u/Big-Razzmatazz3034

Small security team (just 2 of us) — what's the minimum you do for vendor risk assessments

Hey all, looking for some practical, real-world advice on vendor risk assessment. I work at a small company in a non-regulated industry and handle vendor risk assessment as part of my job.

We currently have quite a lot of vendors onboarded and are now starting to think about the risks we may have, but have no idea what we actually need to check before letting a vendor in. What's the stuff you'd feel genuinely uncomfortable skipping, versus the stuff that's just box-ticking that nobody actually uses?

Is there a short questionnaire you've settled on? A handful of contract clauses you always insist on? Specific red flags in vendor responses that make you walk away? Anything that has saved you in hindsight?

We're trying to set up a simple workflow — something where if something goes wrong, we can at least show we did the reasonable and sensible things given our size and constraints.

Appreciate any real-world experience you are willing to share. Thanks in advance!

reddit.com