Third-Party Vendor Risk Assessment for SMBs: The Practical Template

Yves Soete · 7 min read · Mar 24, 2026

Written by Yves Soete, Blacksight LLC. Scan your vendor stack free at scanner.blacksight.io

Third-party vendor risk management (TPRM) is the category enterprises spend six figures on and small businesses ignore entirely. The gap is strange, because the attack surface is identical: every third-party service you use is a potential breach path, regardless of your company size. The difference is that enterprises staff a team and tool stack for it, and SMBs skip it. This template is what we actually use with BlackSight partner companies, stripped of the enterprise bloat, and usable in a spreadsheet by a single operator.



Start with an honest vendor inventory



Most SMBs underestimate their vendor count by half. A quick method: open your last three months of credit card statements, pull every SaaS line item. Open your company SSO provider and list every application. Open your web page in DevTools and list every external script domain. Cross-reference. You will typically end up with 40 to 90 vendors for a 20-person company, and most operators are surprised by the number.

For each vendor, capture: name, category, primary business purpose, internal owner, approximate annual spend, data types shared (none, PII, financial, health, etc.), and whether they have production access to any system. That is the entire base table.
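The DevTools step above (list every external script domain) can be repeated offline over saved page HTML so the result lands straight in the inventory. This is an added example, not code from the article or from BlackSight: the sample page and its hostnames are constructed, and the first-party rule (the page's own host plus its subdomains) is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, not a real site: first-party, relative,
# protocol-relative and third-party script tags plus one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/assets/vendor.js"></script>
<script src="//analytics.example.net/tag.js" async></script>
<script src="https://js.payments-example.com/v3/"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<script src="https://widget.chatvendor.example/embed.js"></script>
<script src="HTTPS://Analytics.Example.net/other.js"></script>
</body></html>
"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (inline ones have none)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def external_script_hosts(html, page_url):
    """Sorted set of third-party hosts serving scripts on the page.
    The page's own host and its subdomains count as first-party (assumption);
    every other host is a vendor that belongs in the inventory."""
    own = urlsplit(page_url).hostname.lower()
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        host = urlsplit(urljoin(page_url, src)).hostname
        if not host:          # data: URLs and the like carry no host
            continue
        host = host.lower()
        if host != own and not host.endswith("." + own):
            hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    print(external_script_hosts(SAMPLE_HTML, "https://shop.example/checkout"))
```

Run it against each public page you save, then cross-reference the hosts with the card statements and SSO list as the section describes.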



Score vendors by two simple axes



Enterprise TPRM platforms use dozens of scoring dimensions. For an SMB, two is enough: data sensitivity (none / PII / financial or health / production access) and vendor criticality (if this vendor goes down, how bad is the hit). A 1 to 4 score on each gives you a 4x4 matrix. The top-right quadrant is where you focus: high-sensitivity data and high criticality. That is usually five to ten vendors, not all 80.

Typical top-right quadrant for a 20-person SMB: payment processor, HR/payroll platform, email and calendar provider, password manager, cloud infrastructure, customer data platform. Everything else gets lighter treatment.



The questionnaire that works at this scale



Enterprise TPRM questionnaires run hundreds of questions. For SMB use, six questions cover 80 percent of the real risk signal. First: do you have a SOC 2 Type II, ISO 27001, or equivalent third-party audit, and can we see the latest report. Second: what is your breach-notification SLA and have you ever invoked it. Third: who has access to our data in your systems, and how is that access controlled. Fourth: do you subprocess our data to other vendors — if yes, list them. Fifth: what is your incident response process and who is the contact. Sixth: what data is retained after we terminate, and how is deletion verified.

For your top-quadrant vendors, insist on answers in writing. For mid-tier vendors, public documentation usually covers it. For low-risk vendors, the questionnaire is optional — an inventory entry is sufficient.



What continuous monitoring means in practice



A questionnaire captures a snapshot. The vendor was fine the day they answered. The question is what happens six months later when they have a breach, a key employee leaves, their subprocessor changes, or they deprecate a feature you depend on. Enterprise TPRM platforms sell continuous monitoring as their main value. For SMB use, three lightweight habits cover most of it.

Subscribe to status pages and security-mailing-list updates for every top-quadrant vendor. Set up Google News alerts for each vendor name plus "breach" or "incident." Once a quarter, re-run the lightweight questionnaire — even just "has anything changed since last time." That last one finds 80 percent of real risk changes and takes an afternoon.

For the web-facing side specifically, tooling like BlackSight's supply-chain scanner watches the scripts vendors load on your site and catches compromise events faster than status-page subscriptions do. That covers the specific failure mode where a vendor's compromise becomes your outage without them yet knowing.



What to actually put in the spreadsheet



Columns that matter: vendor name, category, internal owner, annual spend, data sensitivity score (1-4), criticality score (1-4), combined risk tier (top-quadrant, mid, low), last questionnaire date, next review date, SOC 2 or equivalent on file (Y/N/link), contract renewal date, deletion-on-termination confirmed (Y/N), monitoring method (status page, news alert, runtime scanner, none). Add a notes column for anything that does not fit elsewhere.

Fourteen columns. Filterable by tier. You can maintain it in Google Sheets or Notion, you do not need a TPRM platform.
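The two-axis scoring from the "Score vendors" section and the fourteen-column sheet above, combined into one small register builder. This is an added example, not from the article or BlackSight: the tier cut lines (both scores 3 or 4 is top-quadrant, both 1 or 2 is low, anything else mid) and the mid and low review intervals are assumptions, and the vendors are constructed.

```python
from datetime import date, timedelta

# The fourteen columns from the article, in its order.
COLUMNS = ["vendor", "category", "owner", "annual_spend", "data_sensitivity",
           "criticality", "risk_tier", "last_questionnaire", "next_review",
           "soc2_on_file", "contract_renewal", "deletion_confirmed",
           "monitoring", "notes"]
# Review cadence per tier. Quarterly for the focus list follows the article;
# the mid and low intervals are this example's assumption.
REVIEW_DAYS = {"top-quadrant": 91, "mid": 182, "low": 365}

def risk_tier(sensitivity, criticality):
    """Place a vendor on the 4x4 matrix. Top-quadrant = both scores 3 or 4,
    low = both 1 or 2, mid = anything else (cut lines are an assumption)."""
    if not all(1 <= s <= 4 for s in (sensitivity, criticality)):
        raise ValueError("scores must be in 1-4")
    if sensitivity >= 3 and criticality >= 3:
        return "top-quadrant"
    if sensitivity <= 2 and criticality <= 2:
        return "low"
    return "mid"

def build_register(vendors):
    """Fill the derived columns (tier, next review) and normalise to COLUMNS."""
    rows = []
    for v in vendors:
        tier = risk_tier(v["data_sensitivity"], v["criticality"])
        last = date.fromisoformat(v["last_questionnaire"])
        row = {c: v.get(c, "") for c in COLUMNS}
        row["risk_tier"] = tier
        row["next_review"] = (last + timedelta(days=REVIEW_DAYS[tier])).isoformat()
        rows.append(row)
    return rows

def overdue_reviews(rows, today_iso):
    """Vendors whose re-questionnaire date has passed as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [r["vendor"] for r in rows if date.fromisoformat(r["next_review"]) < today]

# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    {"vendor": "PayCo", "category": "payments", "owner": "finance", "data_sensitivity": 4,
     "criticality": 4, "last_questionnaire": "2025-11-01", "soc2_on_file": "Y"},
    {"vendor": "ChatWidget", "category": "support", "owner": "ops", "data_sensitivity": 2,
     "criticality": 3, "last_questionnaire": "2025-06-15", "monitoring": "runtime scanner"},
    {"vendor": "StockPhotos", "category": "marketing", "owner": "marketing",
     "data_sensitivity": 1, "criticality": 1, "last_questionnaire": "2025-06-01"},
]
```

Writing the rows out with csv.DictWriter over COLUMNS gives the sheet the section describes, already filterable by tier.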



When to graduate to actual TPRM software



Three triggers. When you have more than 15 top-quadrant vendors and the spreadsheet becomes genuinely painful to maintain. When a customer or regulator requires evidence of a documented TPRM program with audit trail (SOC 2 Type II under TSP-05 carve-outs, for example). When you hire a dedicated security or compliance person whose job is to run the program. Until then, a spreadsheet and an hour a month is more than most SMBs do and more than 80 percent of what enterprise platforms deliver.

Scan your runtime vendor scripts at scanner.blacksight.io/supply-chain-security

Liked this article? Get notified when new articles drop — visit blacksight.io/blog to subscribe.
