Vendor Security Assessment Scorecard
Domain Scores (1-5)
Business Context
Domain Scores
Domain Breakdown
Business Impact Assessment
Contractual Recommendations
| Risk Area↕ | Recommended Contract Clause | Priority↕ |
|---|---|---|
| Access Control | Require vendor to provide annual access review reports and implement MFA for all administrative access. | MEDIUM |
| Encryption | Require encryption standards documentation and annual cryptographic review. Ensure key management follows NIST SP 800-57. | MEDIUM |
| Incident Response | Require vendor to notify within 48 hours of security incidents and provide post-incident reports. | MEDIUM |
| Compliance | Require vendor to maintain industry-relevant compliance certifications and provide annual audit reports. | MEDIUM |
| Data Handling | Require vendor to maintain data handling procedures and provide data flow diagrams for shared data. | MEDIUM |
| Network Security | Require vendor to conduct regular vulnerability scans and patch critical vulnerabilities within 30 days. | MEDIUM |
Minimum Requirements Checklist
Recommendations
Third-party vendors are now one of the most common breach vectors, so a consistent, defensible way to score their security is essential to any TPRM program. This scorecard rates a vendor across six weighted domains, applies bonus and penalty adjustments for certifications and testing, and produces an overall 0-100 score, a risk tier, and contract clauses to demand where the vendor falls short.
Formula
Overall = (Σ(score × weight) / (ΣweightX5)) × 100 + adjustments
- score
- Each domain rated 1-5 across the six security domains
- weight
- Domain importance (access control 20, encryption 18, compliance 17, the rest 15)
- adjustments
- Bonuses and penalties: SOC 2 +5, data residency +3, annual pentest +4 / none −5, SLA ≥99.9% +3 / <99% −3
- Overall
- Final 0-100 score clamped to that range, mapped to a risk tier
How it works
- Rate the vendor 1-5 on six domains — access control (weight 20), encryption (18), compliance (17), incident response (15), data handling (15), and network security (15) — and provide SLA availability, SOC 2 status, data-residency compliance, and penetration-testing cadence.
- Domain scores are weighted and normalized to a 0-100 base, then adjusted: +5 for SOC 2 certification, +3 for data residency, +4 for annual penetration testing (or −5 for none), and ±3 for SLA availability above 99.9% or below 99%.
- The final score maps to a risk tier (low 80+, medium 60-79, high 40-59, critical under 40), flags any domain below its minimum threshold, and generates severity-ranked recommendations and contractual clauses.
Worked example
A vendor scores 4 on access control, 4 encryption, 3 incident response, 4 compliance, 3 data handling, and 3 network security, is SOC 2 certified, data-residency compliant, runs annual pentests, and offers 99.95% SLA.
- Weighted sum: (4×20)+(4×18)+(3×15)+(4×17)+(3×15)+(3×15) = 355 against a maximum of 100×5 = 500.
- Base score: (355 / 500) × 100 = 71.0.
- Adjustments: +5 (SOC 2) +3 (residency) +4 (pentest) +3 (SLA ≥99.9%) = +15, giving 71 + 15 = 86.
An overall vendor score of 86, placing the vendor in the Low risk tier, with all six domains meeting their minimum thresholds.
Frequently asked questions
- What does the risk tier tell me?
- The tier translates the numeric score into a decision signal: low risk (80+) vendors are generally acceptable, medium (60-79) warrant added contractual controls, high (40-59) need a remediation plan, and critical (under 40) should prompt reconsideration or strict compensating controls.
- Why is access control weighted most heavily?
- Weak access control is the root cause of a large share of third-party breaches, so it carries the highest weight (20), followed by encryption (18) and compliance (17). The weighting ensures a vendor cannot earn a strong score while neglecting the most consequential domain.
- How do certifications and pentesting change the score?
- They apply additive adjustments to the weighted base: SOC 2 certification adds 5 points, verified data residency adds 3, and annual penetration testing adds 4 (while never testing subtracts 5). High SLA availability adds 3 and low availability subtracts 3.
- What are the contractual recommendations for?
- When a domain scores at or below its threshold, the tool suggests specific clauses to negotiate into the contract — for example, mandating RBAC with quarterly access reviews for weak access control — so risk is addressed legally as well as technically.