Get a Real Handle on Third-Party Risk
You've locked down your own systems. But what about the 50 vendors who touch your data, your infrastructure, or your operations every day? We help you find out where the real exposure is — and do something about it.
Why This Keeps CISOs Up at Night
You can't control your vendors' security, but you're still on the hook when things go wrong. Regulators, insurers, and your biggest clients all know it — and they're starting to ask hard questions.
NIS2 Says You Have To
Article 21(2)(d) doesn't mince words: if you're an essential or important entity, you need to manage supply-chain security. Not "should." Need to.
DORA Gets Even More Specific
In financial services, you now need a register of every ICT vendor, proper due diligence before you sign, and contractual clauses that actually have teeth.
ISO 27001 Has Five Controls for This
Annex A controls 5.19 through 5.23 are dedicated to supplier relationships. In our experience, they're also the most commonly undercooked part of any ISMS.
Vendors Are the #1 Way In
More than 60% of breaches involve a third party somewhere in the chain. When your vendor gets hit, their problem becomes your incident — and your liability.
Your Clients Are Asking
Enterprise procurement teams want to see how you manage your own vendors before they'll trust you with their data. No programme? No deal.
Your Insurer Is Asking Too
Cyber insurers are tightening up. A documented vendor risk programme isn't just good practice anymore — it's increasingly a condition for getting covered at a reasonable price.
How It Works, Step by Step
No mystery, no black box. Here's the path from "we don't really know what our vendors are doing" to "we've got this covered" — and it's more straightforward than you'd think.
Inventory
Who are your vendors, and which ones actually matter?
Assess
How secure are they, really? Let's find out.
Treat
Fix what needs fixing, accept what you can live with.
Contract
Put proper security teeth into your agreements.
Monitor
Keep watching — because things change.
Pick What You Need — Leave the Rest
We've broken the work into six modules. You can start with one, combine a few, or go all-in. Each one stands on its own and gives you something concrete to show for it.
Vendor Inventory & Tiering
First things first: who are all your vendors, and which ones could actually hurt you? We'll build a complete register, map the data flows, and sort everyone into risk tiers so you know where to focus.
Due Diligence & Assessment
Now we dig in. Tailored questionnaires (not the same 200 questions for everyone), actual evidence review, and a scoring system that maps to ISO 27001, NIS2, and DORA — so the results mean something to auditors too.
Risk Treatment & Remediation
You've found the gaps — now what? We'll work out what needs fixing, what you can compensate for, and what's genuinely acceptable to live with. Every vendor gets a clear treatment plan with owners and timelines.
Contractual Security Framework
Most vendor contracts were signed without a single security clause. We'll fix that — adding security schedules, data-processing terms, audit rights, incident notification rules, and exit provisions that protect you if things go south.
TPRA Framework & Governance
This is the glue that holds everything together: the policy, the procedures, who's responsible for what, when things escalate, and how the board stays informed. Without it, even great assessments eventually gather dust.
Continuous Monitoring Setup
A one-time assessment is a snapshot. We'll set you up with reassessment cycles, monitoring triggers, KRI dashboards, and integration with your existing ISMS or GRC tools — so vendor risk stays on the radar permanently.
Not Every Vendor Deserves 200 Questions
Your critical cloud provider and the company that delivers office plants don't carry the same risk. We tier your vendors so you spend time where the exposure actually is.
| Tier | Criteria | Assessment Depth | Reassessment Cycle |
|---|---|---|---|
| Critical | They touch your sensitive data, plug into your systems, or your business stops if they go down | Deep dive — full assessment + on-site or virtual audit | Every year + whenever something changes |
| High | They handle personal data, run key operations, or host your cloud infrastructure | Detailed questionnaire + we check their evidence | Every year |
| Medium | Limited data access, moderate business impact — your typical SaaS tools | Standard questionnaire + quick certification check | Every 2 years |
| Low | No data access, easily swapped out, minimal system integration | Lightweight screening — keep it simple | Every 3 years |
Three Ways In — Pick What Fits
Whether you need a quick reality check or a full vendor risk programme, we've got a starting point that matches where you are right now. All prices are approximate and subject to change based on your organisation's individual circumstances.
Rapid Check
- Map your full vendor landscape
- Classify up to 10 vendors by risk tier
- See where your real exposure is
- Understand how your data flows to third parties
- Walk away with a prioritised action plan
Assessment Batch
- Everything in Rapid Check
- Proper due diligence on 5–20 vendors
- Clear treatment plans for what we find
- Scorecards your board can actually read
- A risk register that's ready for auditors
Full Programme
- All 6 modules, end to end
- A framework your team can run after we leave
- Every vendor in your portfolio assessed
- Contracts reviewed and tightened
- Monitoring set up so nothing slips through
- NIS2 and DORA alignment baked in
Ongoing Retainer
- Quarterly vendor check-ups
- Help onboarding new vendors properly
- Keep your risk register alive and current
- Heads-up when regulations change
- Annual programme health check
Why People Work With Us
We've done this enough times to know what works and what doesn't. Here's what makes the difference.
We Focus Where It Matters
No blanket approach. Your office plant supplier doesn't get the same treatment as your cloud host. We tier vendors by real risk, so your team's energy goes where the exposure is.
One Programme, Three Frameworks
We design every assessment to satisfy ISO 27001, NIS2, and DORA at the same time. Do the work once, tick multiple boxes.
Senior People, Fair Prices
You work directly with experienced consultants who've built these programmes before — at 30–50% less than what the large firms charge. No layers of junior staff in between.
We Build It So You Can Run It
We're not trying to create a dependency. Everything we deliver — frameworks, templates, processes — is designed so your team owns it and can keep it going without us.
Curious Where You Stand? Let's Find Out.
Grab 30 minutes with us. We'll talk through your vendor landscape, the regulations that apply to you, and the smartest place to start. No pitch deck, no pressure — just a straight conversation.
Let's Talk — It's Free