Third-Party Vendor Risk Assessment for SMBs: The Practical Template

Mar 24, 2026 · Written by Yves Soete, BlackSight LLC. Scan your vendor stack free at scanner.blacksight.io

SMBs can manage third-party vendor risk without enterprise TPRM software by maintaining a spreadsheet inventory of all vendors, scoring each by data sensitivity and business criticality on a 1-to-4 scale, sending a focused six-question security questionnaire to the top-risk vendors, and setting up lightweight continuous monitoring through status pages, news alerts, and runtime supply-chain scanning.

Third-party vendor risk management (TPRM) is the category enterprises spend six figures on and small businesses ignore entirely. The gap is strange, because the attack surface is identical: every third-party service you use is a potential breach path, regardless of your company size. The difference is that enterprises staff a team and tool stack for it, and SMBs skip it. This template is what we actually use with BlackSight partner companies, stripped of the enterprise bloat, and usable in a spreadsheet by a single operator.



How do you build an honest vendor inventory?



Most SMBs underestimate their vendor count by half. A quick method: open your last three months of credit card statements, pull every SaaS line item. Open your company SSO provider and list every application. Open your web page in DevTools and list every external script domain. Cross-reference. You will typically end up with 40 to 90 vendors for a 20-person company, and most operators are surprised by the number.

For each vendor, capture: name, category, primary business purpose, internal owner, approximate annual spend, data types shared (none, PII, financial, health, etc.), and whether they have production access to any system. That is the entire base table.
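The DevTools step above (list every external script domain your page loads) is the one part of the inventory method that can be done from a saved copy of the page rather than by hand. The script below is an added example, not BlackSight tooling: it parses a constructed HTML sample with the standard library, resolves relative and protocol-relative script URLs against the page's own origin, and returns the distinct third-party hosts that end up as inventory rows. The hostnames in the sample are illustrative only.

```python
"""Offline equivalent of the DevTools step: list the third-party hosts that serve
scripts to a page. Added example; the HTML below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a small marketing page might load.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.example-analytics.com/tag.js" async></script>
<script>window.dataLayer = [];</script>
<script src="https://www.example.com/vendor/chat.js"></script>
<script src="https://js.stripe.com/v3/"></script>
</head><body><p>hello</p></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value, including duplicates."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html, page_origin):
    """Return the sorted, de-duplicated hosts that serve scripts to this page and
    are not the page's own host. Same-origin relative paths ('/static/app.js')
    are skipped; protocol-relative URLs ('//cdn...') are counted."""
    own_host = (urlparse(page_origin).hostname or "").lower()
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        parsed = urlparse(src)
        if parsed.scheme == "" and parsed.netloc == "":
            continue  # relative path on our own origin
        host = (parsed.hostname or "").lower()
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    # Each host printed here is a vendor that belongs in the inventory.
    for host in external_script_hosts(SAMPLE_HTML, "https://www.example.com"):
        print(host)
```

Run it against the saved HTML of each public page and merge the output with the credit-card and SSO lists; inline scripts are not attributed to a host here, so dynamically injected tags still need a look in the browser.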



How do you score vendors by risk?



Enterprise TPRM platforms use dozens of scoring dimensions. For an SMB, two is enough: data sensitivity (none / PII / financial or health / production access) and vendor criticality (if this vendor goes down, how bad is the hit). A 1 to 4 score on each gives you a 4x4 matrix. The top-right quadrant is where you focus: high-sensitivity data and high criticality. That is usually five to ten vendors, not all 80.

Typical top-right quadrant for a 20-person SMB: payment processor, HR/payroll platform, email and calendar provider, password manager, cloud infrastructure, customer data platform. Everything else gets lighter treatment.



What questionnaire works at SMB scale?



Enterprise TPRM questionnaires run hundreds of questions. For SMB use, six questions cover 80 percent of the real risk signal. First: do you have a SOC 2 Type II, ISO 27001, or equivalent third-party audit, and can we see the latest report. Second: what is your breach-notification SLA and have you ever invoked it. Third: who has access to our data in your systems, and how is that access controlled. Fourth: do you subprocess our data to other vendors — if yes, list them. Fifth: what is your incident response process and who is the contact. Sixth: what data is retained after we terminate, and how is deletion verified.

For your top-quadrant vendors, insist on answers in writing. For mid-tier vendors, public documentation usually covers it. For low-risk vendors, the questionnaire is optional — an inventory entry is sufficient.



What does continuous monitoring mean in practice?



A questionnaire captures a snapshot. The vendor was fine the day they answered. The question is what happens six months later when they have a breach, a key employee leaves, their subprocessor changes, or they deprecate a feature you depend on. Enterprise TPRM platforms sell continuous monitoring as their main value. For SMB use, three lightweight habits cover most of it.

Subscribe to status pages and security-mailing-list updates for every top-quadrant vendor. Set up Google News alerts for each vendor name plus "breach" or "incident." Once a quarter, re-run the lightweight questionnaire — even just "has anything changed since last time." That last one finds 80 percent of real risk changes and takes an afternoon.

For the web-facing side specifically, tooling like BlackSight's supply-chain scanner watches the scripts vendors load on your site and catches compromise events faster than status-page subscriptions do. That covers the specific failure mode where a vendor's compromise becomes your outage without them yet knowing.



What columns go in the spreadsheet?



Columns that matter: vendor name, category, internal owner, annual spend, data sensitivity score (1-4), criticality score (1-4), combined risk tier (top-quadrant, mid, low), last questionnaire date, next review date, SOC 2 or equivalent on file (Y/N/link), contract renewal date, deletion-on-termination confirmed (Y/N), monitoring method (status page, news alert, runtime scanner, none). Add a notes column for anything that does not fit elsewhere.

Fourteen columns, filterable by tier. You can maintain it in Google Sheets or Notion; you do not need a TPRM platform.
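The scoring rules from the "How do you score vendors by risk?" section and the fourteen columns listed above fit in one small script. The following is an added example, not BlackSight's own template: it scores data sensitivity on the article's ladder (none / PII / financial or health / production access), takes criticality as a 1-to-4 business judgement, assigns the tier, derives a next review date, and writes the sheet as CSV. Two things are this example's assumptions, not the article's: the quadrant cut-off (both scores 3 or higher is top-quadrant, both 2 or lower is low, anything else is mid) and the review cadence (quarterly for top-quadrant, yearly for mid, none for low). The vendors in the sample are placeholders.

```python
"""Vendor inventory -> scored, fourteen-column risk sheet. Added example, not
BlackSight's template; thresholds and cadence are assumptions noted in comments."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Data-sensitivity ladder from the article; production access is handled separately.
SENSITIVITY_RANK = {"none": 1, "pii": 2, "financial": 3, "health": 3}
TODAY = date(2026, 3, 24)  # fixed so the output is reproducible


@dataclass
class Vendor:
    name: str
    category: str
    owner: str
    annual_spend: int
    data_types: List[str]            # e.g. ["pii", "financial"]
    production_access: bool
    criticality: int                 # 1-4: how bad is it if this vendor goes down
    last_questionnaire: Optional[date] = None
    soc2_on_file: str = "N"          # Y / N / link
    contract_renewal: Optional[date] = None
    deletion_confirmed: str = "N"
    monitoring: str = "none"         # status page / news alert / runtime scanner / none
    notes: str = field(default="")


def sensitivity_score(data_types, production_access):
    """Production access is the top rung regardless of data shared; otherwise the
    most sensitive data type sets the score (unknown labels count as 'none')."""
    if production_access:
        return 4
    return max((SENSITIVITY_RANK.get(t.lower(), 1) for t in data_types), default=1)


def risk_tier(sensitivity, criticality):
    """Assumed quadrant rule for the 4x4 matrix."""
    if sensitivity >= 3 and criticality >= 3:
        return "top-quadrant"
    if sensitivity <= 2 and criticality <= 2:
        return "low"
    return "mid"


# Assumed cadence: quarterly re-check for top quadrant, yearly for mid, none for low.
REVIEW_INTERVAL = {"top-quadrant": timedelta(days=90), "mid": timedelta(days=365)}


def next_review(tier, last_questionnaire, today):
    interval = REVIEW_INTERVAL.get(tier)
    if interval is None:
        return ""                       # low tier: inventory entry only
    if last_questionnaire is None:
        return today.isoformat()        # never asked: due now
    return (last_questionnaire + interval).isoformat()


COLUMNS = ["vendor name", "category", "internal owner", "annual spend",
           "data sensitivity score", "criticality score", "combined risk tier",
           "last questionnaire date", "next review date", "SOC 2 or equivalent on file",
           "contract renewal date", "deletion-on-termination confirmed",
           "monitoring method", "notes"]


def build_rows(vendors, today):
    """One dict per vendor, keyed by the fourteen column names."""
    rows = []
    for v in vendors:
        sens = sensitivity_score(v.data_types, v.production_access)
        tier = risk_tier(sens, v.criticality)
        rows.append({
            "vendor name": v.name, "category": v.category, "internal owner": v.owner,
            "annual spend": v.annual_spend, "data sensitivity score": sens,
            "criticality score": v.criticality, "combined risk tier": tier,
            "last questionnaire date": v.last_questionnaire.isoformat() if v.last_questionnaire else "",
            "next review date": next_review(tier, v.last_questionnaire, today),
            "SOC 2 or equivalent on file": v.soc2_on_file,
            "contract renewal date": v.contract_renewal.isoformat() if v.contract_renewal else "",
            "deletion-on-termination confirmed": v.deletion_confirmed,
            "monitoring method": v.monitoring, "notes": v.notes,
        })
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample inventory; names are placeholders, not real vendors.
SAMPLE_VENDORS = [
    Vendor("PayCo", "payment processor", "finance", 12000, ["financial", "pii"], False, 4,
           date(2026, 1, 15), "Y", date(2026, 12, 1), "Y", "status page"),
    Vendor("CloudHost", "cloud infrastructure", "eng", 30000, ["pii"], True, 4,
           None, "Y", None, "N", "status page"),
    Vendor("SlideTool", "presentation SaaS", "marketing", 600, ["none"], False, 1),
    Vendor("MailBlast", "newsletter", "marketing", 2400, ["pii"], False, 3,
           date(2025, 9, 1), "N", None, "N", "news alert"),
]

if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_VENDORS, TODAY)))
```

Paste the CSV into Google Sheets or Notion and filter on "combined risk tier"; the two top-quadrant rows in the sample are exactly the ones that get the written six-question questionnaire, and "next review date" gives the quarterly re-check a concrete date.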



When should you graduate to actual TPRM software?



Three triggers. When you have more than 15 top-quadrant vendors and the spreadsheet becomes genuinely painful to maintain. When a customer or regulator requires evidence of a documented TPRM program with audit trail (SOC 2 Type II under TSP-05 carve-outs, for example). When you hire a dedicated security or compliance person whose job is to run the program. Until then, a spreadsheet and an hour a month is more than most SMBs do and more than 80 percent of what enterprise platforms deliver.

Scan your runtime vendor scripts at scanner.blacksight.io/supply-chain-security
