See Your Rating
Request a Demo
menu
Vendor Risk Management

Vendor Due Diligence Checklist: 31 Steps to Selecting a Third Party

Kim Johnson | April 23, 2019

Due diligence processes for vendor procurement vary by company, industry, and region. Some regulatory bodies dictate due diligence practices, and some industry groups have adopted standardized processes. In addition, requirements may change based on the type of vendor being assessed.

While there is no universal standard, there are certain pieces of information which all procurement and risk professionals should consider gathering while conducting vendor due diligence.

We’ve compiled this vendor due diligence checklist as an overview of the types of information that should play a role in procurement decision making. Not every item in this list is a necessity, but the more you complete, the more thoroughly you’ll be able to mitigate risk in the vendor selection process.

Third-Party Vendor Due Diligence Checklist

Basic Company Information

Collecting this information helps ensure that the company is (1) legitimate and (2) licensed to do business in your area. You’ll also want to collect information on key personnel for use in further risk assessments.

  • Articles of incorporation (or similar corporate charter)
  • Business license
  • Company structure overview
  • Biographical information of executives and Board members
  • Location (are they located in a high-risk country?)
  • Proof of location, such as photographs or an on-site visit
  • References from credible sources

[Learn how to perform a quantifiable vendor security analysis.]

Financial Information

Assessing financials isn’t as important for vendors as it would be for other due diligence targets, like potential acquisitions. However, you do want to check whether the vendor is financially solvent and paying their taxes. There’s no sense working with a vendor that won’t be in business next month. Conversely, a strong growth pattern could forecast an increase in prices down the line.

  • Tax documents
  • Balance sheets
  • Loans and other liabilities
  • Major assets
  • Compensation structure

Political & Reputational Risk

Vendors that will have access to important information or systems must be subject to an added level of scrutiny. Corruption or political weaknesses could potentially be dangerous, and their scandals could quickly become your scandals.

  • Check the organization against key watch lists, global sanctions lists, and lists published by regulators
  • Check key personnel against politically exposed persons (PEP) lists and law enforcement lists
  • Risk-related internal policies and procedures
  • Reports from agencies like the CFPB
  • Litigation history of company and individuals
  • Negative news reports
  • Complaints and negative reviews

Cyber Risk

Data breaches that originate with third parties are becoming increasingly common, and they rank among the most expensive types of cyber attacks. Though assessing third-party cyber risk is traditionally left until after procurement, there is a strong argument for its inclusion in the due diligence process.

  • BitSight Security Rating
  • Cyber risk assessment questionnaire
  • IT system outline
  • Penetration test results
  • Site visit to assess physical cybersecurity
  • History of data breaches
  • Security awareness testing performance

Operational Risk

As part of the third-party due diligence process, you’ll want to assess whether the vendor is exposed to operational risks that could negatively affect your company. One example of this type of risk would be downtime for a SaaS provider which could impact operations at the organizations in their network.

  • Disaster preparedness plan
  • Business continuity plan
  • BitSight Discover map
  • Employee turnover rates, employee lawsuits, and other indicators of toxic culture
  • Code of conduct

What’s next?

After data is collected, it must then be verified and compared with best practices and your organization’s risk appetite to determine whether a vendor relationship should be pursued.

Many of the items listed above are not limited to the due diligence process. Some, such as BitSight Security Ratings, also play a key role in ongoing vendor monitoring and third-party risk management.

Learn how to use security ratings to create a sustainable and scalable third-party risk management program. Download the ebook now.third-party vendor risk management program

Suggested Posts

Vendor Risk Management

Third-Party Risk Management Best Practices for Enterprise

Kim Johnson | October 8, 2019

Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.

READ MORE »
Third Party Data Breach

Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

Brian Thomas | October 4, 2019

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

READ MORE »
Vendor Risk Management

3 Cybersecurity IT Risk Assessment Templates

Brian Thomas | October 3, 2019

This post was originally published January 21, 2016 and has been updated for accuracy and comprehensiveness

READ MORE »
ctab-img-1@2x

CISOs have a tough job.

How can they gain buy-in to improve security program effectiveness?

Read The Guide

Subscribe to get security news and updates in your inbox.

© 2019 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security

Contact Us | BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469