
Vendor risk management

Know who has access to your data — and whether to trust them with it. Effectiveness improves significantly with a mature GRC platform vendor module. Pairs best with GRC Configuration or an active vCISO subscription.

Your vendors are your risk surface

SOC 2 CC9.2 (assessing and managing risks from vendors and business partners) and ISO 27001 Annex A.15 (supplier relationships; A.5.19–A.5.23 in the 2022 revision) both require documented vendor risk management. Beyond compliance, vendor risk is a real operational concern: if a critical SaaS vendor is breached and your MSA carries no security requirements (or no BAA, where HIPAA applies), you are exposed in ways that auditors will find and enterprise customers will ask about.

The Starter tier is a one-time project — a foundational vendor inventory and risk tiering. Growth and above are monthly retainers for ongoing vendor monitoring and questionnaire management.

Pricing tiers

Starter
$2,200–$4,200
one-time project · 12–22 hrs · 2–3 weeks
Overage: $185/hr · 1 results briefing + 30-day email Q&A
  • Vendor inventory build (complete audit of all third-party tools and services)
  • Vendor risk tiering (Critical / High / Medium / Low)
  • Initial vendor risk questionnaire (standard template)
  • Top 10 high-risk vendor findings
  • GRC platform vendor module setup (Drata or Vanta)
Growth · Most popular (retainer)
$1,600–$3,200
per month retainer · Up to 10 vendor reviews/month · Onboard: 1–2 weeks
Overage: $195/hr · Monthly review call + Slack + quarterly risk report
  • Everything in Starter
  • Ongoing vendor reviews (up to 10/month)
  • Vendor questionnaire management (send, track, follow up)
  • Contractual risk review guidance (DPAs, MSAs, security addenda)
  • Vendor risk register maintenance (monthly updates)
  • New vendor onboarding checklist and approval workflow
  • Monthly vendor risk summary report
Professional
$3,200–$5,800
per month retainer · Up to 25 vendor reviews/month · Onboard: 1 week
Overage: $195/hr · Quarterly board-ready report included
  • Everything in Growth
  • Up to 25 vendor reviews per month
  • Fourth-party risk identification (your vendors’ vendors for critical-tier)
  • Critical vendor deep-dives (annual, Tier 1 vendors)
  • Vendor security incident monitoring and notification
  • Contract language guidance (security SLAs, breach notification requirements)
  • Quarterly board-ready vendor risk report
  • SOC 2 and ISO 27001 evidence mapping
Enterprise
$5,800–$9,500+
per month retainer · Unlimited reviews · Named advisor · Onboard: 3–5 days
Overage: $225/hr for M&A scope · M&A vendor risk: $5K–$15K per acquisition target
  • Everything in Professional
  • Unlimited vendor reviews
  • Vendor risk program governance documentation
  • Regulatory-specific requirements (HIPAA BAA chain, GDPR sub-processor registry)
  • Vendor risk escalation and remediation workflow
  • Annual vendor risk program maturity assessment
  • Cyber insurance vendor risk documentation

Bundle recommendation

  • Bundle with vCISO Growth — vendor risk becomes part of the monthly security program at a lower combined cost
  • Add HIPAA or GDPR support — vendor contracts require specific data protection clauses under both frameworks
