Free Download · Vendor / TPRM Assessment
The complete vendor risk assessment checklist
Twenty-eight due-diligence controls across eight domains, aligned to Shared Assessments SIG Lite + SIG Core, with CSA STAR cross-mapping, 4th-party / sub-processor coverage, and NYDFS Part 500.11 + EU DORA Article 28 + OCC Heightened Standards alignment. Built for CISOs, vendor risk managers, procurement, and internal audit running TPRM at scale without a 200-question intake every vendor abandons.
No credit card · No call required · Instant link
What's inside
Twenty-eight due-diligence controls across eight domains, organized the way regulators review them
The checklist is structured around the eight risk domains every TPRM program is held to during a NYDFS, OCC, EBA, or DORA exam. Each control is mapped to its SIG Lite question, its SIG Core deep-dive, and its CSA STAR control reference, so the evidence collected for a single completed line can be reused across all three frameworks rather than requested three times.
Onboarding
Vendor Onboarding · Intake + Tiering
- ONB-1 · Business justification + sponsor accountability
- ONB-2 · Criticality tiering (Tier 1 / 2 / 3) by data sensitivity + spend + replaceability
- ONB-3 · Right-sized due-diligence depth driven by tier
- ONB-4 · Master-services + DPA + BAA + SLA contract terms reviewed
Information Security
SIG Lite · Information Security
- IS-1 · SOC 2 Type II + ISO 27001 attestations on file (date, scope, exceptions)
- IS-2 · Encryption in transit (TLS 1.2+) and at rest (AES-256) for all customer data
- IS-3 · Identity + access management (MFA, least privilege, quarterly reviews, JML)
- IS-4 · Vulnerability + patch management (cadence, CVSS thresholds, pen-test annually)
- IS-5 · Incident response (24-hour notification clause + breach playbook)
Privacy
GDPR Art 28 · Privacy + Data Protection
- PR-1 · GDPR Article 28 Data Processing Agreement signed + reviewed annually
- PR-2 · Data classification + minimization (only the fields actually needed)
- PR-3 · Sub-processor disclosure list (current, public, change-notification clause)
- PR-4 · Cross-border transfer mechanism (SCCs, UK IDTA, adequacy decision, DPF)
Resilience
Operational Resilience
- OR-1 · Business Continuity Plan (RTO + RPO documented, tested annually)
- OR-2 · Disaster Recovery (multi-region, tested failover, evidence available)
- OR-3 · Financial stability (D&B / Bloomberg, going-concern signals)
Compliance
Compliance + Regulatory
- CO-1 · Regulatory disclosures + ongoing license, certification, registration status
- CO-2 · Sanctions + watchlist screening (OFAC, UN, EU, UK consolidated)
- CO-3 · Beneficial ownership + UBO disclosure (FinCEN CTA, AMLD6)
Sub-processor
DORA Art 28 · 4th-Party / Sub-processor Risk
- 4P-1 · Downstream processor disclosure (full chain, not just Tier 1)
- 4P-2 · Audit-rights cascade (your right to audit flows down the chain)
- 4P-3 · Concentration risk in the chain (multiple vendors, same hyperscaler)
Performance
Performance + SLA
- PF-1 · SLA monitoring (uptime, response, resolution; credits + remedies)
- PF-2 · Escalation path + named relationship owner on both sides
- PF-3 · Exit + offboarding (data return, deletion certificate, transition plan)
Concentration
Concentration + Aggregation Risk
- CR-1 · Vendor concentration (% of critical processes on a single vendor)
- CR-2 · Geographic concentration (region, country, data-residency exposure)
- CR-3 · Single-source dependencies (no viable alternate, switching cost > 12 mo)
The PDF appendix includes the Tier 1 / 2 / 3 rubric (data sensitivity × spend × replaceability) and the three-lens concentration-risk worksheet (vendor, geographic, single-source) that supports the concentration analysis expected under OCC Heightened Standards Appendix D and EU DORA Article 29. 22 pages total.
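To make the tiering and concentration mechanics concrete, here is an added worked example. It is not the checklist's own rubric or the PDF worksheet: the 1-to-3 scales, the score thresholds, the assumption that Tier 2 maps to SIG Lite, the 50% concentration threshold, and the sample vendor inventory are all constructed for illustration. What it does show is the point of 4P-3 and CR-1, that concentration has to be measured across the sub-processor chain: a vendor whose own hosting provider is the same hyperscaler as your other critical vendors adds to that hyperscaler's share even though you never contracted with it.

```python
"""Tiering (ONB-2 / ONB-3) and chain-level concentration (CR-1, CR-2, CR-3, 4P-3).

Added example, not the checklist PDF's rubric. Scales, thresholds, the Tier 2 ->
SIG Lite mapping and the inventory below are assumptions chosen to show mechanics.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    data_sensitivity: int      # 1 public .. 3 regulated (PII / PHI / card data)
    annual_spend: int          # 1 .. 3 spend band (bands are an assumption)
    replaceability: int        # 1 easy to swap .. 3 single-source, switch > 12 months
    critical_processes: int    # business-critical processes the vendor supports
    region: str                # where the data is processed / hosted
    sub_processors: list[str] = field(default_factory=list)  # direct 4th parties


def tier(v: Vendor) -> int:
    """ONB-2: Tier 1 is most critical. Assumed rubric: product of three 1..3 factors,
    plus an override so regulated data on a single-source vendor is always Tier 1."""
    score = v.data_sensitivity * v.annual_spend * v.replaceability
    if score >= 12 or (v.data_sensitivity == 3 and v.replaceability == 3):
        return 1
    return 2 if score >= 4 else 3


# ONB-3: intake depth per tier. Tier 3 = 4-control intake and Tier 1 = full SIG Core
# follow the page; Tier 2 = SIG Lite is an assumption.
INTAKE_DEPTH = {1: "SIG Core (full)", 2: "SIG Lite", 3: "4-control intake"}


def downstream(inventory: dict[str, Vendor], name: str) -> set[str]:
    """4P-1: every provider reachable from a vendor, following sub-processors that are
    themselves vendors in the inventory. External names (hyperscalers) are leaves."""
    seen: set[str] = set()
    stack = list(inventory[name].sub_processors)
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in inventory:                      # chain continues through a known vendor
            stack.extend(inventory[p].sub_processors)
    return seen


def concentration(inventory: dict[str, Vendor], transitive: bool = True) -> dict[str, float]:
    """CR-1 / 4P-3: share of critical processes that ultimately depend on each provider.
    transitive=False gives the direct-vendor-only view the checklist warns against."""
    total = sum(v.critical_processes for v in inventory.values())
    load: dict[str, int] = defaultdict(int)
    for v in inventory.values():
        providers = downstream(inventory, v.name) if transitive else set(v.sub_processors)
        for p in providers:
            load[p] += v.critical_processes
    return {p: n / total for p, n in load.items()}


def geographic_concentration(inventory: dict[str, Vendor]) -> dict[str, float]:
    """CR-2: share of critical processes hosted in each region."""
    total = sum(v.critical_processes for v in inventory.values())
    load: dict[str, int] = defaultdict(int)
    for v in inventory.values():
        load[v.region] += v.critical_processes
    return {r: n / total for r, n in load.items()}


def worksheet(inventory: dict[str, Vendor], threshold: float = 0.5) -> list[str]:
    """Three-lens findings: chain, geography, single-source. The threshold is assumed."""
    findings = []
    for p, share in sorted(concentration(inventory).items(), key=lambda kv: -kv[1]):
        if share >= threshold:
            findings.append(f"CR-1/4P-3 chain concentration: {share:.0%} of critical processes depend on {p}")
    for r, share in geographic_concentration(inventory).items():
        if share >= threshold:
            findings.append(f"CR-2 geographic concentration: {share:.0%} of critical processes in {r}")
    for v in inventory.values():
        if v.replaceability == 3 and v.critical_processes:
            findings.append(f"CR-3 single-source: {v.name} (Tier {tier(v)}, no viable alternate)")
    return findings


# Constructed sample inventory (fictional vendors and providers).
INVENTORY = {v.name: v for v in [
    Vendor("PayOps SaaS",            3, 3, 2, 4, "EU", ["Hyperscaler-A"]),
    Vendor("Core Banking Hosting",   3, 3, 3, 5, "US", ["Hyperscaler-A"]),
    Vendor("HR Payroll",             3, 2, 2, 1, "US", ["Hyperscaler-B"]),
    Vendor("Logo Merch Vendor",      1, 1, 1, 0, "US", []),
    Vendor("Card Issuing Processor", 3, 2, 3, 3, "EU", ["PayOps SaaS"]),  # reaches Hyperscaler-A only via PayOps
    Vendor("Fraud Scoring API",      3, 1, 2, 2, "EU", ["Hyperscaler-A"]),
]}

if __name__ == "__main__":
    for v in INVENTORY.values():
        print(f"{v.name:24} Tier {tier(v)} -> {INTAKE_DEPTH[tier(v)]}")
    print("direct only:", {p: f"{s:.0%}" for p, s in concentration(INVENTORY, transitive=False).items()})
    print("full chain: ", {p: f"{s:.0%}" for p, s in concentration(INVENTORY).items()})
    for line in worksheet(INVENTORY):
        print(line)
```

Run as a script, the direct-vendor view puts 73% of critical processes on Hyperscaler-A, while the chain view puts 93% there, because the card-issuing processor's own hosting dependency on PayOps SaaS is counted. That gap is the concentration risk a Tier-1-only inventory never surfaces.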
Why use this checklist
Built for the regulator, the questionnaire, and the 5,000-vendor inventory
TPRM doesn't scale on spreadsheets. The average enterprise now manages 5,000+ vendors, and the Shared Assessments SIG question set runs to 850+ items in SIG Core (with 350+ in SIG Lite). Sending a flat 200-question intake to every vendor is how programs end up with 38% completion rates and zero usable risk scores. The checklist is organized around the eight domains every regulator reviews, with tiering rules so Tier 3 logo vendors get a 4-control intake and Tier 1 cloud-infra vendors get the full SIG Core. That's the difference between a TPRM program that finishes and a backlog that never closes.
4th-party risk is where the breach actually lives. More than 60% of reported third-party breaches now involve a sub-processor or downstream vendor: the entity your direct vendor depends on rather than the one you contracted with. The checklist forces sub-processor disclosure, audit-rights cascade, and concentration analysis at the chain level, not just at the contracted Tier 1 vendor. The same logic underpins the EU DORA Article 28 requirements on ICT third-party risk and the NYDFS Part 500.11 third-party service provider security policy that every covered financial institution must maintain.
Regulators are converging. NYDFS Part 500.11 (Third Party Service Provider Security Policy), EU DORA Article 28 (ICT third-party risk in financial services, applicable from 17 January 2025), and the OCC Heightened Standards (Appendix D guidelines for large banks) now require risk-based tiering, ongoing monitoring, exit strategies, and concentration analysis. The checklist mirrors that converged expectation in one document, so a single completed assessment supports a NYDFS examination, a DORA audit, and an OCC matters-requiring-attention follow-up without three different intakes.
Who is it for
Three roles, one checklist
CISO + Vendor Risk Manager
Owns the third-party security policy required by NYDFS Part 500.11, the supply-chain risk practices described in NIST SP 800-161, and the SOC 2 / ISO 27001 attestation review queue across 1,000+ vendors.
Outcome · Walk into the next NYDFS or DORA exam with a tiered, evidenced inventory and a 4th-party chain that's actually documented, not a spreadsheet of expired SOC 2 dates.
Procurement + Strategic Sourcing
Owns vendor onboarding, contract terms, and the right-sized due-diligence depth that keeps Tier 3 logo intakes at 4 controls and Tier 1 cloud-infra intakes at full SIG Core.
Outcome · Replace the 200-question PDF every vendor abandons with a tiered intake that closes in days, not months, and feeds the same evidence into legal, security, and finance.
Compliance + Internal Audit
Owns the regulatory cross-walk between SIG, CSA STAR, NYDFS Part 500.11, EU DORA Article 28, OCC Heightened Standards, and GDPR Article 28 sub-processor disclosure.
Outcome · Use the checklist as the readiness diagnostic that gates the formal TPRM audit, with a single mapping to all six frameworks instead of one per regulator.
Common questions, answered
The FAQ covers what's in the checklist, how SIG Lite vs SIG Core depths apply by tier, CSA STAR cross-mapping, 4th-party / sub-processor coverage, NYDFS Part 500.11 + EU DORA Article 28 alignment, and concentration-risk scoring.
Beyond the checklist
Run TPRM + ISO + SOC 2 on one platform?
The PDF is the readiness diagnostic. The platform runs continuous TPRM with risk-based tiering, SIG + CAIQ + NIST 800-161 question libraries, SOC 2 auto-parsing, breach + sanctions monitoring, and 39 other framework libraries (ISO 27001, SOC 2, NYDFS Part 500, DORA, GDPR, NIST CSF, and the rest) across every vendor and sub-processor, with the same evidence trail your auditors and examiners already accept.
Or call US: +1 941-500-4525