Supplier Risk Management Tool: one weak supplier can become your breach
Free supplier risk management tool. Score vendor security, financial stability and compliance. Flag high-risk suppliers instantly with a prioritised remediation plan.
A vendor risk assessment is a structured way of judging how much risk a third-party supplier creates for your organisation, and whether that risk is being managed. It looks at the supplier's own security, the data and access they have, your contract with them, where your data lives, how dependent you are on them, and who sits behind them. This tool scores one supplier across all of those areas and gives you a single 0 to 100 result.
A supplier security questionnaire is a list of questions you send to the supplier for them to answer about themselves. This assessment is the other half of the job: it scores how well you, the buyer, are managing that relationship, including whether you have a contract, a data processing agreement, evidence of their security, and a plan if they fail. The two work together. Use this to find the gaps, then a questionnaire to fill them.
The seven dimensions map to the supplier and cloud controls in ISO/IEC 27001:2022, specifically Annex A 5.19 to 5.23, the NCSC's supply chain security principles and Cyber Assessment Framework Principle A4, the Cyber Essentials scheme and its Supply Chain Playbook, and the controller and processor duties in UK GDPR Article 28. The methodology note at the end lists each one and how it is used.
Each of the twenty-one questions scores from 1 for the weakest answer to 4 for the strongest. We add up your answers, subtract the minimum possible total (21, one point per question) so the floor is a true zero, and divide by the remaining range (63) to convert the result to a 0 to 100 scale. Each of the seven dimensions is scored the same way over its own questions, so you can see exactly which areas pull your supplier's risk up or down. There is no hidden baseline; a genuinely unmanaged supplier scores zero, and one with the strongest answer to every question scores 100.
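The scoring rule above, as an added worked example in Python; this is illustrative code written for this page, not the tool's own implementation. It assumes the 21 questions are split evenly, three per dimension, and the dimension labels, the sample answers and the 50-point high-risk threshold are my own assumptions, not values the page gives.

```python
"""Worked example of the 0-100 supplier risk score: sum the 1-4 answers,
subtract the minimum possible total so the floor is a true zero, rescale
to 0-100, and do the same per dimension to rank remediation.

Assumed (not from the page): three questions per dimension, the dimension
labels below, and the high-risk threshold.
"""

MIN_ANSWER, MAX_ANSWER = 1, 4
QUESTIONS_PER_DIMENSION = 3              # assumed: 21 questions / 7 dimensions
HIGH_RISK_THRESHOLD = 50.0               # assumed flagging threshold

# Assumed labels for the seven dimensions, in answer order.
DIMENSIONS = (
    "supplier security",
    "data held and access granted",
    "contract and DPA",
    "data location",
    "dependency and exit plan",
    "fourth parties",
    "evidence and assurance",
)
TOTAL_QUESTIONS = len(DIMENSIONS) * QUESTIONS_PER_DIMENSION   # 21


def normalise(answers):
    """Rescale a list of 1-4 answers to 0-100 with a true zero floor.
    Works for the full question set or for one dimension's questions."""
    n = len(answers)
    low, high = n * MIN_ANSWER, n * MAX_ANSWER      # 21 and 84 for the full set
    return round(100 * (sum(answers) - low) / (high - low), 1)


def validate(answers):
    """Reject the wrong number of answers or any answer outside 1-4."""
    if len(answers) != TOTAL_QUESTIONS:
        raise ValueError(f"expected {TOTAL_QUESTIONS} answers, got {len(answers)}")
    bad = [a for a in answers if not isinstance(a, int) or not MIN_ANSWER <= a <= MAX_ANSWER]
    if bad:
        raise ValueError(f"answers must be integers from 1 to 4, got {bad}")


def score_supplier(answers):
    """Return the overall score, each dimension's score, a high-risk flag and a
    remediation order (weakest dimension first, ties in question order)."""
    validate(answers)
    per_dim = {}
    for i, name in enumerate(DIMENSIONS):
        chunk = answers[i * QUESTIONS_PER_DIMENSION:(i + 1) * QUESTIONS_PER_DIMENSION]
        per_dim[name] = normalise(chunk)
    order = sorted(per_dim, key=lambda d: (per_dim[d], DIMENSIONS.index(d)))
    overall = normalise(answers)
    return {
        "overall": overall,
        "high_risk": overall < HIGH_RISK_THRESHOLD,
        "dimensions": per_dim,
        "remediation_order": order,
    }


# Constructed sample: a supplier with strong security of its own, but no
# signed contract or DPA, no exit plan and no visibility of fourth parties.
SAMPLE_ANSWERS = [
    4, 4, 3,   # supplier security
    3, 2, 3,   # data held and access granted
    1, 2, 1,   # contract and DPA
    3, 3, 4,   # data location
    2, 1, 2,   # dependency and exit plan
    1, 1, 2,   # fourth parties
    2, 3, 3,   # evidence and assurance
]

if __name__ == "__main__":
    result = score_supplier(SAMPLE_ANSWERS)
    print(f"overall {result['overall']}  high risk: {result['high_risk']}")
    for name in result["remediation_order"]:
        print(f"  {result['dimensions'][name]:5.1f}  {name}")
```

The sample supplier totals 50 points, which rescales to 46.0 and is flagged, even though its own security dimension scores 88.9; the remediation order puts contract and fourth-party visibility first, which is the gap a questionnaire is then used to close.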
Not every supplier needs the same scrutiny. Good practice, and what ISO 27001 and the NCSC both expect, is a risk-based, tiered approach: put your effort into the suppliers that hold the most data, have the most access, or are hardest to replace. Run this assessment for your most critical suppliers first. The result will also tell you whether you are matching scrutiny to how critical the supplier actually is.
Fourth parties are the suppliers sitting behind your supplier: the sub-processors, hosting providers and tools they rely on to deliver your service. They matter because a failure or breach several steps down the chain can still reach your data, and under UK GDPR your supplier's sub-processors are still your accountability. Most organisations have no visibility past their direct supplier, which is exactly where this assessment pushes you to look.
Concentration risk is the danger of relying too heavily on a single supplier, so that if they fail, a large part of your organisation stops working. It is a growing regulatory concern: the FCA, PRA and Bank of England have introduced a regime for critical third parties to the UK financial sector precisely because of it. Even outside financial services, knowing what would break if a key supplier disappeared, and having an exit plan, is now basic resilience.
A strong score does not mean the supplier is secure. It means you are managing this relationship well as you have described it, based on your answers. It is a board-ready signal and a starting artefact, not an audit of the supplier or a guarantee. The supplier's actual security still needs independent evidence, and the assessment is only as accurate as the answers you give. Treat a high score as confidence to proceed, not as certification.
This is not a formal audit or certification. It is a free self-assessment to help you see where a supplier relationship is exposed and where a deeper review would pay back. It is not a substitute for a formal supplier audit, an ISO 27001 certification, a penetration test, or legal advice on your contracts and data processing agreements. Starkhorn is an independent advisory consultancy; we do not sell certification, insurance, software or supplier-introduction commission.
Your assessment runs in your browser and the result is shown on screen. We do not ask for, or capture, the supplier's name. To see your full result we ask for your name, work email, organisation and consent, so we can send you a copy and occasional relevant guidance. We do not sell your data, and you can unsubscribe at any time. See our privacy policy for the detail.