October 29, 2022

How to Get Through A Backlog of Vendor Security Assessments

Vendor risk management (also called third-party risk management) is now a bedrock of most companies' information security programs. As companies mature their programs, a common issue comes up in vendor risk: there may be a huge backlog of vendors that were never assessed on intake. For many companies, this could range anywhere from 30 to 200 vendors that need to be assessed retroactively. This can be a large burden on even the most well-resourced teams. Here are a few ways that teams can handle a large backlog of vendor assessments.

  1. Separate the vendors into High, Medium and Low Risk
  2. Create a set of controls for each level of risk
  3. Create a set of standard documentation to ask from the vendor for each level of risk
  4. Reach out to vendors through their Customer Success Rep or through the email on their Security page
  5. Look for the set of controls in the documentation based on the risk level of the vendor
  6. Follow up with individual vendors based on control questions and/or gaps

This type of work can be done in a Word or Excel document – it doesn't need to be fancy. If it's something that your team would like outside help with, this is a service that Teepee can help with as well.
