
🤝 Third-party / vendor cyber risk assessment

Run a structured third-party risk management (TPRM) assessment: first score the vendor's inherent risk from data sensitivity, level of system access and business criticality, then work through a security control questionnaire (SOC 2 Type II, ISO 27001, MFA, encryption, patching, incident response and breach SLA, BCP/DR, subprocessors and GDPR). The tool combines the control score with the inherent risk tier into an overall vendor risk rating and the required actions. Assessments are saved in your browser and export to Word and to a CSV vendor register.

Vendor & assessment
Step 1 — Inherent risk
Step 2 — Security control questionnaire

Score each control domain from the vendor's evidence (SOC 2 Type II report, ISO 27001 certificate, SIG / CAIQ responses). Choose the answer that best matches verified evidence.
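As an added worked example (not code from this page's tool), the scoring flow of Steps 1 and 2 in Python: an inherent-risk tier from the three factors, a weighted control score from questionnaire answers in which only verified evidence earns full credit, the matrix that combines tier and score into an overall rating with required actions, and the CSV register export. The factor scales, domain weights, score bands, rating matrix and the two sample vendors are assumptions chosen for illustration; the page states no formula.

```python
"""Vendor risk rating: inherent-risk tier x control score -> overall rating.
Added example of the TPRM method this page describes, not the page's own code.
Scales, weights, bands and the matrix are illustrative assumptions."""
import csv
import io
from dataclasses import dataclass

# Step 1 inputs, each scored 1 (low) to 3 (high). Assumed scale.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential_or_personal": 3}
SYSTEM_ACCESS = {"none": 1, "limited": 2, "privileged_or_integrated": 3}
CRITICALITY = {"low": 1, "moderate": 2, "critical": 3}

# Step 2 domains from the page's questionnaire, with assumed weights.
CONTROL_WEIGHTS = {
    "soc2_type2": 2, "iso27001": 1, "mfa": 2, "encryption": 2, "patching": 2,
    "incident_response_sla": 2, "bcp_dr": 1, "subprocessors": 1, "gdpr": 1,
}
# Credit per answer: only evidence you have actually seen earns full credit.
ANSWER_CREDIT = {"verified": 1.0, "attested": 0.5, "absent": 0.0, "not_applicable": None}

# (inherent tier, control band) -> overall rating. Assumed matrix.
RATING_MATRIX = {
    ("High", "Weak"): "Critical", ("High", "Adequate"): "High", ("High", "Strong"): "Medium",
    ("Medium", "Weak"): "High", ("Medium", "Adequate"): "Medium", ("Medium", "Strong"): "Low",
    ("Low", "Weak"): "Medium", ("Low", "Adequate"): "Low", ("Low", "Strong"): "Low",
}
REQUIRED_ACTIONS = {
    "Critical": "Do not onboard or renew until gaps are closed; executive sign-off required",
    "High": "Remediation plan with dates in the contract; reassess within 6 months",
    "Medium": "Security clauses and breach SLA in the contract; reassess annually",
    "Low": "Standard terms; reassess every 2 years or on material change",
}

def inherent_tier(sensitivity: str, access: str, criticality: str) -> str:
    """Sum of the three factors (3..9) mapped to a tier: 7+ High, 5-6 Medium, else Low."""
    total = DATA_SENSITIVITY[sensitivity] + SYSTEM_ACCESS[access] + CRITICALITY[criticality]
    return "High" if total >= 7 else "Medium" if total >= 5 else "Low"

def control_score(answers: dict[str, str]) -> float:
    """Weighted percentage of credit earned over the domains that apply.
    Every domain must be answered; 'not_applicable' drops a domain from both
    numerator and denominator so it neither helps nor hurts the vendor."""
    missing = set(CONTROL_WEIGHTS) - set(answers)
    if missing:
        raise ValueError(f"unanswered control domains: {sorted(missing)}")
    earned = possible = 0.0
    for domain, weight in CONTROL_WEIGHTS.items():
        credit = ANSWER_CREDIT[answers[domain]]
        if credit is None:
            continue
        earned += weight * credit
        possible += weight
    if possible == 0:
        raise ValueError("every domain marked not_applicable; control score is undefined")
    return round(100 * earned / possible, 1)

def control_band(score: float) -> str:
    return "Strong" if score >= 80 else "Adequate" if score >= 60 else "Weak"

@dataclass
class Assessment:
    vendor: str
    inherent: str
    score: float
    rating: str
    action: str

def assess(vendor, sensitivity, access, criticality, answers) -> Assessment:
    tier = inherent_tier(sensitivity, access, criticality)
    score = control_score(answers)
    rating = RATING_MATRIX[(tier, control_band(score))]
    return Assessment(vendor, tier, score, rating, REQUIRED_ACTIONS[rating])

def register_csv(assessments: list[Assessment]) -> str:
    """Vendor register as CSV text, the same shape of export the page offers."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["vendor", "inherent_risk", "control_score_pct", "overall_rating", "required_action"])
    for a in assessments:
        writer.writerow([a.vendor, a.inherent, a.score, a.rating, a.action])
    return out.getvalue()

# Constructed sample answers for two hypothetical vendors (not real companies).
PAYROLL_ANSWERS = {
    "soc2_type2": "verified", "iso27001": "attested", "mfa": "verified", "encryption": "verified",
    "patching": "attested", "incident_response_sla": "verified", "bcp_dr": "attested",
    "subprocessors": "absent", "gdpr": "verified",
}
NEWSLETTER_ANSWERS = {d: "verified" for d in CONTROL_WEIGHTS} | {"gdpr": "not_applicable"}

if __name__ == "__main__":
    print(register_csv([
        assess("PayrollSaaS", "confidential_or_personal", "privileged_or_integrated", "critical", PAYROLL_ANSWERS),
        assess("NewsletterTool", "internal", "limited", "low", NEWSLETTER_ANSWERS),
    ]))
```

With these assumed weights the payroll vendor earns 11 of 14 weighted points (78.6%, "Adequate"); combined with its High inherent tier that yields an overall "High" rating, so a strong questionnaire result does not by itself clear a vendor holding personal data with privileged access. The newsletter tool scores 100% over the eight domains that apply and lands at "Low". The same register rows would fill the CSV export the page offers.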

Live rating (current form)

Vendor risk register

🔒 This is a defensive third-party risk-management (TPRM) aid reflecting common best practice and questionnaires (Shared Assessments SIG, CSA CAIQ / Cloud Controls Matrix) and evidence types such as a SOC 2 Type II report and an ISO/IEC 27001:2022 certificate (supplier controls 5.19–5.23, which replace the 2013 edition's Annex A.15; 5.23, cloud services, is new in the 2022 edition). Inherent risk reflects the data sensitivity, access and criticality you assign; the control score reflects only the evidence you record, so an unverified self-attestation should not be scored as verified. Everything runs in your browser and is stored only in this device's local storage; nothing is transmitted. It is a working aid, not legal, audit, certification or contractual advice; have a qualified person validate scoring, evidence and contract terms.