Third-Party Risk

Vendor Risk Assessment

Score vendors on exposure (data sensitivity × criticality) and security posture (six weighted domains), tier them, drive reassessment cadence — with BAA/DPA tracking for HIPAA programs.

$299 one-time · instant download · free updates
What you get
  • 6-tab Excel workbook
  • Exposure × posture → risk score & tier
  • Reassessment cadence & overdue flags
  • BAA / DPA tracking for HIPAA programs
  • Auto vendor scorecard dashboard
  • Mapped to SOC 2, ISO 27001, HIPAA
How it works

Evidence in. Ratings out. Automatically.

A vendor's risk is the exposure they represent and how well they control it. This assessment scores both, combines them on the same 1–25 scale as the risk register, and lets the tier drive how often you reassess — so the riskiest vendors get looked at most often.

Input: Exposure (data × criticality) → Input: Posture (6 domains) → Risk Score = Exp × (6 − Posture) → Risk Tier (band) → Reassess (cadence by tier)

Every number is a formula over your inputs — not a workshop opinion. Change an input and the ratings move. That's what makes the output defensible.
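As an added illustration, the Python below models that pipeline end to end: exposure from data sensitivity and criticality, a weighted posture score over six domains, Risk Score = Exp × (6 − Posture), a tier band, a reassessment due date with an overdue flag, a missing-BAA flag, and the scorecard rollup. It is not the workbook's own formulas, which the page does not publish: the 1–5 rating scales, the banding of exposure to 1–5 so the score lands on the 1–25 register scale, the domain names and weights, the tier bands and cadences, and the three sample vendors are all assumptions.

```python
"""Vendor risk scoring in the shape the page describes (added example).

The page gives the formula shape but not its scales, weights or bands, so every
numeric constant below is an assumption to be calibrated by the program owner.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights for six posture domains (sum to 1.0); the workbook's real
# weights live on its Scoring Reference tab.
POSTURE_WEIGHTS = {
    "access_control": 0.20,
    "data_protection": 0.20,
    "incident_response": 0.15,
    "vulnerability_mgmt": 0.15,
    "business_continuity": 0.15,
    "subprocessor_mgmt": 0.15,
}

# Assumed tier bands on the 1-25 risk scale: (score floor, tier, cadence days).
TIER_BANDS = [(15, "Critical", 90), (10, "High", 180), (5, "Medium", 365), (1, "Low", 730)]


def _rating(value: int) -> int:
    """Every input rating is 1-5; the dropdowns in the workbook enforce this."""
    if not 1 <= value <= 5:
        raise ValueError(f"rating must be 1-5, got {value}")
    return value


def exposure_band(sensitivity: int, criticality: int) -> int:
    """Exposure = data sensitivity x criticality (1-25), banded to 1-5 so that
    Exp x (6 - Posture) stays on the 1-25 register scale (assumed banding)."""
    product = _rating(sensitivity) * _rating(criticality)
    return (product - 1) // 5 + 1


def domain_ratings(*values: int) -> dict:
    """Pair six ratings with the domain names in POSTURE_WEIGHTS order."""
    return dict(zip(POSTURE_WEIGHTS, values))


def posture_score(domains: dict) -> float:
    """Weighted posture on a 1-5 scale; 5 means the strongest controls."""
    if set(domains) != set(POSTURE_WEIGHTS):
        raise ValueError("all six posture domains must be rated")
    return round(sum(POSTURE_WEIGHTS[d] * _rating(v) for d, v in domains.items()), 2)


def risk_score(exposure: int, posture: float) -> float:
    """Risk = Exposure x (6 - Posture): weak posture leaves exposure uncontrolled."""
    return round(exposure * (6 - posture), 1)


def tier_for(score: float) -> tuple:
    """Return (tier, reassessment cadence in days) for a risk score."""
    for floor, tier, days in TIER_BANDS:
        if score >= floor:
            return tier, days
    return TIER_BANDS[-1][1], TIER_BANDS[-1][2]


@dataclass
class Vendor:
    name: str
    sensitivity: int
    criticality: int
    domains: dict
    handles_phi: bool      # touches PHI, so a HIPAA program needs a signed BAA
    baa_signed: bool
    last_assessed: date


def assess(vendor: Vendor, today: date) -> dict:
    """One Vendor Assessment row: every output is a formula over the inputs."""
    exposure = exposure_band(vendor.sensitivity, vendor.criticality)
    posture = posture_score(vendor.domains)
    score = risk_score(exposure, posture)
    tier, cadence = tier_for(score)
    due = vendor.last_assessed + timedelta(days=cadence)
    return {"vendor": vendor.name, "exposure": exposure, "posture": posture,
            "risk_score": score, "tier": tier, "reassess_due": due,
            "overdue": today > due,
            "missing_baa": vendor.handles_phi and not vendor.baa_signed}


def scorecard(rows: list) -> dict:
    """Vendor Scorecard rollup: tier distribution, top-risk vendors, missing BAAs."""
    tiers: dict = {}
    for r in rows:
        tiers[r["tier"]] = tiers.get(r["tier"], 0) + 1
    ranked = sorted(rows, key=lambda r: r["risk_score"], reverse=True)
    return {"tier_distribution": tiers,
            "top_risk": [r["vendor"] for r in ranked[:3]],
            "missing_baa_count": sum(r["missing_baa"] for r in rows)}


# Constructed sample vendors (fictional names and ratings).
SAMPLE_VENDORS = [
    Vendor("Cloud EHR host", 5, 5, domain_ratings(3, 2, 3, 2, 3, 2), True, False, date(2024, 1, 15)),
    Vendor("Billing clearinghouse", 5, 3, domain_ratings(4, 4, 4, 4, 3, 3), True, True, date(2023, 12, 1)),
    Vendor("Marketing email tool", 2, 2, domain_ratings(4, 4, 4, 4, 4, 4), False, False, date(2024, 1, 15)),
]


def run_sample(today: date = date(2024, 6, 1)) -> tuple:
    """Score the sample vendors as of a fixed date and build the scorecard."""
    rows = [assess(v, today) for v in SAMPLE_VENDORS]
    return rows, scorecard(rows)


if __name__ == "__main__":
    rows, card = run_sample()
    for r in rows:
        print(f"{r['vendor']:<22} exp={r['exposure']} post={r['posture']:.2f} "
              f"risk={r['risk_score']:>5} {r['tier']:<8} due={r['reassess_due']} "
              f"overdue={r['overdue']} missing_baa={r['missing_baa']}")
    print(card)
```

Changing any shaded-style input (a domain rating, the BAA flag, the last-assessed date) moves the score, tier, due date and flags deterministically, which is the property the page calls defensible; the constants are the knobs a program owner calibrates, not facts about the workbook.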

What's inside

Six tabs from intake to scorecard.

Vendor Assessment

One row per vendor: exposure, six weighted posture domains, risk score and tier, BAA/DPA, reassessment-due and overdue flags — all calculated.

Scoring Reference

Exposure factors, posture-domain weights, and tier bands your team calibrates to.

Vendor Scorecard

Auto tier distribution, vendors by data sensitivity, top-risk vendors, and missing-BAA count.

Compliance Mapping

How the program supports SOC 2, ISO 27001, and HIPAA.

Glossary

Every column heading defined, with a Source column.

Start Here

A five-step walkthrough and worked examples.

Built to be evidence

Numbers you can put in front of an auditor

Deterministic, not guessed

Every rating is a transparent formula over your inputs, so it holds up when someone asks "why is this rated this way?"

Traceable to evidence

Ratings trace back to the inputs that produced them — the audit story is built in, not reconstructed after the fact.

Maps to your frameworks

A built-in Compliance Mapping tab cross-walks the program to SOC 2, ISO 27001, HIPAA, and DORA third-party requirements.

Related: Integrating Risk Assessments and The Connected GRC Model.

FAQ

Before you buy

What format is it?

A single Microsoft Excel workbook (.xlsx). It recalculates on open — no macros, no add-ins, no subscription. Also opens in Google Sheets and LibreOffice.

Is it hard to use?

No. You fill the shaded input cells; the white cells calculate. Dropdowns prevent bad entries, the Start Here tab walks you through it, and it ships with worked examples you delete before use.

Can I use it with clients?

Yes — internally or in client engagements. You can't resell the template itself as a template.

Need it tailored?

If you need it adapted to a specific framework, org size, or regulator, get in touch — customization and advisory are available.

Tier your vendors by exposure and posture

A defensible vendor risk score, the right reassessment cadence, and BAA/DPA tracking built in.

Get the Workbook — $299 Or get all 7 in the Bundle ($1,797)