Question: Are supplier security assessments performed with evidence review and findings tracked to closure?

Why This Matters

Paper questionnaires alone are insufficient. Evidence-based assessments validate real control operation and drive measurable improvements with partners.

Maturity

0 — Unaware
No structured assessments or evidence review.

1 — Ad Hoc
Unscoped questionnaires; no follow-up.

2 — Defined
Standard assessment packs with evidence requests.

3 — Managed
Findings logged with deadlines and owners.

4 — Integrated
Findings linked to risk register and contract obligations.

5 — Optimized
Continuous assurance via shared dashboards and attestations.

How to Level Up

From → To	Actions
0 → 1	Adopt a baseline questionnaire (security + privacy).
1 → 2	Request artifacts: policies, test reports, certificates.
2 → 3	Create finding log with severity and due dates.
3 → 4	Tie findings to contractual CAPA and risk entries.
4 → 5	Enable periodic re-testing and automated reminders.

Enablers

People: Security Assessor, Vendor Owner, Legal
Process: Request → Review → Record → Remediate
Technology: GRC/TPRM tool, evidence vault, workflow engine

Evidence

Completed assessments with artifacts
Findings/CAPA tracker
Re-assessment records

KPIs

Number of assessments completed this quarter
Percentage of findings closed on time
Average time to close critical findings

Low-Cost / Open-Source Options (MSME)

Purpose	Tool	Notes
Assessments	Google Forms + Drive	Request and store artifacts
Tracker	Airtable / Odoo	Findings and CAPA workflow
Dashboards	Metabase	Aging, closure trend

Common Pitfalls

Accepting certificates without scope review
No verification of remediation
Assessments not repeated at renewal

Compliance Mapping

Standard	Clauses / Notes
ISO/IEC 27001	A.5.19 (Monitoring supplier services)
NIST CSF 2.0	ID.SC-06/07
DPDP Act 2023	Processor assurance and accountability
NIRMATA Mapping	SC-Q04 enforces evidence-backed supplier assurance.