Vendor Risk Assessment Procedure Free Template

Here is the full Vendor Risk Assessment Procedure document (PRC-ALL-002), aligned with SOC 2 Trust Criteria CC9.1 and CC9.2, and ISO/IEC 27001:2022 Controls A.5.19 (Supplier Relationships) and A.5.20 (Addressing Information Security in Supplier Agreements):

1. Document Control

  • Document Title: Vendor Risk Assessment Procedure

  • Document Identifier: PRC-ALL-002

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Vendor Risk Manager>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this procedure is to ensure that the organization systematically assesses and manages the security and operational risks posed by third-party vendors and service providers. The procedure is designed to evaluate vendor controls, data handling practices, and contractual safeguards before onboarding and throughout the vendor lifecycle.

This procedure supports compliance with SOC 2 Trust Services Criteria CC9.1 and CC9.2 and ISO/IEC 27001:2022 Controls A.5.19 and A.5.20, ensuring that vendors and partners maintain adequate security and risk management practices commensurate with their level of access to company systems or data.

3. Scope

This procedure applies to all third-party vendors, contractors, consultants, cloud providers, SaaS applications, and service organizations that process, store, transmit, or access the organization’s sensitive data, production systems, or customer information.

It covers all phases of the vendor lifecycle: procurement, onboarding, active engagement, annual review, and offboarding. Internal procurement teams, legal counsel, and business stakeholders are expected to participate in the assessment and monitoring processes.

4. Policy Statement

The organization shall conduct formal risk assessments for all vendors that:

  • Have access to confidential, regulated, or proprietary data

  • Integrate into production environments

  • Handle critical operations or provide infrastructure services

The process shall include:

  1. Risk Tiering – Vendors are categorized (Low, Medium, High, Critical) based on access and impact level.

  2. Due Diligence – Each vendor must complete a risk questionnaire (e.g., SIG, CAIQ, custom security survey).

  3. Documentation Review – Submission of security documentation (SOC 2 Type II, ISO 27001, pen test reports).

  4. Contractual Safeguards – Verification of data protection clauses, SLAs, breach notification terms, and audit rights.

  5. Approval Workflow – Risk ratings and documentation are reviewed by Legal, InfoSec, and Business Owner prior to engagement.

  6. Ongoing Monitoring – Annual reassessment and event-driven reviews triggered by incidents, breaches, or scope changes.

5. Safeguards

Control ID – Safeguard Description

  • VRA-01 – All vendors are risk-tiered using a standardized Vendor Impact Matrix.

  • VRA-02 – Critical and High vendors must undergo a full security questionnaire review.

  • VRA-03 – Required artifacts for high-tier vendors include SOC 2 reports, ISO 27001 certificates, and penetration test results.

  • VRA-04 – Vendor contracts must include information security requirements and right-to-audit clauses.

  • VRA-05 – A Vendor Risk Register is maintained in .

  • VRA-06 – Quarterly review of critical vendors and annual reassessment for all Medium, High, and Critical risk vendors.

  • VRA-07 – Vendors with findings must submit a remediation plan and are tracked to resolution.

  • VRA-08 – Offboarding checklists ensure secure data destruction and revocation of system access.

6. Roles and Responsibilities

  • Vendor Risk Manager: Oversees the assessment process, maintains the risk register, and coordinates reassessments.

  • Procurement Team: Ensures vendors undergo risk review prior to contract execution.

  • Business Owner: Defines vendor scope, usage, and confirms business justification.

  • Information Security Team: Reviews security documentation, evaluates risks, and recommends mitigation.

  • Legal Counsel: Reviews contract terms for security, privacy, liability, and compliance clauses.

  • Third-Party Vendor: Provides all required documentation, completes assessments, and complies with the organization’s security standards.

7. Compliance and Exceptions

All vendor engagements must pass risk assessment and obtain documented approval prior to onboarding. Procurement may not finalize contracts for vendors classified as “High” or “Critical” without security review and signed approval.

Exceptions must be documented using the Vendor Risk Exception Form, signed by the Business Owner and approved by the Chief Risk Officer or their delegate. Each exception must include compensating controls and a review date not to exceed 12 months.

8. Enforcement

Failure to comply with this procedure—such as bypassing vendor assessment, ignoring remediation obligations, or using unvetted services—may result in disciplinary action for employees and contract penalties for vendors.

The organization reserves the right to suspend or terminate vendor access upon discovery of significant, unresolved risks or breaches of contractual obligations.

9. Related Policies/Documents

  • POL-ALL-015: Vendor Management Policy

  • PRC-ALL-001: Risk Assessment Procedure

  • POL-ALL-005: Information Security Policy

  • ISO/IEC 27001:2022 Controls A.5.19, A.5.20

  • SOC 2 Criteria: CC9.1 (Vendor Risk Management), CC9.2 (Contractual Obligations)

  • Vendor Risk Tiering Matrix

  • Vendor Risk Questionnaire

  • Vendor Offboarding Checklist

10. Review and Maintenance

This procedure shall be reviewed annually or upon changes to the third-party risk management program. The Vendor Risk Manager is responsible for initiating and coordinating this review and ensuring that related forms and tools are updated accordingly.
