
Vendor risk assessment: a step-by-step process

Procurement · 7-min read · updated June 2026

A good vendor risk assessment isn’t a 300-question spreadsheet — it’s a tight, evidence-backed process: ask the right questions, verify the software independently, and write down the decision. Five steps.

The process

1. Scope the assessment

Define what you’re buying, what data it touches, and which product/version you’d run. Scope sets how thorough the review needs to be.

2. Send the questionnaire

Cover security, compliance and operations. Use a focused set (you don’t need 300 questions) and ask for evidence — certificates, a SOC 2 report, a pen-test summary.

3. Independently verify the software

This is the step most processes skip. Check the exact product and version you'd run against known vulnerabilities (CVE records), active exploitation (the CISA Known Exploited Vulnerabilities catalogue) and end-of-life status. These are facts the vendor's answers can't establish, and they are version-specific: a KEV entry names a product, not a version, so confirm the affected range in the CVE itself, and a version that is already end-of-life will get no fix for the next one.

4. Score and document residual risk

Combine the self-reported answers and the verified findings — kept separate, not blended — into a clear picture: what’s solid, what’s a gap, what’s the residual risk.

5. Decide and record sign-off

Approve, approve-with-conditions, or reject — and record who decided, when, and on what evidence. Keep it for the procurement file and re-assessment.

Keep the two origins separate. Self-reported answers and independently-verified findings should never be blended into one score — that launders unverified claims. Record them side by side. IsItPatched does this for you.
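The five steps as one small, runnable assessment record, added here as an example rather than the page's or IsItPatched's own code. The KEV entries mirror the field names of the public CISA KEV JSON feed but are constructed, with a placeholder CVE ID; the end-of-life table, the vendor "ExampleCo" / "Widget Server", the questionnaire items and the decision rules in decide() are all assumptions. The point it shows is the one the paragraph above makes: self-reported answers and verified findings live in separate fields all the way into the sign-off record, and an answer with no evidence attached becomes a condition rather than a point of credit.

```python
"""Vendor assessment: scope, questionnaire, independent verification, residual
risk with the two evidence origins kept apart, and a recorded decision.
Example code; all data below is constructed, not real feed data."""
from dataclasses import dataclass, field
from datetime import date

# Constructed records shaped like the public CISA KEV JSON feed
# (cveID / vendorProject / product / dateAdded / dueDate / requiredAction).
# The CVE ID is a placeholder, not a real vulnerability.
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo",
         "product": "Widget Server", "dateAdded": "2026-03-02",
         "dueDate": "2026-03-23",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
}

# Constructed end-of-life table (assumption): (vendor, product, major) -> EOL date
EOL_TABLE = {
    ("exampleco", "widget server", 2): date(2025, 12, 31),
    ("exampleco", "widget server", 3): date(2028, 6, 30),
}


@dataclass
class Assessment:
    vendor: str
    product: str
    version: str
    data_classes: list                                   # step 1: what it touches
    self_reported: dict = field(default_factory=dict)    # step 2: question -> (answer, evidence or None)
    verified: dict = field(default_factory=dict)         # step 3: check -> finding
    decision: dict = field(default_factory=dict)         # step 5: sign-off record


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def kev_hits(vendor, product, kev=KEV_SNAPSHOT):
    """KEV entries for this vendor/product. KEV has no version field, so a
    hit means 'some version has been exploited in the wild'; the affected
    range still has to be confirmed in the CVE record itself."""
    return [e for e in kev["vulnerabilities"]
            if e["vendorProject"].lower() == vendor.lower()
            and e["product"].lower() == product.lower()]


def eol_status(vendor, product, version, today, table=EOL_TABLE):
    """'end-of-life', 'supported until YYYY-MM-DD', or 'unknown' (not tracked)."""
    major = parse_version(version)[0]
    eol = table.get((vendor.lower(), product.lower(), major))
    if eol is None:
        return "unknown"
    return "end-of-life" if eol <= today else "supported until " + eol.isoformat()


def verify(a, today):
    """Step 3: facts established independently of the questionnaire."""
    a.verified["kev"] = [e["cveID"] for e in kev_hits(a.vendor, a.product)]
    a.verified["eol"] = eol_status(a.vendor, a.product, a.version, today)
    # An answer without evidence is recorded as unverified, not as a pass.
    a.verified["unevidenced_answers"] = [q for q, (_, ev) in a.self_reported.items()
                                         if ev is None]
    return a.verified


def decide(a, approver, today):
    """Steps 4 and 5. Hypothetical policy (assumption, not the page's rule):
    end-of-life is a reject; a KEV hit or an unevidenced answer is a condition."""
    v = a.verified
    conditions = []
    if v["eol"] == "end-of-life":
        outcome = "reject"
    else:
        if v["kev"]:
            conditions.append("provide fixed versions for " + ", ".join(v["kev"]))
        conditions += ["evidence required: " + q for q in v["unevidenced_answers"]]
        outcome = "approve-with-conditions" if conditions else "approve"
    a.decision = {"outcome": outcome, "conditions": conditions,
                  "by": approver, "on": today.isoformat(),
                  # the two origins stay side by side in the record
                  "evidence": {"self_reported": dict(a.self_reported),
                               "verified": dict(v)}}
    return a.decision


def run_example(version="3.1.0", today=date(2026, 6, 17)):
    """Constructed scenario: same vendor answers, two candidate versions."""
    a = Assessment("ExampleCo", "Widget Server", version, ["customer PII"])
    a.self_reported = {
        "MFA enforced for admin access": ("yes", "SOC 2 Type II report"),
        "Annual third-party pen test": ("yes", None),   # claimed, no evidence
    }
    verify(a, today)
    decide(a, "security-lead", today)
    return a


if __name__ == "__main__":
    for ver in ("3.1.0", "2.4.1"):
        print(ver, run_example(ver).decision)
```

Running it on the constructed data yields approve-with-conditions for 3.1.0 (a KEV match to chase down and one unevidenced answer) and reject for 2.4.1 (end-of-life). Against the real feed you would swap KEV_SNAPSHOT for the downloaded JSON and EOL_TABLE for whatever lifecycle source you track; the structure of the record does not change.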


Frequently asked questions

What is a vendor risk assessment?

A vendor (or supplier) risk assessment evaluates the security, compliance and operational risk of a product or service before you buy it. It typically combines a self-reported questionnaire with independent verification, then a documented decision.

What are the steps in a vendor risk assessment?

Scope the assessment; send a security/compliance/operations questionnaire and request evidence; independently verify the software (known vulnerabilities, active exploitation, end-of-life); score and document residual risk; then decide and record sign-off.

How long should it take?

For a low-tier vendor, an hour. For a critical vendor, days to weeks depending on how fast they return evidence (SOC 2 report, pen-test summary). The independent software checks are instant if the product is tracked.

Can I do this for free?

Yes. IsItPatched gives you a free vendor assessment that pairs the questionnaire with independently-verified vulnerability data and lets you export the combined picture — no login to start.

This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.
