Risk · Policy template

Third-Party / Vendor Risk Policy

Supply-chain risk is a growing audit focus. This template covers due diligence, contracts and ongoing monitoring.


[Organisation] · Third-Party / Vendor Risk Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal

Purpose

To manage the security and compliance risks introduced by vendors and other third parties.

Scope

Applies to any third party that accesses, processes or stores [Organisation] data or connects to its systems.

Policy statements

  • Vendors are risk-assessed before onboarding, proportionate to the data and access involved.
  • Contracts include security, confidentiality, data-protection and breach-notification obligations.
  • Vendor access follows least privilege and is reviewed periodically.
  • Higher-risk vendors are reassessed on a defined cadence and on material change.
  • Vendor offboarding includes access revocation and data return or destruction.

Review

Reviewed annually and after any significant vendor incident.

Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
