Skip to content
Glossary

Vendor Security Review

A vendor security review is the process by which an organization evaluates the security and compliance posture of a third-party supplier before onboarding and periodically afterward. It typically combines a security questionnaire, evidence collection (SOC 2, ISO, pen-test summaries), and a documented risk decision with an owner and an audit trail.

Synonyms: vendor security assessment, third-party security review, third-party risk assessment, vendor risk review

A vendor security review is the third-party-risk process that decides whether it is safe to send data to, or depend on, an external supplier. It brings together a security questionnaire, supporting evidence such as SOC 2 or ISO reports and penetration-test summaries, and a reasoned risk decision that a named owner signs off.

Done well, a review is repeatable rather than one-off: each assessment is captured as a governed record — questions answered from cited evidence, exceptions flagged, a decision and approver on file, and a re-review date set. That turns the next annual cycle, or a mid-term change in the vendor’s controls, into an update against an existing record instead of starting from a blank spreadsheet.

Frequently asked questions

What is the difference between a vendor security review and a security questionnaire?
The questionnaire is one input; the review is the whole process. A vendor security review gathers questionnaire responses plus supporting evidence, assesses residual risk, records a decision and its owner, and schedules re-review — so the questionnaire is the data, the review is the governed workflow around it.
How often should vendor security reviews happen?
Most programs review a vendor at onboarding and then on a risk-based cadence — annually for higher-risk vendors, or when scope, data access, or the vendor's controls change. Keeping each review as an auditable record makes the next cycle a re-check rather than a restart.