Our Method

Organisations often look at cyber security only from within their own networks, but their partners, suppliers, and vendors can create just as much risk. Below we describe the steps we take to provide a fully managed vendor risk management service.

Step 1 – On-Boarding Meeting

In the first meeting we will learn about the organisation and discuss the vendor management project. Here we will decide on dates and deadlines for the project.

Step 2 – Vendor Landscape

In this phase we will build a clear picture of the customer's vendor landscape. We will create a list of all vendors the customer wants to monitor. This list will contain information such as:

– General company information.
– Contact information. (Person responsible)
– Types of data the vendor holds about your company.
– Business impact on the customer.
– Whether they have direct access to any part of your organisation.
– Whether the correct contracts are in place. (Check)
– Whether GDPR-related contracts are in place (GDPR processor contract). (Check)
– Any other special requirements.

From this list we can sort the companies into the following categories:

(If the customer already has set up a vendor list before, we will use this as a base.)

Step 3 – SLA & Compliance

After the vendor landscape has been correctly processed and categorised, we will set up an SLA framework for the customer's vendors. This will be tailor-made for the customer and depends on several factors, such as compliance standards and internal policies.

In this phase we will also determine how we communicate with the customer's vendors. The vendor management process will be laid out, and we will agree on the escalation paths and the SLAs from our side to the customer.

Step 4 – Managed Questionnaires

We will also look at any information that is needed for internal policies and compliance standards, such as ISO 27001. We will be able to automate and manage any questionnaires that are needed for these requirements. After we have received the information, we can verify it against any evidence provided and/or found during our scans.

Step 5 – Agreements & Approach

This is the final stage before the service starts. In this stage we will review all agreements and SLAs. After this stage we will jointly send out an introduction to the vendor. From this point the vendor will be officially introduced to us. When everything is set, we will start the service and all vendors will be scanned.

Step 6 – Service Start

From this point on, we will scan the vendors and communicate with them. If they drop below a certain score (SLA), we will engage and advise the vendor so that they can solve their issues. If a vendor has a critical issue, we will inform the customer. Depending on the vendor's category, we might advise temporarily stopping all services with the vendor.

Every month the customer will receive a full overview and detailed reports on all their vendors, including any escalations and cases.


Should a new vendor be in a selection procedure, we can provide a benchmark of the candidate vendors so the customer can make an informed decision.

Step 7 – Check-up

On a yearly basis we will schedule an update and health check session. In this yearly meeting we will go through the vendor list and SLA document to see if everything is still correct. We will also analyse the past year of service and go through the vendors' progress and potential future risks (e.g. steadily declining vendors).

With our service we mostly focus on 3rd party risk; however, in some cases it is also necessary to assess 4th party risk, for example when an enterprise-critical vendor has enlisted a subcontractor.

Our service is fully customised to the customer's needs and requirements, so please do not hesitate to discuss any other requirements we did not mention here.