How to Assess Supplier Security

Your security is only as strong as your weakest supplier. A breach at a vendor with access to your systems or data can be just as devastating as a direct attack. Here's how to systematically evaluate and manage supplier security without creating excessive bureaucracy.

[Figure: network of connected businesses, illustrating supply chain security. Caption: Your supplier network requires systematic security assessment]

Why Supplier Security Matters

Supply chain attacks are increasingly common because:

Easier entry point

Attackers target less-secured suppliers to reach their real target

Trusted access

Suppliers often have privileged access to your systems and data

Shared responsibility

You're still liable for breaches caused by your suppliers under GDPR

NIS2 requirement

Supply chain security is explicitly required for compliance

Insurance requirements

Cyber insurers increasingly ask about third-party risk management

Business continuity

A supplier breach can disrupt your operations even without direct attack

Recent Supply Chain Breaches

These real-world incidents show why supply chain security matters:

Ledger Crypto Wallet (2024)

What happened: Attackers compromised a former employee's npm account to inject malicious code into Ledger's JavaScript library used by cryptocurrency apps.

Impact: Users of dApps that loaded the compromised library could have their wallets drained. Estimated $600K stolen before detection.

Lesson: Monitor third-party code dependencies. Former employee accounts should be immediately revoked.

Clop Ransomware - Oracle Zero-Day (2025)

What happened: Clop exploited a zero-day vulnerability in Oracle software to attack organizations through their managed file transfer systems.

Impact: Hundreds of organizations affected. Attackers exfiltrated data without deploying ransomware.

Lesson: Patch critical vendor software immediately. Monitor vendors' security bulletins. Have incident response plans for supplier breaches.

ESA Data Breach (2025)

What happened: The European Space Agency suffered a breach through a third-party contractor, exposing sensitive program data.

Impact: Confidential space program data potentially exposed. Investigation ongoing across multiple countries.

Lesson: Apply the same security standards to contractors as to internal systems. Segment contractor access.

Under Armour / MyFitnessPal (2024)

What happened: Breach exposed 72 million customer records through compromised third-party data processing.

Impact: Massive customer data exposure including emails, usernames, and hashed passwords.

Lesson: Audit data processors thoroughly. Minimize data shared with third parties.

The 5-Step Supplier Security Process

Follow this practical process to assess and manage supplier security:

Step 1: Inventory Your Suppliers

Before you can assess risk, you need to know who your suppliers are and what access they have:

  • List all vendors, contractors, and service providers
  • Document what data each supplier can access
  • Identify which suppliers have system access (remote, VPN, admin)
  • Note any subcontractors your suppliers use (fourth-party risk)
  • Record the business function each supplier supports
  • Include cloud services, SaaS tools, and IT providers

Tip: Start with suppliers who have access to sensitive data or critical systems. You can expand later.

Step 2: Categorize by Risk Level

Not all suppliers need the same level of scrutiny. Categorize based on access and impact:

  • Critical: Access to sensitive data or critical systems (e.g., cloud provider, payroll, ERP)
  • High: Process personal data or have network access (e.g., HR software, IT support)
  • Standard: Limited access, no sensitive data (e.g., office supplies, cleaning)

  • Consider data sensitivity: customer data, financial info, IP
  • Consider access level: admin rights, remote access, physical access
  • Consider business impact: what happens if they're compromised?

Tip: Focus 80% of your effort on the top 20% of suppliers by risk. Don't waste time on low-risk vendors.

Step 3: Send Security Questionnaires

For Critical and High-risk suppliers, gather security information:

  • Do they have security certifications? (ISO 27001, SOC 2, CyberFundamentals)
  • Do they have a security policy and incident response plan?
  • How do they protect data at rest and in transit?
  • What access controls do they use? (MFA, least privilege)
  • Do they conduct employee security training?
  • When was their last security assessment or penetration test?
  • Do they have cyber insurance?

Tip: For certified suppliers, you can often rely on their certification instead of detailed questionnaires.

Step 4: Set Contract Requirements

Formalize security expectations in your contracts:

  • Data Processing Agreement (DPA) for any supplier handling personal data
  • Breach notification clause: notify within 24-48 hours
  • Right to audit: ability to assess their security upon request
  • Security standards: minimum requirements they must maintain
  • Subcontractor approval: require notification of any subcontractors
  • Liability and indemnification for security incidents
  • Termination rights: ability to exit if security standards aren't met

Tip: Start with new contracts. Renegotiating existing contracts can be done at renewal.

Step 5: Implement Ongoing Monitoring

Supplier security isn't one-and-done. Establish ongoing oversight:

  • Annual review for critical suppliers, every 2-3 years for standard suppliers
  • Monitor for security news about your suppliers
  • Track certification renewals and expiration dates
  • Include suppliers in your incident response plan
  • Establish a communication channel for security issues
  • Review access regularly - revoke when no longer needed
  • Update risk categorization as relationships change

Tip: Set calendar reminders for supplier reviews. It's easy to forget when things are running smoothly.

Sample Security Questionnaire

Use these key questions to assess supplier security posture:

Governance & Compliance

  • Do you have a dedicated information security role or team?
  • What security certifications do you hold? (ISO 27001, SOC 2, CyberFundamentals)
  • Do you have a documented information security policy?
  • When was your last external security audit?

Technical Controls

  • Do you require multi-factor authentication for all users?
  • How do you encrypt data at rest and in transit?
  • Do you have endpoint protection (EDR/antivirus) on all devices?
  • How do you manage and patch vulnerabilities?

Access & Data

  • How do you implement least privilege access?
  • What is your employee offboarding process for access removal?
  • Where is our data stored and processed (geographic location)?
  • Do you use subcontractors who will access our data?

Incident Response

  • Do you have a documented incident response plan?
  • What is your breach notification timeframe?
  • Have you experienced any security incidents in the past 3 years?
  • Do you have cyber insurance?

Key Certifications to Look For

These certifications provide assurance about a supplier's security maturity:

ISO 27001

International standard for information security management systems (ISMS)

Best for: Any supplier handling sensitive data or with significant access

SOC 2

Service Organization Controls focused on security, availability, processing integrity, confidentiality, and privacy

Best for: Cloud services, SaaS providers, data centers

CyberFundamentals

Belgian CCB framework with Basic, Important, and Essential levels

Best for: Belgian suppliers, especially SMEs

ISAE 3402

Assurance on service organization controls (often combined with SOC 2)

Best for: Financial services providers, audited environments

Essential Contract Security Clauses

Include these security provisions in supplier contracts:

Data Processing Agreement (DPA)

Required under GDPR for any supplier processing personal data. Defines roles, purposes, and security measures.

Article 28 GDPR-compliant DPA with specified technical and organizational measures

Breach Notification

Supplier must notify you promptly of any security incident affecting your data.

"Supplier shall notify Client within 24 hours of discovering any security incident..."

Security Standards

Minimum security controls the supplier must maintain.

"Supplier shall maintain ISO 27001 certification or equivalent security controls..."

Audit Rights

Your right to assess supplier security, directly or through a third party.

"Client may audit Supplier's security controls annually with 30 days notice..."

Subcontractor Approval

Control over who else handles your data.

"Supplier shall not engage subcontractors without prior written consent of Client..."

Termination for Breach

Right to exit if security standards aren't met.

"Client may terminate immediately upon material security breach..."

Supplier Risk Assessment Matrix

Use this matrix to determine the assessment depth needed for each supplier:

                        Data Sensitivity
Access Level      Low         Medium      High
High              High        Critical    Critical
Medium            Standard    High        Critical
Low               Minimal     Standard    High

Common Mistakes to Avoid

Treating all suppliers the same

Fix: Risk-based approach: focus effort on critical suppliers, streamline for low-risk ones

One-time assessment only

Fix: Annual reviews for critical suppliers, track certification expirations

Accepting questionnaire responses at face value

Fix: Request evidence: certificates, audit reports, policy documents

Ignoring fourth-party risk

Fix: Ask about subcontractors and their security practices

No security clauses in contracts

Fix: Add security requirements to all new contracts, renegotiate at renewal

Example: Supplier Risk Register

Here's what a typical supplier risk assessment looks like:

Supplier            Type            Access                     Risk      Certification                Status
CloudCorp ERP       ERP/Accounting  Financial data, invoices   Critical  ISO 27001, SOC 2             Compliant
IT Support Partner  Managed IT      Admin rights, all systems  Critical  CyberFundamentals Important  Review due
HR Software         SaaS            Employee data, payroll     High      ISO 27001                    Compliant
Marketing Agency    Service         Website CMS, analytics     Standard  None                         Questionnaire sent
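The risk matrix, the Step 5 monitoring tasks (review cadence, certification expiry, subcontractor approval) and this register table can be kept in one small script instead of a spreadsheet. The following Python is an added example written for this page; it is not code from the original article or from Easy Cyber Protection. The matrix values come from the page; the 24-month cadence for High suppliers (upper end of the FAQ's "every 1-2 years"), the 36-month cadence for Minimal suppliers, the 90-day certification warning, the status labels, and every date, supplier and subcontractor name are assumptions or constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assessment depth straight from the page's Supplier Risk Assessment Matrix:
# key = (access level, data sensitivity), value = how deep the assessment must go.
ASSESSMENT_MATRIX = {
    ("high", "low"): "High",       ("high", "medium"): "Critical",  ("high", "high"): "Critical",
    ("medium", "low"): "Standard", ("medium", "medium"): "High",    ("medium", "high"): "Critical",
    ("low", "low"): "Minimal",     ("low", "medium"): "Standard",   ("low", "high"): "High",
}
# Review cadence in months. Critical = annual and Standard = every 3 years follow Step 5 and the FAQ;
# High = 24 months is the upper end of the FAQ's "every 1-2 years"; Minimal = 36 months is an assumption.
REVIEW_INTERVAL_MONTHS = {"Critical": 12, "High": 24, "Standard": 36, "Minimal": 36}
CERT_EXPIRY_WARNING_DAYS = 90  # assumption: flag a certification this far before it lapses


@dataclass
class Supplier:
    name: str
    business_function: str
    access_level: str                 # "low" | "medium" | "high"
    data_sensitivity: str             # "low" | "medium" | "high"
    certifications: dict = field(default_factory=dict)  # certification name -> expiry date
    last_review: date | None = None   # date of the last completed assessment, None if never done
    subcontractors: list = field(default_factory=list)  # fourth parties the supplier relies on


def add_months(d: date, months: int) -> date:
    """Whole-month date arithmetic, clamping the day to the length of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    month_end = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return d.replace(year=year, month=month, day=min(d.day, month_end))


def assessment_depth(s: Supplier) -> str:
    """Step 2: look the supplier up in the matrix; reject values outside low/medium/high."""
    key = (s.access_level.lower(), s.data_sensitivity.lower())
    if key not in ASSESSMENT_MATRIX:
        raise ValueError(f"{s.name}: access level and data sensitivity must be low/medium/high, got {key}")
    return ASSESSMENT_MATRIX[key]


def next_review_due(s: Supplier) -> date | None:
    """Step 5: the next review date follows from the last review and the risk-based cadence."""
    if s.last_review is None:
        return None
    return add_months(s.last_review, REVIEW_INTERVAL_MONTHS[assessment_depth(s)])


def open_actions(s: Supplier, today: date) -> list[str]:
    """Everything needing follow-up now: overdue reviews, lapsing certificates, fourth parties."""
    depth, actions = assessment_depth(s), []
    due = next_review_due(s)
    if due is None:
        actions.append("no assessment on record: send questionnaire and request evidence")
    elif due <= today:
        actions.append(f"review overdue since {due}")
    for cert, expiry in s.certifications.items():
        if expiry <= today:
            actions.append(f"{cert} expired on {expiry}: request the renewed certificate")
        elif expiry <= today + timedelta(days=CERT_EXPIRY_WARNING_DAYS):
            actions.append(f"{cert} expires on {expiry}: confirm renewal is under way")
    if depth in ("Critical", "High") and not s.certifications:
        actions.append("no certification: questionnaire must be backed by audit evidence")
    if s.subcontractors:
        actions.append(f"{len(s.subcontractors)} subcontractor(s) declared: confirm written approval")
    return actions


def build_register(suppliers: list[Supplier], today: date) -> list[dict]:
    """One row per supplier, highest assessment depth first, mirroring the page's register table."""
    rank = {"Critical": 0, "High": 1, "Standard": 2, "Minimal": 3}
    rows = []
    for s in suppliers:
        actions = open_actions(s, today)
        if s.last_review is None:
            status = "Assessment pending"
        elif actions:
            status = "Review due"
        else:
            status = "Compliant"
        rows.append({"supplier": s.name, "function": s.business_function, "risk": assessment_depth(s),
                     "next_review": next_review_due(s), "status": status, "actions": actions,
                     "certifications": ", ".join(s.certifications) or "None"})
    return sorted(rows, key=lambda r: rank[r["risk"]])


# Constructed sample data modelled on the page's four example rows; every date and name is invented.
SAMPLE_SUPPLIERS = [
    Supplier("CloudCorp ERP", "ERP/Accounting", "high", "high",
             {"ISO 27001": date(2026, 3, 31), "SOC 2": date(2025, 12, 31)}, date(2024, 9, 1)),
    Supplier("IT Support Partner", "Managed IT", "high", "medium",
             {"CyberFundamentals Important": date(2025, 7, 15)}, date(2024, 3, 1), ["Remote NOC Ltd"]),
    Supplier("HR Software", "SaaS", "low", "high", {"ISO 27001": date(2027, 1, 1)}, date(2024, 1, 15)),
    Supplier("Marketing Agency", "Service", "medium", "low"),
]
TODAY = date(2025, 6, 1)  # constructed "as of" date so the output is reproducible

if __name__ == "__main__":
    for row in build_register(SAMPLE_SUPPLIERS, TODAY):
        print(f"{row['supplier']:<20} {row['risk']:<9} {row['status']:<19} next review: {row['next_review']}")
        for action in row["actions"]:
            print(f"    - {action}")
```

Running it with the sample data lists CloudCorp ERP as Compliant, the IT Support Partner as Review due (annual review overdue since March 2025, CyberFundamentals certificate lapsing in July, one subcontractor awaiting approval), HR Software as Compliant with its next review in January 2026, and the Marketing Agency as Assessment pending. A "Review due" status deliberately covers any open action, not only an overdue review, so that a lapsing certificate or an undeclared fourth party is surfaced before the next scheduled check.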

Streamline Supplier Security Management

Easy Cyber Protection helps you track supplier assessments, manage questionnaires, and maintain your supplier risk register. Stay on top of third-party risk without spreadsheet chaos.

Frequently Asked Questions

How many suppliers should we assess?

Focus on critical and high-risk suppliers first - typically 10-20 for most SMEs. These are suppliers with access to sensitive data or critical systems. For low-risk suppliers (office supplies, basic services), a lightweight approach or no assessment is appropriate.

What if a supplier refuses to complete our questionnaire?

This is a red flag. Ask if they have certifications or audit reports they can share instead. If they refuse any assessment, consider whether you can limit their access or find an alternative supplier. For critical suppliers, security assessment should be a requirement.

How often should we reassess suppliers?

Critical suppliers: annually. High-risk suppliers: every 1-2 years. Standard suppliers: at contract renewal or every 3 years. Also reassess when the supplier has a security incident, changes ownership, or when you change the scope of data/access they have.

Do we need a formal supplier security policy?

For NIS2 compliance, yes. You need documented requirements for supply chain security. Even without compliance requirements, a simple policy helps ensure consistency. It can be a single page outlining your assessment criteria and contract requirements.

What about small suppliers without certifications?

Many SME suppliers won't have formal certifications. Use questionnaires to understand their actual practices. Focus on key controls: do they use MFA? Do they encrypt data? Do they have backups? A small supplier with good practices may be lower risk than a large one with poor security culture.
