A supplier risk assessment is the process of evaluating the security, compliance and operational risks of engaging a third-party supplier, both before the contract is signed and throughout the business relationship. It typically involves reviewing the supplier's security certifications, policies, incident history, financial stability and data processing practices, supported by questionnaires, audits or independent assessment reports such as SOC 2. Because questionnaires are self-reported and certifications and audit reports describe a point in time and a defined scope, the assessor should check that the scope actually covers the service being purchased and the systems that will hold the organisation's data, and should note any exceptions the auditor raised.
Supplier risk assessments are a core requirement of ISO 27001, whose Annex A controls cover supplier relationships, and are increasingly mandated by data protection regulations: the GDPR, for example, allows controllers to use only processors that provide sufficient guarantees of appropriate technical and organisational measures. Organisations should establish a risk-based tiering system in which the depth and frequency of assessment depend on the criticality of the service and the sensitivity of the data the supplier handles, so that a supplier with privileged access to production systems or personal data is assessed more thoroughly and more often than one providing a low-risk commodity service. Regular reassessment, and event-driven reassessment after a supplier incident, a change of ownership or a change in the scope of the service, ensures that supplier risk profiles remain current as business relationships and threat landscapes evolve.