Vendor Security Review
A vendor security review is the process by which an organization evaluates the security and compliance posture of a third-party supplier before onboarding and periodically afterward. It typically combines a security questionnaire, evidence collection (SOC 2, ISO, pen-test summaries), and a documented risk decision with an owner and an audit trail.
Synonyms: vendor security assessment, third-party security review, third-party risk assessment, vendor risk review
A vendor security review is the third-party-risk process that decides whether it is safe to send data to, or depend on, an external supplier. It brings together a security questionnaire, supporting evidence such as SOC 2 or ISO reports and penetration-test summaries, and a reasoned risk decision that a named owner signs off.
Done well, a review is repeatable rather than one-off: each assessment is captured as a governed record — questions answered from cited evidence, exceptions flagged, a decision and approver on file, and a re-review date set. That turns the next annual cycle, or a mid-term change in the vendor’s controls, into an update against an existing record instead of starting from a blank spreadsheet.