Key Takeaways
- Vendor risk is the dominant supply chain attack vector. SolarWinds, MOVEit, Kaseya, 3CX and many less-publicised incidents all originated through a trusted vendor.
- Vendor classification: tier by data sensitivity and access. Tier 1 (deep access to critical systems / data), Tier 2 (limited access), Tier 3 (minimal data exposure).
- Due diligence questionnaire: standardised questionnaire matched to vendor tier. CAIQ, SIG, custom internal versions all in use.
- Contractual clauses: cyber requirements, audit rights, incident notification, exit data destruction, indemnity.
- Ongoing monitoring: annual reattestation, continuous monitoring services (SecurityScorecard, BitSight, RiskRecon), incident-trigger reviews.
Why Vendor Risk Matters
Modern Indian businesses depend on dozens to thousands of third-party vendors. A typical 200-person Indian SaaS company has 80 to 150 active SaaS vendors. A typical mid-size bank has hundreds of IT vendors. Each is a potential breach vector.
Notable third-party-origin incidents: SolarWinds Orion supply-chain attack (2020), Kaseya VSA ransomware-via-MSP (2021), Log4Shell affecting hundreds of vendors (2021), MOVEit Transfer mass exploitation (2023), 3CX VoIP supply chain (2023), plus many less-publicised incidents at Indian customers. RBI, SEBI, IRDAI and DPDP all now explicitly emphasise third-party cyber accountability.
Vendor Classification by Risk Tier
Not every vendor needs the same due diligence depth. Classify by data sensitivity and access level. Our recommended three-tier model:
Tier 1 (Critical): vendors with deep access to critical systems or sensitive data. Cloud providers, EHR vendors, core banking platforms, payment processors, identity providers, MSSPs. Full due diligence: SIG or equivalent questionnaire, evidence review, on-site or virtual audit, ongoing monitoring.
Tier 2 (Material): vendors with limited access to non-sensitive data or systems. SaaS tools used by departments, communication platforms, productivity SaaS. Standard due diligence: short-form questionnaire, ISO 27001 or SOC 2 attestation, annual reattestation.
Tier 3 (Low risk): vendors with minimal data exposure. Office supplies, facility services, marketing collateral printers. Lightweight due diligence: basic vendor record, contract review.
Due Diligence Questionnaire
Standardised questionnaires reduce friction and improve comparability. Common options: CAIQ (Consensus Assessments Initiative Questionnaire from Cloud Security Alliance), SIG (Shared Assessments Standardized Information Gathering questionnaire, full and Lite versions), internal custom questionnaire mapped to the organisation's specific control library.
Indian organisations commonly use SIG Lite for Tier 2 and SIG Full or custom questionnaire for Tier 1. Tier 3 typically uses a vendor record card without full questionnaire.
Evidence collection beyond the questionnaire: ISO 27001 certificate, SOC 2 report (Type 2 preferred), PCI DSS AOC, HIPAA BAA, recent VAPT summary, IR plan evidence, business continuity testing evidence. Codesecure helps clients structure their TPRM evidence pack to satisfy auditor and inspector expectations.
Contractual Cyber Clauses
Vendor contracts must include cyber-specific clauses. Standard provisions:
Security commitments: required controls (MFA, EDR, encryption, etc.) defined in the contract or by reference to a standard.
Incident notification: vendor notifies customer within X hours of becoming aware of a security incident affecting customer data or systems. X is typically 24 to 72 hours; tighter for regulated entities.
Audit rights: customer right to audit vendor or request third-party audit reports.
Data location: where customer data is stored and processed; restrictions on cross-border transfer where applicable.
Subcontractor approval: vendor must obtain approval before subcontracting customer data processing.
Exit obligations: data return or destruction at termination with certification.
Indemnity: vendor indemnifies customer for losses arising from vendor cyber failure.
Liability cap: realistic cap on vendor liability. Pure cyber damages can exceed liability caps; customer absorbs the excess.
Vendor VAPT and Penetration Testing
For Tier 1 vendors handling sensitive data or providing critical systems, customers increasingly require recent VAPT evidence as part of due diligence. Some customers commission their own pentest of the vendor's environment (with vendor cooperation and contractual right) for the highest-tier engagements.
Codesecure delivers third-party-facing VAPT for vendor environments where the vendor wishes to demonstrate posture to customers, and customer-facing VAPT of vendor environments where the customer has audit rights. The two engagement models produce comparable evidence with different scoping conversations.
Ongoing Monitoring
Vendor cyber posture changes between annual reattestations. Continuous monitoring services (SecurityScorecard, BitSight, RiskRecon, Panorays) score vendor posture based on observable external signals: exposed services, certificate hygiene, DNS configuration, patch posture, breach history, dark web presence.
These services are useful as early-warning indicators but should not replace formal due diligence. Sudden score drops trigger investigation. Trends inform reattestation conversations. Some customers integrate vendor risk scores into vendor management systems.
Triggered reviews: any vendor incident, any reported breach, any significant vendor M&A, any contract renewal. These trigger out-of-cycle reattestation.
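The triage logic described above, as an added example that is not part of the original article or of any monitoring vendor's product: it combines the tier cadence stated on this page (annual for Tier 1, 1 to 2 years for Tier 2, longer for Tier 3, where the 3-year Tier 3 value is an assumption), the named trigger events, and a simple sudden-drop check over constructed external scores. Vendor names, dates and scores are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Reattestation cadence per tier in days, following the cadence this page gives
# (annual for Tier 1, 1 to 2 years for Tier 2, longer for Tier 3; the Tier 3 value is assumed).
CADENCE_DAYS = {1: 365, 2: 730, 3: 1095}
# Events the page names as out-of-cycle reattestation triggers.
TRIGGERS = {"incident", "breach", "vendor_m&a", "contract_renewal"}
AS_OF = date(2025, 2, 1)  # constructed "today"

@dataclass
class Vendor:
    name: str
    tier: int
    last_attested: date
    scores: list = field(default_factory=list)  # (date, score) from a monitoring service, oldest first
    events: list = field(default_factory=list)  # trigger events seen since the last attestation

def sudden_drop(scores, window_days=30, threshold=10):
    """Return (before, after) for the first fall of >= threshold points within window_days, else None."""
    for i, (d1, s1) in enumerate(scores):
        for d2, s2 in scores[i + 1:]:
            if (d2 - d1).days > window_days:
                break
            if s1 - s2 >= threshold:
                return (s1, s2)
    return None

def review_reasons(v, today=AS_OF):
    """List why a vendor needs attention now: scheduled cadence, a named trigger, or a score drop."""
    reasons = []
    due = v.last_attested + timedelta(days=CADENCE_DAYS[v.tier])
    if today >= due:
        reasons.append(f"scheduled reattestation due {due.isoformat()}")
    reasons += [f"out-of-cycle review: {ev}" for ev in v.events if ev in TRIGGERS]
    drop = sudden_drop(v.scores)
    if drop:
        reasons.append(f"investigate score drop {drop[0]} -> {drop[1]}")
    return reasons

# Constructed vendor records; names, scores and dates are illustrative only.
VENDORS = [
    Vendor("payments-core", 1, date(2024, 1, 15), [(date(2025, 1, 5), 85), (date(2025, 1, 15), 84), (date(2025, 1, 25), 83)]),
    Vendor("team-chat", 2, date(2024, 6, 1), [(date(2025, 1, 1), 80), (date(2025, 1, 10), 79), (date(2025, 1, 20), 65)], ["contract_renewal"]),
    Vendor("print-shop", 3, date(2023, 3, 1)),
]

def triage(vendors=VENDORS, today=AS_OF):
    """Map each vendor to the reasons it needs a review as of today (empty list means nothing due)."""
    return {v.name: review_reasons(v, today) for v in vendors}
```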
Vendor Offboarding Security
Vendor offboarding is often handled by procurement or finance, and security is pulled in late or not at all. The result is access that persists beyond contract end, data that is not destroyed, and orphaned integrations.
Recommended offboarding checklist: confirm all customer data is returned or destroyed with certification, revoke all access credentials and API keys, remove vendor from SSO and IdP, decommission any vendor-controlled infrastructure, archive contracts and evidence, conduct internal review of what worked and what did not.
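One way to catch the first of those failure modes, persisting access, as an added example that is not part of the original article: an audit that joins a constructed vendor register (contract end dates) against a constructed IdP and API-gateway inventory and flags principals still enabled after the vendor's contract ended, with post-contract use ranked highest. All identifiers, vendors and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed vendor register: vendor -> contract end date (None while the contract is live).
CONTRACT_END = {"ehr-vendor": date(2024, 11, 30), "chat-saas": None, "msp-one": date(2025, 1, 10)}
AS_OF = date(2025, 2, 1)  # constructed "today"

@dataclass
class Principal:
    ident: str                  # SSO user, service account or API key id
    vendor: str                 # vendor the principal was issued to
    kind: str                   # "sso_user" | "service_account" | "api_key"
    enabled: bool
    last_used: Optional[date]   # None if never used or usage is not tracked

# Constructed IdP / API-gateway inventory; values are illustrative only.
INVENTORY = [
    Principal("svc-ehr-sync", "ehr-vendor", "service_account", True, date(2025, 1, 20)),
    Principal("ak_7f3c", "ehr-vendor", "api_key", True, None),
    Principal("jdoe@ehr-vendor.example", "ehr-vendor", "sso_user", False, date(2024, 11, 12)),
    Principal("ops@chat-saas.example", "chat-saas", "sso_user", True, date(2025, 1, 28)),
    Principal("ak_msp_backup", "msp-one", "api_key", True, date(2025, 1, 9)),
    Principal("ak_legacy", "old-printer-co", "api_key", True, None),
]

def orphaned_access(inventory, contract_end, today):
    """Return (ident, kind, reason) for every enabled principal that should have been revoked.
    Reasons: used-after-contract-end (worst), enabled-after-contract-end, vendor-not-in-register."""
    findings = []
    for p in inventory:
        if not p.enabled:
            continue  # already revoked; nothing to do
        if p.vendor not in contract_end:
            findings.append((p.ident, p.kind, "vendor-not-in-register"))
            continue
        end = contract_end[p.vendor]
        if end is None or today <= end:
            continue  # contract still live
        used_after_end = p.last_used is not None and p.last_used > end
        reason = "used-after-contract-end" if used_after_end else "enabled-after-contract-end"
        findings.append((p.ident, p.kind, reason))
    return sorted(findings)
```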
RBI Master Direction on Outsourcing of IT Services explicitly addresses exit. Regulated entities must demonstrate orderly exit capability for any IT outsourcing arrangement. Inspections sample this.
Frequently Asked Questions
How many vendors should we be doing full due diligence on?
Tier 1 vendors (deep access, critical data) need full due diligence. A typical Indian mid-size enterprise has 20 to 60 Tier 1 vendors, 50 to 200 Tier 2 vendors that get lighter due diligence, and a basic vendor record for the Tier 3 long tail.
Can we share vendor due diligence with peer companies?
Sharing the questionnaire content directly is usually restricted. Shared assessment platforms (SIG Manager, OneTrust, ProcessUnity) host vendor responses that participating customers can access. Some vendors maintain a 'trust portal' with attestation evidence available to all customers under NDA.
How often should we reattest vendors?
Annually for Tier 1, every 1 to 2 years for Tier 2, longer cycles for Tier 3. Plus incident-triggered out-of-cycle reattestation, plus contract-renewal-triggered review.
What if a vendor refuses to provide attestation?
Common with small vendors who do not have formal compliance programmes. Options: accept the risk and document it, find an alternative vendor, or work with the vendor on a phased improvement plan. For Tier 1 vendors, refusal is generally a deal-breaker.
Does Codesecure help vendors demonstrate posture to customers?
Yes. Codesecure delivers vendor-side compliance programmes that produce the attestation pack (ISO 27001, SOC 2, customer-facing security responses) that customer security teams require. Particularly useful for Indian SaaS, IT services and BPO firms growing into enterprise customer bases.
Can Codesecure run our TPRM programme?
Yes. Codesecure delivers TPRM programme design, vendor classification, due diligence operations, ongoing monitoring integration and incident response coordination as managed service or as advisory engagement.
Make Your Supply Chain Stop Being Your Weakest Link
Codesecure delivers third-party risk management programmes for Indian regulated entities and growth-stage businesses. ISO/IEC 27001:2022 certified delivery, named consultants, integrated with RBI, SEBI, IRDAI and DPDP obligations.