PolicyForge

How to write a vendor (third-party) security policy

A vendor security policy governs how you assess and monitor suppliers who touch your data. Here is what to include (due diligence, DPAs, ongoing monitoring), with a free template.

Why third-party risk is now front and centre

Most breaches now arrive through a supplier. A vendor security policy defines how you vet, contract with and monitor the third parties who process your data or run your critical systems — and regulators (NIS2, DORA) increasingly require it.

What to include

  1. Scope — which suppliers are in scope, tiered by the risk they carry.
  2. Due diligence — security questionnaires, certifications (ISO 27001, SOC 2), and review before onboarding.
  3. Contracts — security clauses, a GDPR Article 28 Data Processing Agreement, breach-notification obligations and right to audit.
  4. Risk tiering — heavier scrutiny for suppliers with access to sensitive data or critical operations.
  5. Ongoing monitoring — periodic reassessment, not a one-off check at signing.
  6. Offboarding — data return or deletion, and access revocation when a contract ends.
  7. Register — maintain an up-to-date inventory of suppliers and their risk.

Common mistakes

  • Assessing a vendor once at signing and never again.
  • No DPA in place with processors, which is a direct GDPR Article 28 gap.
  • No supplier register, so no one knows who has access to what.

Framework alignment

The policy maps to ISO 27001:2022 Annex A controls 5.19–5.22 (supplier relationships) and to the SOC 2 trust services criteria, and it supports the third-party risk requirements of NIS2 and DORA.

Generate it in minutes

See a sample vendor security policy or generate yours free.