Most organisations have more IT vendor relationships than they can effectively govern. Here is how to build a vendor management programme that actually protects you.
The Vendor Inventory Problem
Most IT organisations cannot produce a complete list of their technology vendors on demand. SaaS tools purchased by departments without IT involvement — shadow IT — are not in the vendor register. Tools purchased by IT two CIOs ago are still being renewed automatically without anyone evaluating whether they are still necessary or whether the contract terms are still acceptable. Before you can manage vendors, you need to know who they are. A vendor discovery exercise — auditing AP records, credit card statements, and Active Directory SSO integrations — typically reveals 30-50% more vendors than IT knew existed.
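The discovery exercise is a reconciliation problem: the same vendor appears under different names in accounts payable, on card statements (often behind a payment-processor prefix such as "SQ *" or "PAYPAL *") and in the identity provider's application list. The following is an added example, not code from the article: it normalises names from the three sources into a comparison key, drops everything already in the register, and ranks what is left so that vendors that both take money and hold an SSO integration surface first. The sample records, the noise-word list and the card-prefix pattern are constructed assumptions; a real run would read AP and card exports and an application export from the identity provider instead.

```python
"""Reconcile vendor evidence from AP, card statements and SSO against the register.

Added example. All input records below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Legal suffixes and noise words that differ between AP, card descriptors and
# SSO display names for the same vendor (assumed list; extend for your data).
_NOISE = re.compile(r"\b(inc|llc|ltd|limited|corp|corporation|co|gmbh|plc|the|sso|saas)\b")
# Card-processor prefixes that precede the real merchant name (assumed list).
_CARD_PREFIX = re.compile(r"^(sq|paypal|amzn mktp|stripe)\s*\*\s*")
_NON_ALNUM = re.compile(r"[^a-z0-9 ]")


def normalise(name: str) -> str:
    """Collapse a vendor name to a comparison key: lowercase, strip card-processor
    prefixes, punctuation and legal suffixes, and squeeze whitespace."""
    key = _CARD_PREFIX.sub("", name.lower())
    key = _NON_ALNUM.sub(" ", key)
    key = _NOISE.sub(" ", key)
    return " ".join(key.split())


@dataclass
class Finding:
    key: str                                   # normalised vendor key
    names: set = field(default_factory=set)    # raw spellings seen
    sources: set = field(default_factory=set)  # subset of {"ap", "card", "sso"}
    annual_spend: float = 0.0


def discover(register, ap_records, card_lines, sso_apps):
    """Return Findings for vendors present in the evidence but absent from the register.

    register:   iterable of registered vendor names
    ap_records: iterable of (payee, amount)
    card_lines: iterable of (merchant_descriptor, amount)
    sso_apps:   iterable of application display names from the identity provider
    """
    known = {normalise(n) for n in register}
    found: dict = {}

    def note(name, source, amount=0.0):
        key = normalise(name)
        if not key or key in known:
            return
        f = found.setdefault(key, Finding(key))
        f.names.add(name)
        f.sources.add(source)
        f.annual_spend += amount

    for payee, amount in ap_records:
        note(payee, "ap", amount)
    for descriptor, amount in card_lines:
        note(descriptor, "card", amount)
    for app in sso_apps:
        note(app, "sso")

    # SSO-integrated vendors first (they hold access), then by spend, then by name.
    return sorted(found.values(),
                  key=lambda f: ("sso" not in f.sources, -f.annual_spend, f.key))


# Constructed sample data: three register entries and evidence from three sources.
REGISTER = ["Acme Corp", "Globex Inc.", "Initech"]
AP_RECORDS = [("Acme Corporation", 120000.0), ("Hooli LLC", 48000.0), ("Initech", 9000.0)]
CARD_LINES = [("SQ *FLOWMETRICS", 299.0), ("PAYPAL *HOOLI", 1200.0), ("Globex Ltd", 500.0)]
SSO_APPS = ["Acme SSO", "Hooli", "Flowmetrics SaaS", "Vandelay Industries"]

if __name__ == "__main__":
    for f in discover(REGISTER, AP_RECORDS, CARD_LINES, SSO_APPS):
        print(f"{f.key:<22} sources={sorted(f.sources)} spend={f.annual_spend:,.0f} "
              f"as={sorted(f.names)}")
```

Running it on the sample data reports Hooli (paid through AP and a card, and SSO-integrated), Flowmetrics (card-only spend with an SSO app) and Vandelay Industries (an SSO application with no payment trail at all), while Acme, Globex and Initech are matched to the register despite their different spellings. The last category, access without spend, is the one worth chasing first: it is often a free tier or a trial that someone connected to the directory.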
Risk Tiering Vendors
Not all vendor relationships carry the same risk. Tier vendors by their access to your data and systems, and let the tier determine the depth of review:
- Tier 1 (Critical): vendors that process regulated data (customer PII, PHI, payment card data within the CDE) or hold privileged access to your infrastructure. Require an annual security assessment, evidence of recent penetration testing, and contractual data processing terms.
- Tier 2 (High): vendors that access sensitive internal data or provide critical operational services. Require a current SOC 2 report or ISO 27001 certificate at each annual renewal.
- Tier 3 (Standard): productivity tools with no regulated data access. Standard contract review and annual verification that the tool is still in active use.
Contract Hygiene That Protects You
Three contract provisions that most IT vendor agreements are missing: data breach notification SLAs (the vendor must notify you within a specific number of hours or days after discovering a breach, not 'without undue delay'); sub-processor disclosure (you have the right to a current list of who else processes your data on the vendor's behalf, and to be told before that list changes); and right to audit (the right to request a SOC 2 report or third-party security assessment annually). These provisions are standard in GDPR Article 28 data processing agreements and increasingly standard in US enterprise contracts; a vendor that resists them is telling you something about its security posture.
Offboarding That Actually Removes Access
Vendor offboarding is the most consistently neglected part of vendor management. When a vendor relationship ends, access to your systems must be revoked (user accounts, service accounts, API keys, VPN and SSO integrations), data must be returned or destroyed per the contract terms with written confirmation, and any shared credentials must be rotated. ISO 27001's supplier relationship controls and SOC 2's vendor management criteria both expect documented vendor offboarding procedures. In practice, most organisations have no offboarding checklist and former vendor accounts remain active for months after contract termination. Automate offboarding reminders in your vendor register, with a 30-day and a final-day notice keyed to the contract end date, and periodically check the identity provider for enabled accounts attributed to vendors whose contracts have already ended.
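The two automations described above, the dated reminders and the check for accounts that outlive their contract, fit in a few dozen lines once the register records a contract end date and a data-disposition term per vendor and each vendor-provisioned principal in the directory carries a vendor attribution. The following is an added example, not code from the article. The register layout, the vendor attribution on accounts, the checklist wording and the sample records are all assumptions made for illustration; the contract-end dates are constructed.

```python
"""Offboarding reminders and stale vendor-account detection from a vendor register.

Added example. Register entries and directory accounts below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REMINDER_DAYS = (30, 0)  # notice at 30 days before contract end and on the final day


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: int
    contract_end: date
    data_disposition: str  # "return" or "destroy", as agreed in the contract


@dataclass(frozen=True)
class Account:
    principal: str           # user, service account or API key identifier
    vendor: str              # vendor the principal was provisioned for (assumed attribute)
    enabled: bool
    last_login: Optional[date]


def checklist(v: Vendor) -> List[str]:
    """Offboarding steps the article names, with the contract's disposition term filled in."""
    steps = [
        f"revoke all {v.name} access: users, service accounts, API keys, VPN, SSO integration",
        f"{v.data_disposition} all {v.name}-held data and obtain written confirmation",
        f"rotate every shared credential or secret {v.name} was given",
    ]
    if v.tier in (1, 2):
        # Assumed addition for higher tiers: disposition must cover sub-processors too.
        steps.append("obtain confirmation that listed sub-processors have also disposed of the data")
    return steps


def reminders(vendors: List[Vendor], today: date) -> List[Tuple[str, int, List[str]]]:
    """(vendor, days_left, checklist) for every vendor hitting a reminder day today."""
    out = []
    for v in vendors:
        days_left = (v.contract_end - today).days
        if days_left in REMINDER_DAYS:
            out.append((v.name, days_left, checklist(v)))
    return out


def stale_accounts(vendors: List[Vendor], accounts: List[Account],
                   today: date, grace_days: int = 0) -> List[Tuple[Account, int]]:
    """Enabled principals attributed to a vendor whose contract ended more than
    grace_days ago, with how many days past contract end they have survived."""
    ends = {v.name: v.contract_end for v in vendors}
    stale = []
    for a in accounts:
        end = ends.get(a.vendor)
        if end is None or not a.enabled:
            continue
        if today > end + timedelta(days=grace_days):
            stale.append((a, (today - end).days))
    return stale


# Constructed register and directory export for a run dated 2024-06-01.
TODAY = date(2024, 6, 1)
VENDORS = [
    Vendor("Hooli", 1, date(2024, 7, 1), "destroy"),        # 30 days out
    Vendor("Flowmetrics", 3, date(2024, 6, 1), "return"),   # ends today
    Vendor("Vandelay", 2, date(2024, 1, 15), "destroy"),    # ended months ago
    Vendor("Acme", 1, date(2025, 3, 31), "return"),
]
ACCOUNTS = [
    Account("svc-vandelay-sync", "Vandelay", True, date(2024, 5, 28)),
    Account("vandelay-contractor", "Vandelay", False, date(2024, 1, 10)),
    Account("hooli-api-key-7", "Hooli", True, date(2024, 5, 31)),
    Account("acme-support", "Acme", True, date(2024, 5, 30)),
]

if __name__ == "__main__":
    for name, days_left, steps in reminders(VENDORS, TODAY):
        print(f"{name}: contract ends in {days_left} day(s)")
        for s in steps:
            print(f"  - {s}")
    for acct, days_past in stale_accounts(VENDORS, ACCOUNTS, TODAY):
        print(f"STALE: {acct.principal} ({acct.vendor}) enabled {days_past} days after contract end, "
              f"last login {acct.last_login}")
```

On the sample data the run emits a 30-day notice for Hooli and a final-day notice for Flowmetrics, each with its checklist, and flags svc-vandelay-sync: an enabled service account, logged into four days ago, 138 days after the Vandelay contract ended. Scheduling this against a real identity-provider export turns the "accounts remain active for months" failure into a finding you see the first week it happens.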
- Vendor discovery (AP records, credit cards, SSO audits) typically reveals 30-50% more vendors than IT knew existed
- Tier vendors by data access and system privilege — tier assignment determines the depth of annual security review
- Require data breach notification SLAs, sub-processor disclosure, and right-to-audit clauses in all Tier 1 and Tier 2 agreements
- Vendor offboarding must include access revocation, data disposition, and credential rotation — document and automate the checklist