
Vendor Security Checklist: What to Ask Before Signing

Charles Green · 1 min read

Your vendors have access to your data, your systems, and your customers. A security breach at a vendor can become your problem fast.

Use this checklist to evaluate vendors before you sign.

Security Certifications

Start with the basics:

  • [ ] SOC 2 Type II - Verified security controls over time
  • [ ] ISO 27001 - Information security management
  • [ ] HIPAA - Required for healthcare data
  • [ ] PCI DSS - Required for payment data

Ask for current certificates, not promises of future compliance.

Data Security

Understand how your data is protected:

  • [ ] Encryption at rest - AES-256 or equivalent
  • [ ] Encryption in transit - TLS 1.2+
  • [ ] Data residency - Where is data stored?
  • [ ] Data retention - How long is data kept?
  • [ ] Data deletion - Can you request deletion?

Access Controls

Limit who can access your data:

  • [ ] Role-based access - Principle of least privilege
  • [ ] MFA required - For all users
  • [ ] SSO support - Centralized authentication
  • [ ] Audit logging - Track who accessed what

Incident Response

Know what happens when things go wrong:

  • [ ] Incident response plan - Documented procedures
  • [ ] Notification timeline - How fast will you be told?
  • [ ] Contact information - 24/7 security contact
  • [ ] Post-incident reports - Root cause analysis

Third-Party Risk

Your vendor's vendors matter too:

  • [ ] Subprocessor list - Who has access to your data?
  • [ ] Fourth-party assessment - How do they vet their vendors?
  • [ ] Change notification - Will you be told of new subprocessors?

Continuous Monitoring

Don't just check once:

  • [ ] Penetration testing - Annual third-party tests
  • [ ] Vulnerability scanning - Regular automated scans
  • [ ] Security questionnaire - Annual updates

Automate Vendor Security

Manually checking vendor security is time-consuming and error-prone. Vendor Watch monitors your vendors continuously, alerting you to:

  • New data breaches
  • Compliance changes
  • Security score updates

Learn more about Vendor Watch and automate your vendor security monitoring.
