
Vendor risk management

Know who has access to your data — and whether to trust them with it. Effectiveness improves significantly with a mature GRC platform vendor module. Pairs best with GRC Configuration or an active vCISO subscription.

Your vendors are your risk surface

SOC 2 CC9.2 and ISO 27001 A.15 both require documented vendor risk management. Beyond compliance, vendor risk is a real operational concern — if your critical SaaS vendor has a breach and you have no BAA or security requirements in your MSA, you are exposed in ways that auditors will find and enterprise customers will ask about.

The Launch tier is a one-time project — a foundational vendor inventory and risk tiering. Growth and above are monthly retainers for ongoing vendor monitoring and questionnaire management.

Pricing tiers

Launch · One-time project
$2,200–$4,500
one-time project · 12–24 hrs · 2–3 weeks
Overage: $185/hr · 1 results briefing + 30-day email Q&A
  • Vendor inventory build (all third-party tools and services)
  • Vendor risk tiering (Critical / High / Medium / Low)
  • Initial vendor risk questionnaire (standard template)
  • Top 10 high-risk vendor findings report
  • GRC platform vendor module setup
  • Note: this project feeds directly into the Growth retainer with no duplicated work

Growth · Most popular
$1,800–$3,500
per month · Up to 10 vendor reviews/month · 1–2 week onboarding
Overage: $195/hr · Monthly call + Slack + quarterly summary report
  • Ongoing vendor reviews (up to 10/month)
  • Vendor questionnaire management (send, track, and follow up)
  • Contractual risk review (DPAs, MSAs, security addenda)
  • Vendor risk register maintenance (updated monthly)
  • New vendor onboarding checklist and approval workflow
  • Monthly vendor risk summary report

Scale
$3,500–$7,500+
per month · Up to 25+ vendor reviews/month · 1 week onboarding
Overage: $225/hr · M&A vendor risk: $5K–$15K per target
  • Everything in Growth, plus:
  • Up to 25 vendor reviews per month (unlimited at top of range)
  • Fourth-party risk identification (your vendors’ vendors)
  • Critical vendor deep-dives (annual, Tier 1 vendors)
  • Contract language guidance (SLAs, breach notification, indemnification)
  • HIPAA BAA chain + GDPR sub-processor registry maintenance
  • Annual vendor risk maturity assessment
  • M&A vendor risk review ($5K–$15K per target — scoped separately)

Bundle recommendation

  • Bundle with vCISO Growth — vendor risk becomes part of the monthly security program at a lower combined cost
  • Add HIPAA or GDPR support — vendor contracts require specific data protection clauses under both frameworks

Vendor contracts require specific data protection clauses under HIPAA and GDPR. We handle both as part of an integrated program.