Vendor onboarding security: how to vet new suppliers before they touch your network

19 March 2026 · 14 min read · Precursor Security

Vendor onboarding security is the process of evaluating a new supplier's cyber security controls, data handling practices, and compliance posture before granting them access to your organisation's systems or data. It typically includes tiered risk assessment, security questionnaires, penetration test verification, contractual safeguards, and ongoing monitoring to reduce third-party breach risk.

Why does vendor onboarding security matter more than ever?

A SaaS vendor goes live on your network. Three months later, you discover the vendor has no encryption at rest, no multi-factor authentication (MFA) enforcement, and a penetration test report from two years ago. You have no contractual clause to force remediation. This is not a hypothetical scenario. It is what happens when procurement moves faster than security vetting.

In 2024, 35.5% of all data breaches originated from third-party compromises, up from 29% in 2023 (SecurityScorecard 2025 Global Third-Party Breach Report). Supply chain compromise is the second costliest breach vector at $4.91 million on average, and these breaches take 267 days to identify and contain, longer than any other vector (IBM Cost of a Data Breach Report 2025).

Only 14% of UK businesses review the cyber security risks posed by their immediate suppliers, and only 7% review their wider supply chain (UK Government Cyber Security Breaches Survey 2025).

In April 2025, Marks & Spencer was breached after the Scattered Spider group social-engineered a third-party service desk provider. Attackers convinced support staff to reset a password without proper identity verification. The result: ransomware deployed across M&S VMware servers, operations disrupted across 1,049 stores, online sales suspended, and an estimated daily revenue loss of £3.8 million.

What should a vendor due diligence checklist cover?

A vendor onboarding checklist that asks "Do you have a security policy?" and accepts "Yes" as a sufficient answer is not due diligence. A meaningful checklist covers eight core domains.

  1. Security governance: a named Chief Information Security Officer (CISO) or security lead, with a documented policy reviewed within 12 months.
  2. Data protection: data handling, storage, and disposal procedures, alongside encryption at rest and in transit.
  3. Access controls: MFA enforcement across all accounts, plus privileged access management (PAM).
  4. Network and infrastructure security: penetration testing within 12 months by a CREST-accredited provider.
  5. Incident response: a documented plan with a committed breach notification window.
  6. Business continuity (BC): tested disaster recovery (DR) and BC plans.
  7. Third-party and fourth-party risk: sub-processor identification and equivalent security assessment.
  8. Contractual protections: right-to-audit clauses, security service-level agreements (SLAs), and data handling on termination.

The NCSC Supplier Assurance Questions provide a UK-specific framework for structuring these assessments. 51% of organisations fail to assess third parties before granting access, and 41% still use spreadsheets to manage the process (Mitratech 2025).

How do you tier vendors by risk before onboarding?

Not every supplier needs the same depth of scrutiny. A catering supplier accessing only a guest Wi-Fi network presents a different risk profile than a managed IT service provider with domain admin credentials on your Active Directory.

Tiering vendors by risk allows procurement and security teams to allocate assessment resources proportionally. A practical four-tier model works as follows.

Critical-tier suppliers have direct access to sensitive data, core infrastructure, or customer-facing systems. Assessment includes a full security questionnaire, CREST-accredited penetration test evidence, on-site audit, right-to-audit clause, and quarterly reassessment.

High-tier suppliers process personal data or connect to internal networks. Assessment includes a full questionnaire, certification verification (Cyber Essentials Plus, ISO 27001), and annual reassessment.

Standard-tier suppliers have limited data access or system integration. Assessment includes an abbreviated questionnaire and certification check.

Low-tier suppliers have no data access and no network connectivity. Assessment is limited to basic due diligence and contractual terms.

The NCSC Cyber Essentials Supply Chain Playbook recommends defining "supplier security profiles" tailored to your organisation's risk appetite. Under Procurement Policy Note (PPN) 014 (which replaced PPN 09/23 in February 2025), UK government bodies must require Cyber Essentials certification for suppliers handling personal data or IT products, with Cyber Essentials Plus, which adds independent technical verification including vulnerability testing to the self-assessment, required for higher-risk contracts.

What are the 10 security questions to ask every new supplier?

Generic questionnaires with hundreds of questions produce generic answers. These 10 questions target the specific controls that, when absent, create the conditions for a third-party breach.

  1. Do you have a named person responsible for information security? A good answer names a CISO or security lead with defined responsibilities. A red flag is "IT handles security" with no named individual.
  2. Do you hold Cyber Essentials, Cyber Essentials Plus, or ISO 27001 certification? Look for a current certificate with a verifiable number and expiry date. Be wary of expired certificates or "in progress" claims with no target date.
  3. Do you encrypt data at rest and in transit? Acceptable answers specify AES-256 at rest and TLS 1.2 or above in transit. Vague claims like "we use encryption" with no detail, or no encryption at rest, are red flags.
  4. Is MFA enforced for all user accounts? MFA should be enforced across all accounts including privileged access. MFA that is optional or not applied to admin accounts is a significant gap.
  5. When was your last penetration test, and who conducted it? The test should be within 12 months, carried out by a CREST or CHECK accredited provider, with an executive summary available. Tests older than 12 months, from non-accredited providers, or where the vendor refuses to share results should raise concern.
  6. Do you have a documented incident response plan? The plan should have been tested within 12 months, with a breach notification commitment of 72 hours or less. No plan, untested plans, or no notification window are all warning signs.
  7. Have you experienced a data breach in the past 24 months? Transparent disclosure with remediation details is a reasonable answer. Refusal to answer, or evidence of unreported breaches, is not.
  8. Do you use sub-processors or fourth parties to handle our data? You should receive a named list with security certifications and Data Processing Agreements (DPAs). No specifics or no flow-down of security requirements to sub-processors is a problem.
  9. What happens to our data when the contract ends? Look for defined return and deletion procedures with certification and timelines. No process or indefinite retention should not be accepted.
  10. Will you accept a right-to-audit clause? Agreement to audits with reasonable notice is the minimum. Refusal, or audits limited to self-reported questionnaires, should block onboarding.

How should you use the vendor security assessment decision framework?

The following decision matrix translates the checklist into pass/fail criteria that procurement teams can use in evaluation meetings. Where a vendor fails on any red flag item, onboarding should be paused until the issue is resolved.

Assessment area: Data encryption
  What to check: Encryption standards, key management, TLS version
  Minimum acceptable evidence: AES-256 at rest, TLS 1.2+ in transit, documented key management
  Red flags that should block onboarding: No encryption at rest, TLS 1.0/1.1, no key management

Assessment area: Access controls and MFA
  What to check: MFA enforcement, privileged access management
  Minimum acceptable evidence: MFA enforced on all accounts, PAM for admin access
  Red flags that should block onboarding: MFA optional, shared admin credentials, no PAM

Assessment area: Penetration testing
  What to check: Last test date, provider accreditation, remediation
  Minimum acceptable evidence: Test within 12 months by CREST/CHECK provider, critical findings remediated
  Red flags that should block onboarding: Test older than 12 months, non-accredited provider, unresolved criticals

Assessment area: Certifications
  What to check: Cyber Essentials, CE Plus, ISO 27001, SOC 2
  Minimum acceptable evidence: Current certificate with verifiable expiry; CE minimum for government per PPN 014
  Red flags that should block onboarding: Expired, "in progress" with no timeline, unverified equivalence claims

Assessment area: Incident response
  What to check: Written plan, testing frequency, notification timeline
  Minimum acceptable evidence: Plan tested within 12 months, 72-hour notification commitment
  Red flags that should block onboarding: No plan, never tested, no notification commitment

Assessment area: Sub-processor management
  What to check: Fourth-party identification, contractual flow-down
  Minimum acceptable evidence: Named sub-processor list, DPAs in place, security requirements flowed down
  Red flags that should block onboarding: Unknown sub-processors, no DPAs, no flow-down

Assessment area: Contractual clauses
  What to check: Right-to-audit, SLAs, breach notification, termination
  Minimum acceptable evidence: Right-to-audit accepted, defined SLAs, certified data deletion
  Red flags that should block onboarding: Refusal of audit rights, no SLAs, no deletion process
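As an added example (not code from this page or from Precursor Security), here is the four-tier model from the section above and this decision matrix combined into one onboarding gate: it assigns the tier from the supplier's access, runs only the checks that tier calls for, and returns the red flags that should pause onboarding. The questionnaire field names, the two constructed sample suppliers, and the reading of "within 12 months" as 365 days are assumptions.

```python
# Added example, not Precursor Security's code: assign a risk tier, then apply the
# decision-matrix red flags that tier calls for. Field names, the 365-day reading of
# "within 12 months" and the two sample suppliers are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

ACCREDITED = {"CREST", "CHECK"}
MAX_EVIDENCE_AGE = timedelta(days=365)  # pentest and IR exercise must be within 12 months
MAX_NOTIFICATION_HOURS = 72             # outer limit; the controller's own ICO clock is 72 hours
TIER_RANK = {"low": 0, "standard": 1, "high": 2, "critical": 3}

@dataclass
class VendorResponse:
    name: str
    # Tiering inputs
    sensitive_data: bool = False      # sensitive data, core infrastructure or customer-facing systems
    personal_data: bool = False
    internal_network: bool = False
    any_data_access: bool = False
    # Control evidence; None means "not answered", which never counts as a pass
    encryption_at_rest: Optional[str] = None     # e.g. "AES-256"
    tls_min_version: Optional[str] = None        # e.g. "1.2"
    mfa_all_accounts: bool = False
    pam_for_admins: bool = False
    pentest_date: Optional[date] = None
    pentest_accreditation: Optional[str] = None  # "CREST", "CHECK" or None
    certifications: Dict[str, date] = field(default_factory=dict)  # name -> expiry date
    ir_plan_tested: Optional[date] = None
    notification_hours: Optional[int] = None
    sub_processors_covered: bool = False         # named, DPAs in place, requirements flowed down
    right_to_audit: bool = False
    deletion_process: bool = False

def assign_tier(v: VendorResponse) -> str:
    """Four-tier model: the most sensitive access the supplier has decides the tier."""
    if v.sensitive_data:
        return "critical"
    if v.personal_data or v.internal_network:
        return "high"
    return "standard" if v.any_data_access else "low"

def _stale(evidence: Optional[date], today: date) -> bool:
    return evidence is None or today - evidence > MAX_EVIDENCE_AGE

def _tls_below_1_2(version: Optional[str]) -> bool:
    try:
        major, minor = (int(x) for x in version.lower().lstrip("tlsv ").split("."))
    except (AttributeError, ValueError):
        return True  # unstated or unparseable is a fail, not an unknown
    return (major, minor) < (1, 2)

def red_flags(v: VendorResponse, today: date) -> List[str]:
    """Blocking findings for this supplier; each check applies from a minimum tier upwards."""
    enc = (v.encryption_at_rest or "").upper().replace(" ", "")
    checks = [  # (lowest tier the check applies to, failing condition, red flag text)
        ("low", not v.right_to_audit, "refuses right-to-audit clause"),
        ("low", not v.deletion_process, "no data return/deletion process on termination"),
        ("standard", not any(exp >= today for exp in v.certifications.values()),
         "no current certification (Cyber Essentials, CE Plus or ISO 27001)"),
        ("standard", not enc.startswith("AES-256"),
         f"encryption at rest not AES-256 (stated: {v.encryption_at_rest!r})"),
        ("standard", _tls_below_1_2(v.tls_min_version),
         f"TLS below 1.2 in transit (stated: {v.tls_min_version!r})"),
        ("standard", not v.mfa_all_accounts, "MFA not enforced on all accounts"),
        ("high", not v.pam_for_admins, "no privileged access management for admin access"),
        ("high", _stale(v.ir_plan_tested, today),
         "incident response plan missing or not tested within 12 months"),
        ("high", v.notification_hours is None or v.notification_hours > MAX_NOTIFICATION_HOURS,
         "no breach notification commitment within 72 hours"),
        ("high", not v.sub_processors_covered, "sub-processors unnamed, no DPAs, or no security flow-down"),
        ("critical", _stale(v.pentest_date, today), "penetration test missing or older than 12 months"),
        ("critical", v.pentest_accreditation not in ACCREDITED,
         "penetration test not by a CREST or CHECK accredited provider"),
    ]
    rank = TIER_RANK[assign_tier(v)]
    return [msg for min_tier, failed, msg in checks if failed and rank >= TIER_RANK[min_tier]]

def onboarding_decision(v: VendorResponse, today: date) -> dict:
    flags = red_flags(v, today)
    return {"vendor": v.name, "tier": assign_tier(v),
            "decision": "PAUSE" if flags else "PROCEED", "red_flags": flags}

# Constructed sample responses; SAAS_VENDOR mirrors the article's opening scenario.
TODAY = date(2026, 3, 19)
SAAS_VENDOR = VendorResponse(
    name="ExampleSaaS", sensitive_data=True, encryption_at_rest=None, tls_min_version="1.2",
    mfa_all_accounts=False, pam_for_admins=True, pentest_date=date(2024, 2, 1),
    pentest_accreditation="CREST", certifications={"ISO 27001": date(2026, 11, 30)},
    ir_plan_tested=date(2025, 9, 1), notification_hours=48, sub_processors_covered=True,
    right_to_audit=False, deletion_process=True)
CATERER = VendorResponse(name="ExampleCatering", right_to_audit=True, deletion_process=True)

if __name__ == "__main__":
    for vendor in (SAAS_VENDOR, CATERER):
        print(onboarding_decision(vendor, TODAY))
```

Run as a script, the SaaS supplier from the opening scenario lands in the critical tier and stalls on four findings (no right to audit, no encryption at rest, MFA not enforced, a two-year-old pentest), while the catering supplier proceeds on contractual terms alone. Unanswered questions (None) fail rather than pass, and a PROCEED from the gate still assumes the evidence behind each answer has been verified independently: the certificate against the registry, the pentest against the report itself.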

What UK regulations and frameworks apply to supplier security?

Most vendor management guidance focuses on US-centric frameworks such as SOC 2 and NIST. UK organisations face a distinct regulatory set.

PPN 014 replaced PPN 09/23 in February 2025. It requires UK central government departments, executive agencies, non-departmental public bodies (NDPBs), and NHS bodies to ensure suppliers demonstrate Cyber Essentials or Cyber Essentials Plus for contracts involving personal data, IT products, or higher-risk characteristics. Certification must be renewed annually. NHS Supply Chain began enforcing Cyber Essentials Plus requirements for in-scope suppliers from August 2025.

The NCSC Supply Chain Security guidance follows a four-stage framework: (1) Understand the risks, (2) Establish control, (3) Check arrangements, (4) Encourage continuous improvement. The NCSC Supplier Assurance Questions and Cyber Essentials Supply Chain Playbook are the operational tools for UK organisations.

ISO 27001:2022 (Annex A.5.19 through A.5.22) sets out supplier relationship controls. These require a security policy for supplier relationships (A.5.19), security within agreements (A.5.20), ICT supply chain risk management (A.5.21), and ongoing monitoring (A.5.22). ISO 27001 does not substitute for Cyber Essentials under PPN 014.

Under GDPR Article 28, controllers must use only processors providing "sufficient guarantees," and the processing must be governed by a DPA. Under Article 33, a processor must notify the controller of a personal data breach without undue delay, and the controller must notify the ICO within 72 hours of becoming aware; the DPA should therefore fix a processor notification window short enough to leave the controller time to meet that deadline.

Cyber Essentials is the NCSC baseline covering five controls: firewalls, secure configuration, user access control, malware protection, and security update management. Cyber Essentials basic certification starts from £320+VAT. Cyber Essentials Plus, which includes vulnerability testing, starts from £1,400+VAT. Annual renewal is required for both.

How do you build vendor security into contracts before access is granted?

Security requirements that exist only in a questionnaire response carry no contractual weight. When the vendor you onboarded six months ago suffers a breach and you discover there is no notification window, no right-to-audit, and no data deletion obligation in the contract, you have no mechanism to enforce remediation.

The following clauses should be standard in every vendor contract where data access or system connectivity is involved.

Security SLAs define minimum controls the vendor must maintain, such as certifications, MFA, and encryption standards. Tie SLA compliance to contract renewal.

Breach notification windows should require notification within 24 to 72 hours of any security incident affecting your data. The closer the vendor's window sits to 72 hours, the less time you have to investigate before deciding whether your own ICO notification under GDPR Article 33 is required, so negotiate for the 24-hour end of the range where personal data is involved.

A right-to-audit clause reserves the right to conduct or commission security audits with reasonable notice (typically 30 days), including requesting updated penetration test reports.

Data handling on termination should define data return and secure deletion procedures, including certification of deletion within 30 to 90 days.

Penetration testing frequency clauses require annual penetration testing by a CREST or CHECK accredited provider, with executive summaries shared on request.

Certification maintenance clauses require the vendor to maintain Cyber Essentials, ISO 27001, or other specified certifications throughout the contract, with annual proof of renewal.

Sub-contractor flow-down clauses require equivalent security obligations on any sub-contractors handling your data. The NCSC recommends extending right-to-audit clauses to sub-contractors.

Why are security questionnaires alone not enough?

Security questionnaires are used by 84% of organisations to assess vendor risk (RiskRecon). They are also the weakest link in the assessment process.

Questionnaires capture what a vendor says about their security, not what their security actually looks like. Only 4% of organisations report high confidence that questionnaire responses match reality (RiskRecon, The State of TPRM 2024). Up to 75% of vendors either do not answer questionnaires or fail to respond in a timely manner (Viso Trust). Responses represent a single point in time: a vendor may pass a questionnaire in January and introduce a critical vulnerability in March.

Abandoning questionnaires altogether would be a mistake. They serve as a structured first-pass assessment. But they must be supplemented with independent technical validation: penetration testing evidence, certification verification through registries like the IASME Supplier Check tool, continuous monitoring, and contractual enforcement.

A questionnaire that asks "Do you conduct penetration testing?" tells you what the vendor claims. A CREST-accredited penetration test report tells you what an independent assessor found.

How does penetration testing validate vendor security claims?

The gap between claimed compliance and actual security posture is where breaches happen. In the M&S breach, weak identity verification at the service desk is exactly the kind of control failure a standard questionnaire does not surface: the provider could truthfully answer that it had a password reset procedure, and only an adversarial test of that procedure, such as a social engineering engagement against the help desk, shows whether staff actually verify identity before resetting a credential.

Independent penetration testing by a CREST-accredited provider verifies that a vendor's stated controls function under adversarial conditions. When evaluating a vendor's pentest report, verify five things.

Provider accreditation should be CREST or CHECK. The NCSC references both schemes for independent testing in the UK.

Scope coverage matters. The test should have covered systems relevant to your data, not just the vendor's public website.

Finding severity should be classified with clear business impact descriptions.

Remediation status is telling. Critical and high findings should be remediated, with retesting evidence available.

Report age is a factor. Results completed more than 12 months ago do not reflect current posture.

Cyber Essentials Plus includes on-site vulnerability testing for baseline assurance. For critical-tier vendors, requiring both CE Plus and a separate external network penetration test scoped to your data gives the strongest evidence of working controls.

How should you monitor vendors continuously after onboarding?

A one-time assessment at onboarding creates a false sense of security. Vendor risk changes continuously as suppliers update systems, onboard their own sub-processors, and face new threats. 70% of third-party breaches involve excessively privileged vendor accounts that were never reviewed after initial provisioning (Censinet).

Scheduled reassessments should run quarterly for critical vendors, annually for high-risk vendors, and on a longer cycle for standard and low-risk suppliers.

Certification expiry tracking is essential. Monitor Cyber Essentials, ISO 27001, and SOC 2 expiry dates. Under PPN 014, Cyber Essentials must be renewed annually. The IASME Supplier Check tool lets you confirm whether a supplier currently holds a valid Cyber Essentials certificate, rather than relying on the copy the supplier sent at onboarding.

Access reviews should examine vendor permissions regularly to enforce least privilege. Remove inactive vendor accounts promptly.

Incident response coordination means including critical vendors in tabletop exercises. Test breach notification procedures before a real incident occurs.

Automated monitoring through attack surface management platforms can track vendor posture between formal assessments, continuously scanning for exposed services, certificate issues, and configuration drift. Only 14% of procurement professionals currently use continuous monitoring tools (Supply Wisdom).

The NCSC's fourth stage of supply chain security, "Encourage continuous improvement," requires ongoing engagement with suppliers, not a one-off check at onboarding.
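The monitoring pass described in this section, as an added example that is not Precursor Security's code, run over a constructed vendor register: it flags reassessments that are overdue for the vendor's tier (or due immediately after a reported incident), certifications that have expired or fall due within 30 days, vendor accounts unused for 90 days, and privileged accounts never re-reviewed since provisioning. The register layout, the 24-month cadence assumed for standard and low-tier suppliers, and the 30- and 90-day thresholds are assumptions, not figures from the article.

```python
# Added example, not Precursor Security's code: one monitoring pass over a vendor register.
# The register layout, the 24-month cadence for standard and low-tier suppliers, the 30-day
# certificate warning and the 90-day account inactivity threshold are assumptions.
from datetime import date, timedelta
from typing import Dict, List, Tuple

REASSESS_EVERY = {"critical": timedelta(days=90), "high": timedelta(days=365),
                  "standard": timedelta(days=730), "low": timedelta(days=730)}
CERT_WARNING = timedelta(days=30)     # chase renewal evidence this long before expiry
INACTIVE_AFTER = timedelta(days=90)   # vendor accounts unused this long get disabled

Finding = Tuple[str, str, str]  # (vendor, severity, action)

def review_vendor(name: str, rec: dict, today: date) -> List[Finding]:
    out: List[Finding] = []
    tier = rec["tier"]
    # 1. Scheduled reassessment by tier, or an immediate one after a reported incident
    if rec.get("incident_since_last_assessment"):
        out.append((name, "high", "security incident reported: reassess immediately"))
    elif today - rec["last_assessed"] > REASSESS_EVERY[tier]:
        out.append((name, "medium", f"{tier}-tier reassessment overdue (last {rec['last_assessed']})"))
    # 2. Certification expiry tracking (Cyber Essentials is renewed annually)
    for cert, expiry in rec.get("certifications", {}).items():
        if expiry < today:
            out.append((name, "high", f"{cert} expired on {expiry}"))
        elif expiry - today <= CERT_WARNING:
            out.append((name, "medium", f"{cert} expires on {expiry}: request renewal evidence"))
    # 3. Access review: stale accounts, and privilege never re-reviewed since provisioning
    for acct in rec.get("accounts", []):
        idle = today - acct["last_login"]
        if idle > INACTIVE_AFTER:
            out.append((name, "high", f"disable {acct['user']}: unused for {idle.days} days"))
        if acct.get("privileged") and not acct.get("reviewed_since_provisioning"):
            out.append((name, "high", f"review {acct['user']}: privileged, never re-reviewed"))
    return out

def monitor(register: Dict[str, dict], today: date) -> List[Finding]:
    """All findings across the register, highest severity first, then by vendor."""
    findings = [f for name, rec in register.items() for f in review_vendor(name, rec, today)]
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))

# Constructed register: a managed IT provider with domain admin, a payroll SaaS and a caterer
TODAY = date(2026, 3, 19)
REGISTER = {
    "ExampleMSP": {
        "tier": "critical", "last_assessed": date(2025, 11, 1),
        "certifications": {"Cyber Essentials Plus": date(2026, 4, 2), "ISO 27001": date(2027, 1, 15)},
        "accounts": [
            {"user": "msp-admin", "last_login": date(2026, 3, 18), "privileged": True,
             "reviewed_since_provisioning": False},
            {"user": "msp-legacy", "last_login": date(2025, 10, 30), "privileged": True,
             "reviewed_since_provisioning": True},
        ],
    },
    "ExamplePayroll": {
        "tier": "high", "last_assessed": date(2025, 2, 1),
        "certifications": {"Cyber Essentials": date(2026, 2, 28)},
        "accounts": [{"user": "payroll-api", "last_login": date(2026, 3, 19), "privileged": False}],
    },
    "ExampleCatering": {"tier": "low", "last_assessed": date(2025, 6, 1)},
}

if __name__ == "__main__":
    for vendor, severity, action in monitor(REGISTER, TODAY):
        print(f"[{severity:<6}] {vendor}: {action}")
```

Run as a script it prints the findings by severity: the MSP's never-reviewed domain admin account and its account idle for 140 days, the payroll supplier's lapsed Cyber Essentials certificate, then the overdue reassessments and the CE Plus renewal falling due. In practice the account data would come from your directory's last-logon timestamps and the certificate dates from a registry check, not from a hand-maintained dictionary.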

Frequently asked questions about vendor onboarding security

What should a vendor security questionnaire include? Security governance, data encryption, access controls and MFA, penetration testing history, certifications (Cyber Essentials, ISO 27001), incident response plans, breach history, sub-processor management, and data handling on termination. The NCSC Supplier Assurance Questions provide a UK-specific framework.

How often should you reassess vendor security after onboarding? Quarterly for critical vendors, annually for high-risk vendors, and on a longer cycle for standard and low-risk suppliers. Track certification expiry dates. Any vendor security incident should trigger immediate reassessment.

Is Cyber Essentials certification required for suppliers in the UK? Under PPN 014 (replacing PPN 09/23, February 2025), Cyber Essentials is required for UK government contracts involving personal data or IT products. Many private sector organisations also use it as a minimum baseline. Cyber Essentials Plus, which includes on-site vulnerability testing, is recommended for higher-risk contracts.

What are the biggest red flags during vendor security due diligence? No encryption at rest, MFA not enforced, penetration testing older than 12 months or by a non-CREST/CHECK provider, refusal to sign a DPA, no incident response plan, vague sub-processor answers, and no right-to-audit clause.

Who is responsible for third-party vendor security risk? Under UK GDPR, the data controller remains responsible when sharing data with processors. In practice, responsibility spans procurement, IT security, legal, and compliance. A RACI matrix should define accountability at each stage of vendor onboarding.
