Question: Are supplier risk tiers defined with corresponding security requirements and assessment depth?
Why This Matters
Not all vendors pose equal risk. Tiering ensures proportionate due diligence while conserving time and budget for the highest-impact suppliers.
Maturity
0 — Unaware
No tiering; same checklist for everyone (or none).
1 — Ad Hoc
“Critical” label used inconsistently.
2 — Defined
Tiers set by data sensitivity and business impact.
3 — Managed
Depth of assessment and evidence mapped per tier.
4 — Integrated
Tier automatically assigned via intake questionnaire.
5 — Optimized
Tiering adapts over time using incident and performance data.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Draft simple criteria: data handled, system access, criticality. |
| 1 → 2 | Approve tiering policy (Critical/High/Standard/Low). |
| 2 → 3 | Define per-tier artifacts (SOC 2 report or ISO 27001 certificate, pen test report, IR playbook, DPA); higher tiers require more and fresher evidence. |
| 3 → 4 | Automate tier suggestion from intake form responses. |
| 4 → 5 | Recalculate tier quarterly based on events and SLA performance. |
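The 1 → 2 and 3 → 4 steps above (agree the criteria, then let the intake form propose a tier) come down to a small scoring rule, and the choice of rule matters more than the tooling. The block below is an added example, not code from the original page or from any TPRM product; the criteria names, answer values, tier labels, allowed region and the three supplier intake records are all constructed for illustration. It applies a "highest single criterion wins" rule so that one extreme exposure (a managed service provider with production admin access but no data) is not averaged down by benign answers, adds a data-residency floor so offshore processing of personal data is never below High, and fails closed when the questionnaire is incomplete or contains an unrecognised answer.

```python
"""Added example: derive a supplier risk tier from intake-form answers.

Criteria, answer values, tier names and the sample suppliers are all
assumptions made for this illustration, not a real TPRM schema.
"""
from dataclasses import dataclass, field

TIERS = ["Low", "Standard", "High", "Critical"]  # index == severity

# Criterion -> answer -> tier index. Hypothetical intake vocabulary.
RULES = {
    "data_sensitivity": {
        "none": 0, "internal": 1, "personal": 2, "sensitive_personal": 3,
    },
    "system_access": {
        "none": 0, "read_only": 1, "privileged": 2, "production_admin": 3,
    },
    "business_criticality": {
        "convenience": 0, "supporting": 1, "important": 2, "core_operations": 3,
    },
}

ALLOWED_REGIONS = {"IN"}  # assumed residency requirement for personal data


@dataclass
class TierDecision:
    tier: str
    drivers: list = field(default_factory=list)  # criteria that set the tier
    notes: list = field(default_factory=list)    # rationale for the vendor record


def _score(answers):
    """Map each answer to a tier index; fail closed on missing or unknown values."""
    scores = {}
    for criterion, mapping in RULES.items():
        if criterion not in answers:
            raise ValueError(f"intake incomplete: {criterion} not answered")
        answer = answers[criterion]
        if answer not in mapping:
            raise ValueError(f"unknown answer {answer!r} for {criterion}")
        scores[criterion] = mapping[answer]
    return scores


def assign_tier(answers, allowed_regions=ALLOWED_REGIONS):
    """Highest single criterion sets the tier; residency can only raise it."""
    scores = _score(answers)
    top = max(scores.values())
    drivers = sorted(c for c, s in scores.items() if s == top)
    notes = [f"{c}={answers[c]} sets tier" for c in drivers]

    # Personal data processed outside the allowed regions is at least High
    # and needs a DPA / transfer review, so residency cannot be ignored.
    offshore = set(answers.get("processing_regions", ())) - set(allowed_regions)
    if offshore and scores["data_sensitivity"] >= RULES["data_sensitivity"]["personal"]:
        floor = TIERS.index("High")
        if top < floor:
            top = floor
            notes.append("raised to High: personal data leaves allowed regions")
        notes.append(
            f"personal data processed in {sorted(offshore)}: DPA and transfer review required"
        )
    return TierDecision(TIERS[top], drivers, notes)


def additive_tier(answers):
    """Contrast only: averaging the criteria, a common but misleading shortcut."""
    scores = _score(answers)
    return TIERS[round(sum(scores.values()) / len(scores))]


# Constructed intake responses for three fictional suppliers.
SAMPLE_INTAKE = {
    "payroll_processor": {
        "data_sensitivity": "sensitive_personal", "system_access": "read_only",
        "business_criticality": "important", "processing_regions": ["IN", "US"],
    },
    "hosting_msp": {
        "data_sensitivity": "none", "system_access": "production_admin",
        "business_criticality": "supporting", "processing_regions": ["IN"],
    },
    "newsletter_tool": {
        "data_sensitivity": "personal", "system_access": "none",
        "business_criticality": "convenience", "processing_regions": ["US"],
    },
}

if __name__ == "__main__":
    for name, answers in SAMPLE_INTAKE.items():
        decision = assign_tier(answers)
        print(f"{name}: {decision.tier} (averaging would give {additive_tier(answers)})")
        for note in decision.notes:
            print("   -", note)
```

The `hosting_msp` record shows why the rule matters: averaging its three answers lands on Standard, while the max rule puts a vendor with production admin access in Critical. Storing `drivers` and `notes` alongside the tier gives the "tier rationale" evidence item below without extra work, and any change to `RULES` should go through the same approval as the tiering policy it encodes.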
Enablers
- People: Security Assessor, Business Owner, Legal
- Process: Intake → Tier → Assess → Decide
- Technology: Forms/workflow engine, GRC/TPRM, evidence vault
Evidence
- Tiering policy and decision matrix
- Sample vendor records showing tier rationale
- Per-tier requirement checklist
KPIs
- Number of vendors per tier
- Percentage of vendors whose tier changed at the quarterly re-tiering review (a figure of zero for several quarters usually means re-tiering is not happening)
- Percentage of critical-tier vendors with completed enhanced assessment evidence (e.g., current pen test report) on file
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Forms | Google Forms + Apps Script | Auto scoring to tiers |
| Register | Airtable | Tier, owner, last review |
| Evidence | Nextcloud | Per-tier folder templates |
Common Pitfalls
- Everyone marked “critical” to skip approvals
- Criteria ignore data residency or privacy scope
- No periodic re-tiering
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements) |
| NIST CSF 2.0 | GV.SC-04 (suppliers known and prioritized by criticality); corresponds to ID.SC-01/02 in CSF 1.1 |
| DPDP Act 2023 | Section 8: the Data Fiduciary remains responsible for processing done by Data Processors it engages, so due diligence should scale with the personal data shared |
| NIRMATA Mapping | SC-Q02 makes risk-based supplier controls actionable. |