Every framework — SOC 2, ISO 27001, HIPAA, PCI DSS — expects you to manage the risk your vendors introduce. For a small company that usually starts (and ends) as a neglected spreadsheet. Here’s a lightweight approach that satisfies auditors and actually gets maintained.
Why third-party risk is in scope
Your security is only as strong as the vendors who touch your data. If your email provider, cloud host, or analytics tool is breached, your customers’ data can be exposed through them. That’s why frameworks require due diligence before you onboard a vendor and ongoing review after.
Step 1: Inventory your vendors
List every third party that stores, processes, or can access customer data or production systems. Don’t boil the ocean — focus on the ones that matter. For each, capture what data they access and how critical they are to your operation.
Step 2: Tier by criticality
Not every vendor deserves the same scrutiny. Tier them:
- Critical — direct access to customer data or production (cloud host, database provider). Review most often.
- High / Medium — meaningful but bounded access.
- Low — minimal or no sensitive data.
Tiering lets you spend your limited time where the risk actually is.
Step 3: Set a review cadence
Assign a review frequency by tier — for example critical vendors every quarter, lower tiers annually. The point is that reviews happen on a schedule and overdue ones get surfaced, rather than being remembered only during an audit.
At review time, confirm the vendor still warrants its access, check that their own security attestations (e.g. their SOC 2 report) are still current, and record the outcome.
Step 4: Keep the evidence
Auditors want to see the inventory, the tiers, and records of reviews for critical vendors. Capture each review with a date and outcome so the evidence exists without a scramble.
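As an added example (not Keel's code and not from the original article), a small Python script that carries Steps 1 to 4 as data: a tiered inventory, a review cadence per tier, and a check that surfaces overdue and never-reviewed vendors with the most critical first. The cadence values, vendor names, and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review cadence per criticality tier, in days. Assumed values that mirror the
# article's example: critical vendors quarterly, lower tiers less often.
CADENCE_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 365}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Vendor:
    name: str
    tier: str
    data_accessed: str            # what the vendor stores, processes, or can reach
    last_reviewed: Optional[date]  # None means the vendor has never been reviewed


def review_status(vendor: Vendor, today: date) -> str:
    """Return 'never_reviewed', 'overdue', or 'current' for one vendor."""
    if vendor.tier not in CADENCE_DAYS:
        raise ValueError(f"unknown tier {vendor.tier!r} for {vendor.name}")
    if vendor.last_reviewed is None:
        return "never_reviewed"
    due = vendor.last_reviewed + timedelta(days=CADENCE_DAYS[vendor.tier])
    return "overdue" if today > due else "current"


def flag_reviews(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (name, status) for every vendor needing attention, most critical first."""
    flagged = [(v, review_status(v, today)) for v in vendors]
    flagged = [(v, s) for v, s in flagged if s != "current"]
    flagged.sort(key=lambda pair: TIER_ORDER[pair[0].tier])
    return [(v.name, s) for v, s in flagged]


# Constructed sample inventory (hypothetical vendors, not real data).
SAMPLE_VENDORS = [
    Vendor("cloud-host", "critical", "production, customer data", date(2024, 1, 10)),
    Vendor("email-provider", "high", "customer email addresses", date(2024, 3, 1)),
    Vendor("analytics-tool", "medium", "pseudonymous usage events", None),
    Vendor("office-supplies", "low", "none", date(2023, 9, 1)),
]
TODAY = date(2024, 5, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for name, status in flag_reviews(SAMPLE_VENDORS, TODAY):
        print(f"{name}: {status}")
```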
What good looks like
- A single source of truth for vendors, not five spreadsheets.
- Clear criticality tiers.
- A cadence that flags overdue reviews automatically.
- A trail of completed reviews as evidence.
How Keel helps
Keel’s vendor module lets you track third parties by criticality with built-in review cadences (critical every 90 days, high 180, and so on), flags anything overdue or never reviewed, and keeps the review history as evidence. It sits on the same graph as your controls and evidence, so vendor risk is part of your program instead of a side spreadsheet.
Start free and get your third-party risk under control.