Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Third-Party Risk Management, GRC

Tiering 101: The Most Effective Method for Assessing The Right Vendors

Tiering 101: The Most Effective Method for Assessing The Right Vendors
Written by

Ellie Owen

Published on

20 Oct 2021

Tiering 101: The Most Effective Method for Assessing The Right Vendors


In this guide, we’re going to explore vendor coverage and how, through tools such as vendor risk management software, organisations can best identify third-party vendors with a high-risk level.


Vendor coverage is something that all organisations think about; in fact, in 2021, 51% of businesses reported third-party risk incidents. However, with finite resources, it’s difficult to optimise your vendor portfolio through the rigorous assessment of every single supplier – but it can be done. 


To help you set up sustainable, realistic processes, we’ll talk you through a series of tips and best practices.

Where to Start

With a well-organised, efficient vendor risk management process, you can mitigate risks without adding strain to your security team. Achieving this is possible with proper guidance and tools, and the results are undeniable: 


27% of businesses that didn’t have a third-party risk management programme in place suffered high-impact incidents, compared to only 2% of businesses that did.


So how can we achieve these results?

First, you should address whether you have a clear picture of your vendors within your business. If the answer is “no,” this is a great place to start. 


Before any progress can be made in the vendor assessment process, you need to be aware of what suppliers are working with your company and what goods and services they provide you. Without this data, you won’t know what you should be assessing. 


To address this, you should collect a list of your known vendors from procurement and add them to your vendor register. Key information should be recorded, such as the goods and services vendors provide and contact.


Now you have your list; we should address the elephant in the room. 


You won’t be able to assess all your vendors every year without a huge team. Therefore, you should simply aim to get as close to 100% understanding of your vendors while remaining realistic. Often, businesses assess the top 25% of vendors by financial status; this is because the highest risk is usually with the vendors you spend the most money with – as such, we consider that a key factor. 


Although there are different angles to consider, we suggest organisations develop a simple and repeatable strategy to categorise vendors quickly to help with this. This strategy is often called a tiering assessment, which guides us neatly into our Tiering 101.

Defining 100% Coverage

It is critical to understand from the outset that, while you should be aiming to achieve 100% coverage, this doesn’t involve evaluating every vendor. For most companies, an intensive programme of planning, testing, evaluation, and remediation for every vendor, annually, is impossible. But, because tiering provides you with an indicative importance and risk level of the vendor to your business, it allows you to focus your resources on the ones that matter most to your business.


Why are Tiering Assessments Important?

A fit-for-purpose tiering assessment should remove any reliance on “gut feeling,” be consistent and ensure a focus on what matters to the business. 


Your tiering assessment should focus on risk factors that you have identified as having the most potentially critical impact on your business. These factors might include things like:

  • Type and sensitivity level of the data the vendors handle
  • Contract value
  • Level of access to your data, premises, or customers
  • Compliance certifications
  • Any reputational impact they carry


One way to approach the assessment is by using simple scores weighted against your choosing tiering factors, enabling you to rank vendors with increasing trust levels successfully. These levels can be something like InformalTrustedPartner, or Strategic. This will allow your third-party risk team to understand and prioritise their efforts to establish and assure trust.

Setting Up Your Vendor Risk Management Process

You know who the vendors are and have worked out the priorities and activities. 


You now need to create the process to execute this. Every business will have a unique approach that is explicit to its requirements, but most will include the following components.

  • Assess a large proportion of the top-tier vendors every year
  • Ensure all new vendors are being tiered
  • Revisit all tiering assessments every 2 years or with any change to the scope of the engagements
  • Assess the secondary tier every 2-3 years


It is important to note that a one-size-fits-all assessment process simply won’t work. 


You should adjust questions directly to specific vendors, depending on their individual risk profiles. For example, you wouldn’t have any desire to ask a technology vendor the same 50 questions you posed to your office supplier. It’s one of the numerous ways you can tailor tiered assessments to work for your company and significantly lessen its vulnerability.

The Key Takeaway: Vendor Risk Management Software

While 100% assessment of vendors is unrealistic, it is possible to safely manage your list of vendors to minimise risk. One of the fastest, simplest, and most efficient ways to tailor your vendor risk assessment, and stay ahead of assessment schedules, is through vendor risk management software. Automatic follow-ups, easy-to-access dashboards, and intuitive vendor questionnaire building tools make your third-party risk management a smoother operation. Take a look at SureCloud’s solution for more features.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management (IRM) products, Cybersecurity, and Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with IRM solutions enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.