Vendor Security Assessment Scorecard

Domain Scores (1-5)

3/5
3/5
3/5
3/5
3/5
3/5
%
Data Residency Compliant
SOC 2 Certified
Penetration Testing

Business Context

Data Sensitivity
Integration Depth
Business Criticality
$
Unnamed Vendor — Overall Score75/100
Risk Tiermedium
Minimum ThresholdsPASS

Domain Scores

Access ControlEncryptionIncident ResponseComplianceData HandlingNetwork Security0245

Domain Breakdown

Access Control3/5
Encryption3/5
Incident Response3/5
Compliance3/5
Data Handling3/5
Network Security3/5

Business Impact Assessment

Estimated Financial Impact$30,625.00
Overall Risk LevelLow Risk
Operational Impact: Moderate — some business processes affected
Data Exposure Risk: High — sensitive/regulated data shared with vendor
Recovery Difficulty: Manageable — limited integration allows faster vendor replacement

Contractual Recommendations

Risk AreaRecommended Contract ClausePriority
Access ControlRequire vendor to provide annual access review reports and implement MFA for all administrative access.MEDIUM
EncryptionRequire encryption standards documentation and annual cryptographic review. Ensure key management follows NIST SP 800-57.MEDIUM
Incident ResponseRequire vendor to notify within 48 hours of security incidents and provide post-incident reports.MEDIUM
ComplianceRequire vendor to maintain industry-relevant compliance certifications and provide annual audit reports.MEDIUM
Data HandlingRequire vendor to maintain data handling procedures and provide data flow diagrams for shared data.MEDIUM
Network SecurityRequire vendor to conduct regular vulnerability scans and patch critical vulnerabilities within 30 days.MEDIUM

Minimum Requirements Checklist

Access Control
3/5 (min: 3)
Encryption
3/5 (min: 3)
Incident Response
3/5 (min: 3)
Compliance
3/5 (min: 3)
Data Handling
3/5 (min: 3)
Network Security
3/5 (min: 3)

Recommendations

medium
Access Control
Access Control score (3/5) is average. Consider requesting improvement roadmap.
medium
Encryption
Encryption score (3/5) is average. Consider requesting improvement roadmap.
medium
Incident Response
Incident Response score (3/5) is average. Consider requesting improvement roadmap.
medium
Compliance
Compliance score (3/5) is average. Consider requesting improvement roadmap.
medium
Data Handling
Data Handling score (3/5) is average. Consider requesting improvement roadmap.
medium
Network Security
Network Security score (3/5) is average. Consider requesting improvement roadmap.

Third-party vendors are now one of the most common breach vectors, so a consistent, defensible way to score their security is essential to any TPRM program. This scorecard rates a vendor across six weighted domains, applies bonus and penalty adjustments for certifications and testing, and produces an overall 0-100 score, a risk tier, and contract clauses to demand where the vendor falls short.

Formula

Overall = (Σ(score × weight) / (ΣweightX5)) × 100 + adjustments

score
Each domain rated 1-5 across the six security domains
weight
Domain importance (access control 20, encryption 18, compliance 17, the rest 15)
adjustments
Bonuses and penalties: SOC 2 +5, data residency +3, annual pentest +4 / none −5, SLA ≥99.9% +3 / <99% −3
Overall
Final 0-100 score clamped to that range, mapped to a risk tier

How it works

  1. Rate the vendor 1-5 on six domains — access control (weight 20), encryption (18), compliance (17), incident response (15), data handling (15), and network security (15) — and provide SLA availability, SOC 2 status, data-residency compliance, and penetration-testing cadence.
  2. Domain scores are weighted and normalized to a 0-100 base, then adjusted: +5 for SOC 2 certification, +3 for data residency, +4 for annual penetration testing (or −5 for none), and ±3 for SLA availability above 99.9% or below 99%.
  3. The final score maps to a risk tier (low 80+, medium 60-79, high 40-59, critical under 40), flags any domain below its minimum threshold, and generates severity-ranked recommendations and contractual clauses.

Worked example

A vendor scores 4 on access control, 4 encryption, 3 incident response, 4 compliance, 3 data handling, and 3 network security, is SOC 2 certified, data-residency compliant, runs annual pentests, and offers 99.95% SLA.

  1. Weighted sum: (4×20)+(4×18)+(3×15)+(4×17)+(3×15)+(3×15) = 355 against a maximum of 100×5 = 500.
  2. Base score: (355 / 500) × 100 = 71.0.
  3. Adjustments: +5 (SOC 2) +3 (residency) +4 (pentest) +3 (SLA ≥99.9%) = +15, giving 71 + 15 = 86.

An overall vendor score of 86, placing the vendor in the Low risk tier, with all six domains meeting their minimum thresholds.

Frequently asked questions

What does the risk tier tell me?
The tier translates the numeric score into a decision signal: low risk (80+) vendors are generally acceptable, medium (60-79) warrant added contractual controls, high (40-59) need a remediation plan, and critical (under 40) should prompt reconsideration or strict compensating controls.
Why is access control weighted most heavily?
Weak access control is the root cause of a large share of third-party breaches, so it carries the highest weight (20), followed by encryption (18) and compliance (17). The weighting ensures a vendor cannot earn a strong score while neglecting the most consequential domain.
How do certifications and pentesting change the score?
They apply additive adjustments to the weighted base: SOC 2 certification adds 5 points, verified data residency adds 3, and annual penetration testing adds 4 (while never testing subtracts 5). High SLA availability adds 3 and low availability subtracts 3.
What are the contractual recommendations for?
When a domain scores at or below its threshold, the tool suggests specific clauses to negotiate into the contract — for example, mandating RBAC with quarterly access reviews for weak access control — so risk is addressed legally as well as technically.