Vendor risk management for SMBs: a practical framework
Every SaaS subscription is a slice of risk you're outsourcing. How do you decide which of your 30 vendors actually deserve closer attention?
Vendor risk (or third-party risk) is the risk that a supplier causes problems for your business: a data breach, downtime, or a compliance issue. As an SMB, you simply can't give all 30 of your vendors the same level of scrutiny.

Tier classification

- Tier 1 — critical: processes personal data or is business-critical. M365, accounting, CRM, hosting.
- Tier 2 — important: supports key processes and has access to business data. Slack, design tools, payroll.
- Tier 3 — low risk: standalone tools with no customer data or essential role. LinkedIn Premium, video-editing tools.
Requirements per tier

- Tier 1: ISO 27001 or SOC 2 report (reviewed annually), DPA, uptime SLA, incident-notification agreement.
- Tier 2: DPA, basic security attestation.
- Tier 3: privacy policy check only.
Annual vendor review

- Update the vendor list from your SaaS inventory.
- Review Tier 1 vendors: is their certification still current? Any new sub-processors? Any incident history?
- Spot-check Tier 2: is the DPA still up to date?
- Report findings to management.
Onboarding a new vendor

- Determine the tier before signing the contract.
- Tier 1 vendors: conduct due diligence upfront (trust page, security questionnaire, references).
- Tier 2–3: standard DPA and privacy check.
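The tiering rule, the per-tier requirements and the annual review above can be turned into a small check that runs over your SaaS inventory. The following is an added example, not code from this guide; the vendor names, dates and evidence labels are constructed, and it assumes each vendor record carries the three classification flags plus the date each piece of evidence was last reviewed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Evidence each tier must have on file (from "Requirements per tier").
REQUIREMENTS = {
    1: {"soc2_or_iso27001", "dpa", "uptime_sla", "incident_notification"},
    2: {"dpa", "security_attestation"},
    3: {"privacy_policy_check"},
}
REVIEW_INTERVAL = timedelta(days=365)  # Tier 1 audit reports are re-reviewed annually

@dataclass
class Vendor:
    name: str
    processes_personal_data: bool = False
    business_critical: bool = False
    accesses_business_data: bool = False
    evidence: dict = field(default_factory=dict)  # evidence name -> date last reviewed

def classify(v: Vendor) -> int:
    """Tier 1: personal data or business-critical; Tier 2: access to business data; else 3."""
    if v.processes_personal_data or v.business_critical:
        return 1
    return 2 if v.accesses_business_data else 3

def review(v: Vendor, today: date) -> list:
    """Annual-review findings: evidence missing for the tier, or a stale Tier 1 report."""
    tier = classify(v)
    findings = []
    for item in sorted(REQUIREMENTS[tier]):
        reviewed = v.evidence.get(item)
        if reviewed is None:
            findings.append(f"{v.name} (tier {tier}): missing {item}")
        elif tier == 1 and item == "soc2_or_iso27001" and today - reviewed > REVIEW_INTERVAL:
            findings.append(f"{v.name} (tier {tier}): {item} last reviewed {reviewed}, stale")
    return findings

# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    Vendor("crm", processes_personal_data=True, evidence={
        "soc2_or_iso27001": date(2023, 1, 10), "dpa": date(2024, 3, 1), "uptime_sla": date(2024, 3, 1)}),
    Vendor("chat", accesses_business_data=True, evidence={"dpa": date(2024, 5, 2)}),
    Vendor("video-editor", evidence={"privacy_policy_check": date(2024, 6, 1)}),
]

def run_review(today: date = date(2024, 9, 1)) -> list:
    return [f for v in INVENTORY for f in review(v, today)]

if __name__ == "__main__":
    print("\n".join(run_review()))
```

Each finding is one line you can paste straight into the management report; a vendor with no findings needs no action until the next review.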
See also: SaaS inventory, DPAs.
Full guide: Security for SMBs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.