
Supplier Security Onboarding Checklist

42 checks to vet every vendor before they touch your network. Based on NCSC guidance, ISO 27001:2022, GDPR Article 28, and PPN 014. Includes risk tiering model, red flag reference, and printable vendor assessment form.


The Supply Chain Threat

Your Suppliers Are Your Attack Surface

Third-party suppliers now account for over a third of all data breaches. Most organisations have no structured process for vetting the vendors who access their systems, data, and infrastructure.

  • Third-Party Breaches: share of all data breaches in 2024 that originated from third-party compromises (SecurityScorecard 2025).
  • Average Cost: $4.91M, the average cost of a supply chain breach, the second costliest breach vector (IBM 2025).
  • Detection Time: average time to identify and contain a third-party breach, longer than any other vector.
  • UK Readiness: share of UK businesses that formally review supplier cyber risks before onboarding (DCMS 2025).

What You Get

42 checks across 10 sections. Print it. Pin it to the wall. Use it every time you onboard a vendor.

42 CHECKS

Every check a procurement or IT team should complete before granting vendor access. Grouped by security domain.

RISK TIERING MODEL

Four-tier classification (Critical, High, Standard, Low) with defined assessment depths for each tier.

RED FLAG REFERENCE

Quick-reference table mapping green flags to red flags across 7 security domains. Know when to stop onboarding.

MATURITY SCORING

Score each section as Mature, Developing, or Critical Gap. See exactly where your vendors are strong and where the risks are.

ASSESSMENT FORM

Printable vendor assessment summary with section scores, findings, decision checkboxes, and sign-off fields.

REGULATORY MAPPING

Aligned to NCSC Supplier Assurance, ISO 27001:2022, GDPR Article 28, PPN 014, DORA, and NIS2.

10 Sections. Zero Gaps.

Every domain of vendor security covered, from initial classification to post-onboarding monitoring.

  1. Risk Tier Classification (4 checks): Critical, High, Standard, Low
  2. Security Governance (5 checks): CE, ISO 27001, named security lead
  3. Data Protection (6 checks): Encryption, MFA, data residency
  4. Access Controls (3 checks): RBAC, PAM, leavers process
  5. Technical Security (6 checks): Pentest, vuln management, EDR
  6. Incident Response (4 checks): Plan, testing, notification SLAs
  7. Business Continuity (2 checks): RPO/RTO, backup testing
  8. Third-Party Risk (3 checks): Sub-processors, fourth-party risk
  9. Contract Clauses (7 checks): Audit rights, breach clauses, deletion
  10. Post-Onboarding (2 checks): Reassessment, cert tracking

Onboarding a vendor next week?

If you can only do three things, do these. They would have prevented the majority of third-party breaches in the last two years.

  1. Verify Cyber Essentials. Check at iasme.co.uk, not by trusting a logo on their website. A lapsed certificate is the same as no certificate.
  2. Ask for the CREST pentest report. Dated within 12 months. Relevant to the services they provide you. Critical findings remediated with evidence.
  3. Confirm MFA is enforced. Not available. Enforced. On all accounts, including administrator accounts. 70% of third-party breaches involve excessively privileged vendor accounts.
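The three checks above are pass/fail gates, and they are easy to get wrong in practice when evidence is collected by hand: a certificate that has lapsed, a pentest report that is eleven months old but scoped to a different service, or MFA that is "available" but not enforced for administrators. The following Python is an added example, not part of the checklist or any vendor's tooling, that encodes those gates as a pre-onboarding decision over a vendor evidence record. The VendorEvidence field names, the two constructed vendor records and the fixed "today" date are assumptions for this example; the 12-month pentest window and the lapsed-equals-missing rule come from the text above.

```python
"""Pre-onboarding gate for the three checks: current Cyber Essentials certificate,
recent in-scope pentest with criticals remediated, MFA enforced on every account.
Added example; not the checklist's own tooling."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

PENTEST_MAX_AGE_DAYS = 365  # "dated within 12 months"


@dataclass
class VendorEvidence:
    """Evidence gathered during onboarding. Field names are assumptions for this example."""
    name: str
    ce_cert_expiry: Optional[date]      # None means no certificate was presented
    ce_verified_at_register: bool       # looked up at iasme.co.uk, not a logo on a website
    pentest_date: Optional[date]        # date on the CREST report, None if no report
    pentest_in_scope: bool              # report covers the services supplied to you
    pentest_open_criticals: int         # critical findings without remediation evidence
    mfa_enforced_all_users: bool        # enforced, not merely available
    mfa_enforced_admins: bool           # administrator accounts included


@dataclass
class GateResult:
    approved: bool
    blockers: List[str] = field(default_factory=list)


def evaluate(ev: VendorEvidence, today: date) -> GateResult:
    """Apply the three gates and return every blocker, not just the first one."""
    blockers: List[str] = []

    # Gate 1: Cyber Essentials. A lapsed certificate is the same as no certificate.
    if ev.ce_cert_expiry is None or ev.ce_cert_expiry < today:
        blockers.append("Cyber Essentials certificate missing or lapsed")
    elif not ev.ce_verified_at_register:
        blockers.append("Cyber Essentials certificate not verified at iasme.co.uk")

    # Gate 2: pentest report dated within 12 months, in scope, criticals remediated.
    if ev.pentest_date is None or (today - ev.pentest_date).days > PENTEST_MAX_AGE_DAYS:
        blockers.append("no pentest report dated within 12 months")
    else:
        if not ev.pentest_in_scope:
            blockers.append("pentest scope does not cover the services supplied")
        if ev.pentest_open_criticals > 0:
            blockers.append(
                f"{ev.pentest_open_criticals} critical finding(s) without remediation evidence"
            )

    # Gate 3: MFA enforced on all accounts, administrators included.
    if not ev.mfa_enforced_all_users:
        blockers.append("MFA not enforced for all user accounts")
    if not ev.mfa_enforced_admins:
        blockers.append("MFA not enforced for administrator accounts")

    return GateResult(approved=not blockers, blockers=blockers)


# Constructed sample records and a fixed assessment date so the example is repeatable.
TODAY = date(2025, 6, 1)

GOOD_VENDOR = VendorEvidence(
    name="Example Hosting Ltd (constructed)",
    ce_cert_expiry=date(2026, 1, 31), ce_verified_at_register=True,
    pentest_date=date(2025, 2, 10), pentest_in_scope=True, pentest_open_criticals=0,
    mfa_enforced_all_users=True, mfa_enforced_admins=True,
)

LAPSED_VENDOR = VendorEvidence(
    name="Example Payroll Services (constructed)",
    ce_cert_expiry=date(2025, 3, 31), ce_verified_at_register=True,   # lapsed two months ago
    pentest_date=date(2024, 4, 15), pentest_in_scope=True, pentest_open_criticals=0,  # 412 days old
    mfa_enforced_all_users=True, mfa_enforced_admins=False,          # admins exempt from MFA
)

if __name__ == "__main__":
    for vendor in (GOOD_VENDOR, LAPSED_VENDOR):
        result = evaluate(vendor, TODAY)
        print(vendor.name, "APPROVED" if result.approved else "BLOCKED")
        for reason in result.blockers:
            print("  -", reason)
```

Running the script approves the first record and blocks the second on all three gates at once, which is the behaviour you want from an intake check: the assessor sees the full list of blockers rather than chasing them one at a time.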

Who is this checklist for?

  • IT Directors managing supplier access to company systems
  • CISOs building or formalising a vendor risk management programme
  • Procurement leads who need security due diligence before signing contracts
  • Compliance officers preparing for ISO 27001, GDPR, or regulatory audits
  • Anyone who grants vendors access to their data or infrastructure

The Questionnaire Gap

  • 84% of organisations use vendor security questionnaires (Source: RiskRecon, State of TPRM 2024).
  • 4% have high confidence the answers match reality (Source: RiskRecon, State of TPRM 2024).

This checklist helps you ask the right questions. But questionnaires only record what a vendor claims; they do not verify those claims independently. To close the gap, you need independent testing.


Key Insights

The Three Checks That Matter Most

If you are onboarding a vendor next week and can only do three things: verify their Cyber Essentials cert is current, ask for a CREST pentest report dated within 12 months, and confirm MFA is enforced on all accounts. Those three alone would have prevented the majority of third-party breaches in the last two years.

Questionnaires Are Not Enough

84% of organisations use vendor security questionnaires. Only 4% have high confidence the answers match reality. 75% of vendors do not respond on time. The gap between claimed compliance and actual security posture is where breaches happen.

Contracts Are Your Last Line of Defence

Seven clauses every vendor contract needs: right-to-audit, security SLAs, breach notification (24-72 hours), data deletion on termination, annual pentest requirement, certification maintenance, and sub-contractor flow-down obligations.

Frequently Asked Questions

Everything you need to know about the Supplier Security Onboarding Checklist.