yes, without prior approval

Does the vendor have a documented business continuity and disaster recovery plan? (required)
  - Yes, regularly tested
  - Yes, but not regularly tested
  - No documented plan

Overall Risk Rating for This Vendor (required)
  Scale of 1 to 5: 1 / 2 / 3 / 4 / 5

Summary of Assessment and Recommendation