A few months ago, a client called us because their ATS provider had been breached. Candidate CVs, phone numbers, salary expectations, interview notes. All exposed. The first question from their management was “what data did that vendor have access to?” The answer should have been immediate, but instead it took three days of digging through emails and contracts to piece together the full picture.
That’s the problem vendor management solves. It answers practical questions: where does your data go, who has access to it, and how critical is each vendor to daily operations.
CISO Assistant gives you the structure to track all of this in one place. This guide walks through the process from registering your first vendor to building a complete picture of your supply chain exposure.
Why this matters more than you think
When something goes wrong at a vendor, it becomes your problem. Your cloud provider has an outage, your services go down. Your recruitment platform gets breached, it’s your candidates’ personal data that’s exposed. Your CRM is compromised, your clients’ information is at risk. Even your office cleaning company has physical access to your premises.
Regulators understand this too. ISO 27001 (specifically Annex A.5.19 through A.5.22), TISAX (Chapter 6), GDPR, and NIS2 all require you to manage information security in supplier relationships. The questions they want answered are straightforward: who are your suppliers, what data do they have access to, how critical are they, what security measures do they maintain, and what happens if they fail.
Organize by department first
Before adding individual vendors, set up your domain structure in CISO Assistant. Go to Organization > Domains and create folders for the departments that own vendor relationships.
Your Infrastructure and IT team probably manages cloud providers, hosting, identity management, monitoring, and dev tools. Office Management handles landlords, utilities, cleaning, courier services, and telecom. HR and Recruitment owns recruitment agencies, ATS platforms, job boards, and background check providers. Finance manages banks, accounting firms, legal advisors, audit companies, and insurance. Marketing owns analytics tools, SEO platforms, social media tools, and design software. Sales manages the CRM, sales intelligence, e-signature platforms, and VoIP services. Security handles antivirus providers, SIEM tools, and security consultants. Engineering typically owns design tools, event platforms, and component libraries.
This structure means every vendor has a clear owner, and when something needs attention, you know exactly who to call.
Register your vendors
Go to Third Party > Entities and start adding vendors. This is the core of your vendor inventory and honestly, building it the first time is the most tedious part of the whole process.
For each vendor, you want the full legal name (needed for contracts), a description of what they do for you specifically, the department that owns the relationship, the category of service, the country where they’re headquartered (important for GDPR data transfer rules), their website, and a criticality rating.
| Field | What to enter | Why it matters |
|---|---|---|
| Name | Full legal name | Contracts and legal references |
| Description | What they do for you, specifically | Anyone can understand the relationship at a glance |
| Domain | Owning department | Clear accountability |
| Mission | Service category | Grouping and reporting |
| Country | Headquarters location | GDPR data transfer considerations |
| Reference Link | Company website | Quick reference |
| Default Criticality | 0-4 scale | Risk prioritization |
How to rate criticality
| Level | Meaning | Examples |
|---|---|---|
| 4 - Essential | Operations stop completely without this vendor | AWS, GCP, JumpCloud, 1Password, GitHub |
| 3 - Important | Major disruption, contains significant business data | Slack, Atlassian, Google Workspace, Cloudflare, Datadog |
| 2 - Moderate | Noticeable impact but workarounds exist | Figma, CloudTalk, Apollo.io, ClickUp, Miro, Hotjar |
| 1 - Low | Minor inconvenience, easy to replace | Niche SaaS tools, individual analytics platforms |
| 0 - Minimal | No meaningful operational impact | Non-essential services, free tools |
Working through the vendor list
Take it department by department. In our experience, most organizations underestimate how many vendors they actually have until they start listing them.
Infrastructure and IT is usually the biggest section, often 30 to 40 entities. Think about every service your IT team touches. Cloud platforms like AWS, Azure, and Google Cloud. Identity providers like JumpCloud. Password managers like 1Password. Code hosting on GitHub. Communication through Slack. The entire Atlassian suite. Knowledge bases like Coda and Confluence. Monitoring through Datadog. DNS and domain management with Cloudflare, GoDaddy, or OVH. Docker for containers. AI tools from OpenAI, Anthropic, and Mistral. IDEs from JetBrains. Email services like SendGrid. Automation through Zapier. VPS providers like Hetzner. E-signature with DocuSign. It adds up fast.
Office Management surprises people with its size, typically 15 to 25 entities. Internet providers, electricity, gas, water, landlords for each office, coworking spaces, cleaning services, courier services like UPS and DHL, mobile carriers, office equipment suppliers, postal services.
HR and Recruitment usually has 10 to 20 entities including recruitment agencies, your ATS platform, job posting sites like LinkedIn and Indeed, background check services, occupational health providers, and scheduling tools.
Finance tends to have 10 to 15 entities: banks, invoicing systems, accounting firms, legal advisors, tax consultants, audit firms, insurance providers, and leasing companies.
Marketing has 10 to 15: SEO tools like Semrush, analytics like Hotjar and Piwik Pro, social media management tools, creative software like Adobe, website management, landing page builders, translation tools.
Sales is usually the leanest at 5 to 10: CRM, sales intelligence, lead generation, LinkedIn Sales Navigator, feedback collection.
Register solutions separately from entities
Entities are the companies. Solutions are the specific products they provide you. This distinction matters because one vendor can provide multiple solutions with very different risk profiles.
Microsoft provides Azure (critical infrastructure, criticality 4), Microsoft 365 (important productivity tool, criticality 3), and Teams (bundled with 365). Google provides Google Workspace (criticality 4), Google Cloud Platform (criticality 4), and Gemini AI (criticality 2).
Go to Third Party > Solutions and for each one, link it to the parent entity, write a specific description of what data it touches and what access it has, set its own criticality rating, note whether it stores your data, and mark whether it’s currently active.
The description field matters more here than anywhere else. “Cloud hosting service” tells you nothing about risk. “Cloud infrastructure hosting production systems, client databases, and application data with full data access, where a compromise means exposure of all client data and complete service disruption” tells you everything.
“Password manager” is insufficient. “Stores ALL credentials, API keys, and secrets across the organization, where a compromise equals full access to all connected systems and represents a single point of failure for authentication” makes the risk crystal clear.
“HR platform” means nothing. “ATS storing candidate CVs, personal data including addresses, phone numbers, salary expectations, interview notes, and hiring decisions, containing GDPR-sensitive personal data” gives you and your auditors what they need.
Document your criticality 4 solutions first (cloud infrastructure, identity management, password management, email/productivity, source code). Then work through criticality 3 (communication, project management, CRM, knowledge bases, CDN/DNS, monitoring, e-signature, invoicing) and criticality 2 (design tools, VoIP, sales intelligence, AI tools, automation, analytics).
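A constructed illustration of the entity/solution split described above, added here and not CISO Assistant’s own data model or API: each solution carries its own criticality, its own statement of what data it holds, and a link to its parent entity by name, so the intro’s question “what data did that vendor have?” becomes a one-line query. The field names, the `data_categories` tags and the sample records are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed illustration, not CISO Assistant's data model or API. A Solution is
# one product a vendor (entity) provides, with its own criticality (0-4) and its
# own statement of what data it holds; the parent entity is referenced by name.
CRITICALITY = {4: "Essential", 3: "Important", 2: "Moderate", 1: "Low", 0: "Minimal"}

@dataclass
class Solution:
    name: str
    entity: str               # parent entity (the vendor company)
    description: str          # what data it touches and what access it has
    criticality: int
    stores_data: bool
    data_categories: tuple = ()   # constructed tags, e.g. ("personal data",)
    active: bool = True

def validate(sol: Solution) -> list:
    """Flag records that could not answer 'what data did that vendor have?'"""
    problems = []
    if sol.criticality not in CRITICALITY:
        problems.append("criticality must be on the 0-4 scale")
    if sol.stores_data and not sol.data_categories:
        problems.append("stores data but lists no data categories")
    if len(sol.description.split()) < 8:
        problems.append("description too vague to show the risk")
    return problems

def breach_exposure(entity_name: str, solutions: list) -> list:
    """What a breach at this vendor exposes: its active, data-storing solutions."""
    hit = [s for s in solutions if s.entity == entity_name and s.active and s.stores_data]
    hit.sort(key=lambda s: s.criticality, reverse=True)
    return [(s.name, CRITICALITY[s.criticality], sorted(s.data_categories)) for s in hit]

# Constructed sample registry: the same vendor, three solutions, different profiles.
SOLUTIONS = [
    Solution("Azure", "Microsoft", "Cloud infrastructure hosting production systems, "
             "client databases and application data with full data access", 4, True,
             ("application data", "client data")),
    Solution("Microsoft 365", "Microsoft", "Email, documents and calendars for all "
             "staff, including client correspondence and contracts", 3, True,
             ("client data", "internal documents")),
    Solution("Teams", "Microsoft", "Chat and meetings bundled with Microsoft 365, "
             "used for internal discussion only", 3, False),
    Solution("Recruitee ATS", "Recruitee", "HR platform", 3, True),   # too vague
]
```

Running `validate` over the sample flags only the “HR platform” record, and `breach_exposure("Microsoft", SOLUTIONS)` lists Azure before Microsoft 365 and omits Teams, which stores no data.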
Assess vendor risk
With your entities and solutions registered, you can think about risk in four dimensions.
For data exposure, ask what kind of data each vendor stores. Do they process personal data where GDPR applies? Could a breach expose client information? Do they have access to your internal systems?
For operational dependency, think about what happens if the vendor goes down for an hour, a day, or a week. Is there a viable alternative? How long would it take to migrate away?
For security posture, check whether the vendor enforces SSO and MFA, whether they hold certifications like ISO 27001 or SOC 2, where they store data geographically, and what their incident response track record looks like. Some vendors are very forthcoming with this information. Others are evasive, and that evasiveness is itself a data point.
For contractual coverage, verify you have an NDA in place, that the contract includes data processing terms, that there are SLA guarantees, and that there’s a clear process for what happens to your data when the contract ends.
Connect vendors to risk scenarios
Your vendor relationships create risk, and you capture this in CISO Assistant by creating assets from your solutions (covered in the asset management guide) and linking those assets to relevant risk scenarios.
A cloud platform like AWS is exposed to unauthorized data access, unauthorized network access, data loss, information leaks, malicious code, unavailability, and operational errors. An ATS like Recruitee faces unauthorized data access, information leak, data loss, and social engineering risks. A CRM like HubSpot is exposed to unauthorized access, information leaks, social engineering, and unavailability.
These connections mean your risk dashboard shows the cumulative exposure from all your vendors combined.
Map vendor controls to compliance
If you’re pursuing ISO 27001 or TISAX, your vendor management practices need to satisfy specific requirements.
For ISO 27001, the relevant requirements are A.5.19 (information security in supplier relationships), A.5.20 (addressing security within supplier agreements), A.5.21 (managing security in the ICT supply chain), A.5.22 (monitoring, review, and change management of supplier services), and A.5.23 (information security for cloud services).
For TISAX, the requirements are 1.3.3 (external IT services evaluated for security), 5.3.3 (return/removal of assets from external IT services), 5.3.4 (information in shared external IT services is protected), 6.1.1 (information security ensured among contractors), and 6.1.2 (non-disclosure agreements with external parties).
Create applied controls like “Suppliers and Services Management Policy” and “Information Security in Supplier Relationships” and link them to these compliance requirements.
Keep the registry alive
Your vendor list changes constantly. New tools get adopted, contracts expire, companies merge. Here’s what actually works for keeping the registry current.
Run a quarterly review where you go through the entire vendor list, remove entries for discontinued relationships, and add any new vendors. Do trigger-based updates whenever a new tool is adopted or a contract is signed. Don’t batch these for later because later never comes. Once a year, do a full reassessment of criticality ratings and descriptions. Tools that were nice-to-have sometimes become critical, and vendor security postures change.
When a vendor reports a breach, update their record immediately and reassess the risk scenarios connected to their solutions. When you stop using a vendor, don’t just delete them. Update the solution to inactive, confirm data deletion or return, and keep the record for audit purposes. Deleting a record feels tidy, but it destroys audit history.
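A constructed illustration of the registry lifecycle just described (quarterly review, annual reassessment, breach updates, and offboarding that deactivates rather than deletes), added here and not CISO Assistant’s own code or API. The record fields, the 91-day quarter, the `data_disposition` values and the sample records are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed illustration, not CISO Assistant's data model or API. Each record is
# one vendor solution with its review dates; audit_log keeps every state change.
QUARTERLY = timedelta(days=91)
ANNUAL = timedelta(days=365)

def review_findings(records: list, today: date) -> list:
    """Quarterly pass: which active records are overdue for review or reassessment."""
    findings = []
    for r in records:
        if not r["active"]:
            continue                       # retired records stay for audit, not review
        if today - r["last_reviewed"] > QUARTERLY:
            findings.append((r["name"], "quarterly review overdue"))
        if today - r["last_reassessed"] > ANNUAL:
            findings.append((r["name"], "annual criticality reassessment due"))
        if r.get("breach_reported") and r["last_reassessed"] < r["breach_reported"]:
            findings.append((r["name"], "breach reported, reassess linked risk scenarios"))
    return findings

def record_breach(record: dict, today: date, audit_log: list) -> dict:
    """Vendor reported a breach: update the record immediately, never later."""
    record["breach_reported"] = today
    audit_log.append((today, record["name"], "breach reported by vendor"))
    return record

def offboard(record: dict, today: date, data_disposition: str, audit_log: list) -> dict:
    """Stop using a vendor without deleting it: inactive, data fate confirmed, kept."""
    if data_disposition not in ("deleted", "returned"):
        raise ValueError("confirm data deletion or return before offboarding")
    record["active"] = False
    record["offboarded_on"] = today
    record["data_disposition"] = data_disposition
    audit_log.append((today, record["name"], f"set inactive, data {data_disposition}"))
    return record

# Constructed sample records and a review date.
TODAY = date(2025, 6, 30)
RECORDS = [
    {"name": "Azure", "active": True, "last_reviewed": date(2025, 5, 1),
     "last_reassessed": date(2024, 11, 1)},
    {"name": "Recruitee ATS", "active": True, "last_reviewed": date(2025, 2, 1),
     "last_reassessed": date(2024, 5, 1)},
    {"name": "Old SEO tool", "active": True, "last_reviewed": date(2024, 1, 1),
     "last_reassessed": date(2024, 1, 1)},
]
AUDIT_LOG = []
```

Once `offboard` retires the SEO tool it drops out of the review findings but its record and audit entry remain; `record_breach` on Azure makes the next review demand a reassessment of its linked risk scenarios.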
Your supply chain is only as strong as its weakest link. The vendors that cause the most damage in a breach aren’t usually the ones you’d expect. Usually it’s the niche SaaS tool that someone in marketing signed up for, stored client data in, and nobody in security ever knew about. Tracking all your vendors, what they have access to, and how critical they are is what makes the rest of vendor security possible.
For a structured way to score and compare vendor risk profiles, try our free Supplier Risk Assessment tool - it evaluates vendors across six security domains with a downloadable PDF report.
With your vendor registry in place, the next step is creating assets for your most critical solutions and linking them together. Then connect those assets to risk scenarios to see the full picture of your supply chain exposure. If NIS2 supply chain requirements are driving your vendor assessment work, our NIS2 Readiness Assessment covers the full directive scope. When it’s time for certification, our compliance mapping guide shows how to demonstrate supplier management compliance for ISO 27001 and TISAX.