Creating + Maintaining a Vendor Management Policy

Learn how to control the security and compliance risks of your company’s third-party relationships with a robust vendor management policy.
by Rick Stevenson

September 01, 2022

A vendor management policy defines a consistent process for controlling the risks you face whenever your business works with third parties. Any interactions between your systems and those of your suppliers, customers, and contractors could open pathways through your security defenses. Controlling these risks improves security and compliance, but only if you plan ahead. 

Here is what you need to know about creating a vendor management policy.

Why Do You Need a Vendor Management Policy? 

Managing internal security risks is second nature to any company. But risks are not limited to your routers and firewalls. 

Ask yourself these questions about your outside vendors:

  • Is someone assigned to manage each vendor we work with?

  • What are my vendors’ risk management practices?

  • Do my vendors comply with privacy and data protection regulations?

  • How many third parties have access to my networks?

  • Could hackers use a third-party network to penetrate our defenses? 

A vendor management policy answers these questions and more. Every third-party relationship falls under the same security and risk management rules. Those rules make it possible to verify your vendors’ security practices and help you manage the risk within your supply chain.

A more rigorous approach limits vendor access to critical systems while implementing the controls you need to keep those systems safe.


Bringing all third-party relationships under the same management policy makes your business more efficient and lets you proactively address vendor performance. Your assessment of third-party risks gives you and your vendors a chance to close security gaps before the relationship begins. Ongoing monitoring lets you spot and mitigate new security gaps before they become more significant issues.

In addition, your company may be subject to regulations such as HIPAA or GDPR, or to attestation frameworks such as SOC 2, that require organizations to manage third-party risk. A vendor management policy is the best place to start when trying to comply with these requirements.


Third parties are common sources of security breaches. Hackers stole credit card information from Target by compromising one of the retailer’s HVAC repair contractors. A supply chain attack turned SolarWinds’ network management software into a vector for penetrating networks at government agencies and major enterprises. 

Security breaches are expensive. Target spent millions remediating their networks and settling lawsuits. Businesses and governments may spend billions on repairing damage from the SolarWinds attack. Beyond the monetary impact, a security breach can trigger legal and regulatory consequences with long-lasting effects on your business—not to mention reputational damage and loss of customer trust. 

How to Create a Vendor Management Policy

Traditionally, ownership of a company’s third-party relationships is not centralized. Purchasing oversees suppliers while business units manage their own contractors. IT controls network service providers and cloud platforms. Legal and accounts payable may touch most vendors, but some fly under the radar as shadow IT.

Assembling the right team is the first step toward bringing your third-party relationships under control. You will want to include stakeholders from across your organization, including:

  • IT and security.

  • Legal and compliance.

  • Finance.

  • Business units.

  • Senior leadership.

Auditing your existing vendor relationships is the next step. Identify all contractors, suppliers, and other third parties that do business with any part of the company. Assess each vendor to understand its risk profile:

  • Does it have physical access to our facilities or logical access to our networks?

  • Does it possess and process customer or employee information?

  • What are its security and compliance policies?

  • How dependent are our daily operations on the vendor’s performance?

These and other questions will help you understand the scope and magnitude of your third-party risk. From there, you can begin developing the policies for managing that risk.

What to Include in Your Policy?

Many factors influence a company’s vendor management policies. Industry and geography, for example, determine which regulations apply. Other factors to consider for your policy include:

Internal Roles and Responsibilities

Your vendor management team’s job does not end once the policy is complete. Assign a vendor manager to each vendor. That person will oversee the vendor’s compliance with your policies and track its business performance. The team will also regularly assess vendor management policies and incorporate lessons learned.

Beyond specifying the core team’s responsibilities, the policy should clearly define how your employees contribute to vendor management. For example, which employees in the legal department evaluate vendor contracts and what are their responsibilities?

Vendor Compliance Criteria

Establish security and risk management criteria for your vendors. Your policies should specify which risks require internal controls and which your vendors must address. Blanket policies may not be appropriate since, for example, only some contractors will have physical access to your facilities or logical access to your networks. Categorizing vendors that share the same security risks into tiers can balance consistency with efficiency.

Once you bring a vendor on board, you start a continual monitoring and review process. Even a slight change in a vendor’s network could compromise your defenses. Implement controls and monitoring systems appropriate for each vendor’s tier. Schedule regular compliance reviews to confirm that vendors still meet your security requirements and their service level agreements. 

Your management policies must specify how to disengage from a vendor when a contract ends. Revoke physical and logical access to your company. Recover sensitive information or certify the vendor has destroyed it. Your vendor managers will conduct the final review, finalize payments, and close out the contract.

How to Assess New Vendors

Before signing a contract, you need to know whether a potential vendor meets an acceptable risk threshold. To understand whether the vendor complies with your policies, the vendor management team will perform an assessment. How detailed this assessment needs to be depends on the degree of risk associated with the vendor’s role. 

Vendors who will have limited access to data or networks may present little risk. In that case, the team may ask the vendor to complete a simple questionnaire. Other vendors may integrate their systems with your networks or access personally identifiable information (PII) and your company’s sensitive information. 

In that case, your team will need a thorough assessment. These vendors will complete a more detailed questionnaire. They may also have to accept security audits, penetration tests, and other methods of confirming their security posture.
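The risk-based assessment described here, and the offboarding check from the Vendor Compliance Criteria section above, are the two places where a policy turns into something you can actually test. The following is an added example, not code from the original post or from Drata: it maps the audit questions from the post (network access, facility access, PII, operational dependence) to a risk tier that sets the assessment depth, then runs a simple access review that flags vendors with no assigned vendor manager and vendors whose contract has ended but whose accounts are still enabled. The vendor records, field names, and tier thresholds are assumptions constructed for the example.

```python
"""Vendor risk tiering and a post-contract access review.

Added illustration, not part of the original post. The inventory below is
constructed sample data; field names and tier rules are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    manager: Optional[str]               # internal vendor manager; None = unassigned
    network_access: bool                 # logical access to internal networks
    facility_access: bool                # physical access to facilities
    handles_pii: bool                    # stores or processes customer/employee PII
    operationally_critical: bool         # daily operations depend on this vendor
    contract_end: Optional[date]         # None = open-ended or still active
    active_accounts: List[str] = field(default_factory=list)  # accounts still enabled


def risk_tier(v: Vendor) -> str:
    """Tier from the post's audit questions: data/network reach outranks the rest."""
    if v.handles_pii or v.network_access:
        return "high"
    if v.facility_access or v.operationally_critical:
        return "medium"
    return "low"


# Assessment depth per tier (assumed mapping, mirrors the post's questionnaire/audit split).
ASSESSMENT = {
    "low": "short questionnaire",
    "medium": "detailed questionnaire plus evidence review",
    "high": "detailed questionnaire plus security audit and penetration test",
}


def required_assessment(v: Vendor) -> str:
    return ASSESSMENT[risk_tier(v)]


def review_findings(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor, issue) pairs a vendor manager must act on."""
    findings = []
    for v in vendors:
        if v.manager is None:
            findings.append((v.name, "no vendor manager assigned"))
        # Offboarding check: contract ended but logical access was never revoked.
        if v.contract_end is not None and v.contract_end < today and v.active_accounts:
            findings.append((
                v.name,
                f"contract ended {v.contract_end.isoformat()} but accounts still active: "
                + ", ".join(v.active_accounts),
            ))
    return findings


# Constructed sample inventory (not real vendors or accounts).
VENDORS = [
    Vendor("hvac-repair-co", manager="j.doe", network_access=True, facility_access=True,
           handles_pii=False, operationally_critical=False,
           contract_end=date(2022, 6, 30), active_accounts=["svc-hvac-remote"]),
    Vendor("office-catering", manager=None, network_access=False, facility_access=False,
           handles_pii=False, operationally_critical=False, contract_end=None),
    Vendor("payroll-saas", manager="a.lee", network_access=False, facility_access=False,
           handles_pii=True, operationally_critical=True, contract_end=None),
]

REVIEW_DATE = date(2022, 9, 1)  # assumed review date for the sample run


def run_review() -> List[Tuple[str, str]]:
    return review_findings(VENDORS, REVIEW_DATE)


if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:16} tier={risk_tier(v):6} assessment={required_assessment(v)}")
    for name, issue in run_review():
        print(f"FINDING {name}: {issue}")
```

The tiering deliberately treats any network or PII access as high risk regardless of contract size, since the Target breach came through a contractor whose business relationship was small but whose network access was real. The offboarding check is the kind of control that should run on a schedule against your identity provider rather than once at contract close, because accounts that were missed at close-out stay missed.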

Third parties are an under-appreciated source of risk. Their poor security practices could compromise your networks and expose your business to considerable financial, legal, and regulatory consequences. 

Vendor management policies bring third-party risk under control, but only if you have the systems to monitor vendor compliance constantly. Contact Drata for a demonstration of our security and compliance automation platform.

Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.