The process of evaluating a third-party vendor's security posture (often via their SOC 2 report or a questionnaire) before and during the relationship.
A vendor risk assessment reviews what data a vendor will touch, what compliance artifacts they can produce (SOC 2 report, ISO certificate, questionnaire responses), and any exceptions or gaps noted in those artifacts. Vendors are typically tiered by risk (based on data sensitivity and access) and reassessed on a cadence tied to that tier.