THIRD-PARTY SECURITY ASSESSMENT
[ASSESSING ORGANIZATION NAME]
SECTION 1: ASSESSMENT INFORMATION
1.1 Assessment Details
| Field | Information |
|---|---|
| Assessment ID | VRA-[YEAR]-[NUMBER] |
| Assessment Date | |
| Assessment Type | ☐ Initial ☐ Annual Review ☐ Triggered ☐ Renewal |
| Assessor Name | |
| Assessor Title | |
| Review/Approval By | |
1.2 Third-Party Information
| Field | Information |
|---|---|
| Vendor/Third-Party Name | |
| Legal Entity Name | |
| DBA (if different) | |
| Primary Contact | |
| Contact Email | |
| Contact Phone | |
| Vendor Website | |
| Vendor Address | |
1.3 Engagement Details
| Field | Information |
|---|---|
| Services/Products Provided | |
| Business Owner | |
| Contract/Agreement Reference | |
| Contract Start Date | |
| Contract End Date | |
| Contract Value | $ |
| Renewal Terms | |
SECTION 2: RISK CLASSIFICATION
2.1 Data Access and Processing
What types of data will the third party access or process?
☐ No data access (software only, no company data)
☐ Public/non-sensitive data only
☐ Internal business data
☐ Confidential business data
☐ Personal Identifiable Information (PII)
☐ Protected Health Information (PHI)
☐ Payment Card Information (PCI)
☐ Financial data
☐ Intellectual property / trade secrets
☐ Authentication credentials
☐ Other regulated data: _______________________
Estimated volume of records:
☐ <1,000 ☐ 1,000-10,000 ☐ 10,000-100,000 ☐ 100,000-1M ☐ >1M
2.2 System Access and Integration
What level of system access will the third party have?
☐ No access to company systems
☐ Read-only access to non-critical systems
☐ Read/write access to non-critical systems
☐ Access to critical business systems
☐ Administrative/privileged access
☐ Direct network connectivity
☐ API integration
☐ Cloud environment access
☐ Physical facility access
2.3 Business Criticality
How critical is this third party to business operations?
☐ Critical - Business cannot operate without this vendor
☐ High - Significant impact if unavailable
☐ Medium - Moderate impact, workarounds exist
☐ Low - Minimal impact, easily replaceable
2.4 Risk Classification Result
Based on the above factors, this third party is classified as:
| Risk Level | Data Sensitivity | System Access | Criticality | Assessment Depth |
|---|---|---|---|---|
| ☐ Critical | PHI, PCI, high-volume PII | Privileged/critical system access | Critical | Full assessment + on-site |
| ☐ High | PII, confidential data | Direct system access | High | Full questionnaire + evidence |
| ☐ Medium | Internal data | Limited system access | Medium | Standard questionnaire |
| ☐ Low | Public data only | No system access | Low | Abbreviated assessment |
Final Risk Classification: _______________________
Classification Justification:
_______________________________________________________________________________
_______________________________________________________________________________
SECTION 3: SECURITY CERTIFICATION REVIEW
3.1 Security Certifications
Does the third party maintain any of the following certifications?
| Certification | Maintained | Expiration Date | Evidence Reviewed |
|---|---|---|---|
| SOC 2 Type II | ☐ Yes ☐ No | | ☐ |
| SOC 1 Type II | ☐ Yes ☐ No | | ☐ |
| ISO 27001 | ☐ Yes ☐ No | | ☐ |
| PCI DSS | ☐ Yes ☐ No | | ☐ |
| HIPAA (BAA available) | ☐ Yes ☐ No | | ☐ |
| FedRAMP | ☐ Yes ☐ No | | ☐ |
| CSA STAR | ☐ Yes ☐ No | | ☐ |
| Other: ____________ | ☐ Yes ☐ No | | ☐ |
3.2 SOC 2 Report Review (if applicable)
| Field | Information |
|---|---|
| Report Type | ☐ Type I ☐ Type II |
| Report Period | _______ to _______ |
| Trust Services Criteria | ☐ Security ☐ Availability ☐ Processing Integrity ☐ Confidentiality ☐ Privacy |
| Opinion Type | ☐ Unqualified ☐ Qualified ☐ Adverse |
| Number of Exceptions | |
| Material Exceptions | ☐ Yes ☐ No |
Exception Summary (if any):
_______________________________________________________________________________
_______________________________________________________________________________
3.3 Bridge Letter (if report is >12 months old)
☐ Bridge letter obtained
☐ Bridge letter confirms no material changes
☐ Bridge letter covers period from _______ to _______
SECTION 4: SECURITY CONTROLS ASSESSMENT
4.1 Governance and Risk Management
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.1.1 | Is there a documented information security program? | ☐ Yes ☐ No ☐ Partial | |
| 4.1.2 | Is there a designated CISO or security leader? | ☐ Yes ☐ No | |
| 4.1.3 | Are security policies documented and reviewed annually? | ☐ Yes ☐ No ☐ Partial | |
| 4.1.4 | Is there a risk assessment program? | ☐ Yes ☐ No ☐ Partial | |
| 4.1.5 | Are employees required to complete security training? | ☐ Yes ☐ No ☐ Partial | |
| 4.1.6 | Are background checks conducted for employees? | ☐ Yes ☐ No ☐ Partial | |
4.2 Access Control
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.2.1 | Are unique user IDs assigned to all users? | ☐ Yes ☐ No | |
| 4.2.2 | Is multi-factor authentication (MFA) implemented for remote access? | ☐ Yes ☐ No | |
| 4.2.3 | Is MFA implemented for access to customer data? | ☐ Yes ☐ No | |
| 4.2.4 | Is the principle of least privilege enforced? | ☐ Yes ☐ No ☐ Partial | |
| 4.2.5 | Are access rights reviewed periodically? | ☐ Yes ☐ No ☐ Partial | Frequency: _______ |
| 4.2.6 | Is access terminated promptly upon employee departure? | ☐ Yes ☐ No ☐ Partial | SLA: _______ |
| 4.2.7 | Is privileged access managed and monitored? | ☐ Yes ☐ No ☐ Partial | |
4.3 Data Protection
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.3.1 | Is data encrypted at rest? | ☐ Yes ☐ No | Algorithm: _______ |
| 4.3.2 | Is data encrypted in transit? | ☐ Yes ☐ No | Protocol: _______ |
| 4.3.3 | Is customer data segregated from other customers? | ☐ Yes ☐ No | Method: _______ |
| 4.3.4 | Are data loss prevention (DLP) controls implemented? | ☐ Yes ☐ No ☐ Partial | |
| 4.3.5 | Is there a data classification policy? | ☐ Yes ☐ No | |
| 4.3.6 | Are secure deletion procedures in place? | ☐ Yes ☐ No | |
| 4.3.7 | Is personal data handled in compliance with privacy laws? | ☐ Yes ☐ No ☐ Partial | |
4.4 Network and System Security
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.4.1 | Are firewalls implemented and maintained? | ☐ Yes ☐ No | |
| 4.4.2 | Is intrusion detection/prevention deployed? | ☐ Yes ☐ No | |
| 4.4.3 | Are systems hardened according to security baselines? | ☐ Yes ☐ No ☐ Partial | |
| 4.4.4 | Is network segmentation implemented? | ☐ Yes ☐ No | |
| 4.4.5 | Are vulnerability scans conducted regularly? | ☐ Yes ☐ No | Frequency: _______ |
| 4.4.6 | Is penetration testing conducted? | ☐ Yes ☐ No | Frequency: _______ |
| 4.4.7 | Is there a patch management program? | ☐ Yes ☐ No ☐ Partial | SLA: _______ |
4.5 Endpoint Security
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.5.1 | Is endpoint protection (AV/EDR) deployed? | ☐ Yes ☐ No | Product: _______ |
| 4.5.2 | Are endpoints encrypted? | ☐ Yes ☐ No | |
| 4.5.3 | Is mobile device management (MDM) implemented? | ☐ Yes ☐ No ☐ N/A | |
4.6 Physical Security
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.6.1 | Are physical access controls in place? | ☐ Yes ☐ No | |
| 4.6.2 | Are data centers secured with multi-factor access? | ☐ Yes ☐ No ☐ N/A | |
| 4.6.3 | Is video surveillance implemented? | ☐ Yes ☐ No | |
| 4.6.4 | Are environmental controls maintained? | ☐ Yes ☐ No | |
4.7 Business Continuity and Disaster Recovery
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.7.1 | Is there a business continuity plan? | ☐ Yes ☐ No | |
| 4.7.2 | Is there a disaster recovery plan? | ☐ Yes ☐ No | |
| 4.7.3 | Are regular backups performed? | ☐ Yes ☐ No | Frequency: _______ |
| 4.7.4 | Are backups stored offsite/separately? | ☐ Yes ☐ No | |
| 4.7.5 | Are backup restorations tested? | ☐ Yes ☐ No | Frequency: _______ |
| 4.7.6 | Is DR tested at least annually? | ☐ Yes ☐ No | Last test: _______ |
| 4.7.7 | What is the stated RTO? | | RTO: _______ |
| 4.7.8 | What is the stated RPO? | | RPO: _______ |
4.8 Incident Response
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.8.1 | Is there a documented incident response plan? | ☐ Yes ☐ No | |
| 4.8.2 | Is there a 24/7 incident response capability? | ☐ Yes ☐ No | |
| 4.8.3 | Will customers be notified of security incidents? | ☐ Yes ☐ No | SLA: _______ |
| 4.8.4 | Is there cyber insurance coverage? | ☐ Yes ☐ No | Limit: _______ |
| 4.8.5 | Have there been any breaches in the past 3 years? | ☐ Yes ☐ No | Details: _______ |
4.9 Subcontractor/Fourth-Party Management
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 4.9.1 | Does the vendor use subcontractors to process data? | ☐ Yes ☐ No | |
| 4.9.2 | Are subcontractors assessed for security? | ☐ Yes ☐ No ☐ N/A | |
| 4.9.3 | Can a list of subcontractors be provided? | ☐ Yes ☐ No ☐ N/A | |
| 4.9.4 | Will customer be notified of subcontractor changes? | ☐ Yes ☐ No ☐ N/A | |
SECTION 5: CLOUD-SPECIFIC CONTROLS (if applicable)
5.1 Cloud Hosting Information
| Field | Information |
|---|---|
| Cloud Service Model | ☐ SaaS ☐ PaaS ☐ IaaS ☐ Hybrid |
| Cloud Provider(s) | ☐ AWS ☐ Azure ☐ GCP ☐ Other: _______ |
| Data Center Locations | |
| Multi-Tenancy | ☐ Single-Tenant ☐ Multi-Tenant |
5.2 Cloud Security Controls
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 5.2.1 | Is data location restricted to approved regions? | ☐ Yes ☐ No | Regions: _______ |
| 5.2.2 | Is customer data isolated from other tenants? | ☐ Yes ☐ No | |
| 5.2.3 | Are cloud security best practices followed? | ☐ Yes ☐ No ☐ Partial | |
| 5.2.4 | Is the underlying cloud provider certified (SOC 2, ISO 27001)? | ☐ Yes ☐ No | |
| 5.2.5 | Is there a shared responsibility matrix? | ☐ Yes ☐ No | |
SECTION 6: PRIVACY AND REGULATORY COMPLIANCE
6.1 Privacy Compliance
| # | Control Area | Rating | Evidence/Notes |
|---|---|---|---|
| 6.1.1 | Is there a privacy policy? | ☐ Yes ☐ No | |
| 6.1.2 | Is there a designated privacy officer? | ☐ Yes ☐ No | |
| 6.1.3 | Can data subject requests be fulfilled? | ☐ Yes ☐ No | SLA: _______ |
| 6.1.4 | Is the vendor CCPA compliant? | ☐ Yes ☐ No ☐ N/A | |
| 6.1.5 | Is the vendor GDPR compliant? | ☐ Yes ☐ No ☐ N/A | |
| 6.1.6 | Will vendor sign a DPA/BAA if required? | ☐ Yes ☐ No | |
6.2 Regulatory Compliance
| Regulation | Applicable | Compliant | Evidence |
|---|---|---|---|
| HIPAA | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| SOX | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| GLBA | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| State Privacy Laws | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Other: _______ | ☐ Yes ☐ No | ☐ Yes ☐ No | |
SECTION 7: FINDINGS AND RECOMMENDATIONS
7.1 Findings Summary
| # | Finding | Severity | Recommendation | Vendor Response | Status |
|---|---|---|---|---|---|
| 1 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Open ☐ Remediated ☐ Accepted |
| 2 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Open ☐ Remediated ☐ Accepted |
| 3 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Open ☐ Remediated ☐ Accepted |
| 4 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Open ☐ Remediated ☐ Accepted |
| 5 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Open ☐ Remediated ☐ Accepted |
7.2 Strengths Identified
- _______________________________________________________________________________
- _______________________________________________________________________________
- _______________________________________________________________________________
7.3 Areas of Concern
- _______________________________________________________________________________
- _______________________________________________________________________________
- _______________________________________________________________________________
SECTION 8: ASSESSMENT CONCLUSION
8.1 Overall Security Rating
| Rating | Description |
|---|---|
| ☐ Strong | Controls meet or exceed expectations; minimal findings |
| ☐ Acceptable | Controls are adequate; minor findings that don't materially increase risk |
| ☐ Needs Improvement | Control gaps exist; remediation required before/during engagement |
| ☐ Unacceptable | Significant control deficiencies; engagement not recommended |
8.2 Recommendation
☐ Approve - Proceed with engagement without conditions
☐ Approve with Conditions - Proceed contingent on:
- [ ] Remediation of specific findings
- [ ] Additional contractual protections
- [ ] Enhanced monitoring
- [ ] Other: _______________________
☐ Reject - Do not proceed with engagement
☐ Defer - Additional information/assessment required
8.3 Conditions/Requirements (if applicable)
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
8.4 Next Assessment Date
☐ 12 months (standard)
☐ 6 months (elevated risk)
☐ Other: _______________________
SECTION 9: APPROVALS
9.1 Assessor Certification
I certify that this assessment has been conducted in accordance with [ORGANIZATION NAME]'s third-party risk management procedures and that the findings and recommendations accurately reflect the vendor's security posture.
Assessor Name: _______________________________
Signature: _______________________________
Date: _______________________________
9.2 Security Review
Security Reviewer: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
Comments:
_______________________________________________________________________________
9.3 Business Owner Acknowledgment
I acknowledge the findings of this assessment and accept responsibility for managing the identified risks.
Business Owner: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
9.4 Final Approval (for Critical/High-Risk Vendors)
Approver: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
Decision: ☐ Approved ☐ Approved with Conditions ☐ Rejected
ATTACHMENTS
☐ SOC 2 Report (or summary)
☐ ISO 27001 Certificate
☐ Penetration Test Summary
☐ Insurance Certificate
☐ Data Processing Agreement
☐ Subprocessor List
☐ Other: _______________________________
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
This assessment is confidential and intended for internal use only. Distribution outside [ORGANIZATION NAME] requires approval from the Security Team.
SOURCES AND REFERENCES
- NIST SP 800-161 Rev. 1, "Cybersecurity Supply Chain Risk Management Practices" (May 2022)
- NIST Cybersecurity Framework 2.0 (Feb. 2024), GV.SC Supply Chain Risk Management
- ISO/IEC 27001:2022, Information Security Management Systems
- CIS Controls v8, Control 15: Service Provider Management
- OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance" (June 2023)
- FFIEC IT Examination Handbook, "Outsourcing Technology Services"
- AICPA SOC 2 Trust Services Criteria
- PCI DSS v4.0, Requirement 12.8 (Third-Party Service Provider Management)
- HIPAA Security Rule, 45 CFR § 164.314 (Business Associate Requirements)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026