Third-Party & Vendor Risk Management
A vendor's weak security quietly becomes yours.
The problem
Vendors are onboarded with little scrutiny and never reviewed again — so a supplier's weak security quietly becomes yours.
We build and run a structured third-party risk programme: assess vendors before they're trusted, set the right contract terms, and re-check them on a schedule.
What you get
Concrete deliverables, fixed scope.
- TPRM process and vendor risk-tiering model
- Vendor security assessments and questionnaires
- Security and data-protection contract clauses
- Onboarding and offboarding controls for suppliers
- Ongoing reassessment cadence by risk tier
- Vendor risk register and reporting
How we work
Four steps. No surprises.
01 Discover
We map what you have, what's broken, and what 'done' looks like — in plain language.
02 Design
A short scoped proposal. Fixed deliverables, fixed price, no open-ended retainers.
03 Build
Weekly demos. You see real working software, not status decks.
04 Operate
Handover with documentation, or stay on for ongoing support — your call.
Where this fits
Three real-world scenarios.
Stand up a TPRM programme
Move from ad-hoc vendor onboarding to a structured, tiered assessment process.
Audit or certification requirement
Demonstrate third-party risk management for ISO 27001, SOC 2, or a customer review.
High-risk supplier review
Assess a critical vendor or processor handling sensitive data before you rely on them.
Questions
Common questions about vendor risk management (TPRM).
Explore further
Related practices.
Govern
Security Risk Management
Know your real risks — and what to do about each one.
Govern
ISMS & ISO 27001
An information security management system that passes the audit — and actually runs.
Govern
Regulatory Compliance (NIS2 / GDPR)
Know exactly which regulations apply to you — and meet them.