Vendor risk management

Risk Identification & Assessment

Supply chains are complex, organic networks of relationships that grow extensively over time. Businesses need to be able to answer the following questions:

  • Do you know who is in your end-to-end supply chain?
  • What is the overall risk in your supply chain, and where is it concentrated?
  • Do you know how Vendors use or send your data?
  • Are you confident in the maturity of their own security?
  • What actions should you be asking the weaker vendors to take?
  • How would you defend your position, if a vendor was breached?

The assessment of different vendors needs to be proportionate to the risk they represent, but the judgements need to be consistent and comparable from both an individual-vendor and an aggregated view. Likewise, treatment requires a holistic approach, from tolerating low risk, through placing remediation actions on a vendor, to terminating a commercial relationship as a last resort.

[Image: OSINT overview and risk indicators, C2 Cyber Ltd]

These are labour intensive, specialist activities with which C2 can help:

  • Defining VRM risk processes and workflows
  • VRM program maturity assessment
  • Developing the business case for VRM
  • Identifying must have risk outcomes
  • Developing an Integrated VRM model
  • Full VRM model implementation or supplementary support for in house assessment processes

Risk Remediation & Mitigation

C2’s heritage is as a fully fledged cyber security company, equipped with all the experience and expertise required to provide the full breadth of solutions. Our services range from risk definition and board advisory, through to the implementation of efficient controls and defences that don’t interrupt the business. We focus on delivering the outcomes that the business needs, and on leaving our clients confident that they can manage the capability they have acquired.

  • Risk assessment
  • Data discovery
  • Security strategy, roadmap and programme development
  • People roles and responsibilities
  • Awareness and training
  • Designing and building security operations for detection and response
  • Security sourcing strategy, RFP development and procurement support
  • Compliance with ISO 27000 standards

Risk Analysis & Evaluation

Customers have relied on homegrown, manual or quasi-automated systems to analyse and evaluate vendor risks. Increased outsourcing, cloud computing adoption, digital transformation, regulatory requirements and growing risks mean that these methods are no longer sustainable or scalable.

Vendor and third-party risks demand a complex set of assessment approaches, processes and workflows that cross organisational boundaries. Conventional, highly customised applications struggle to perform and deliver against their intended use cases. Maintaining the visibility, consistency and security of sensitive data sources, and the integrity of the data itself, does not scale when relying on traditional spreadsheets, documents and emails.

These problems demand a fresh approach.

C2 Cyber’s solution is to assess risk from multiple different perspectives that challenge and validate each other to provide the most proportionate and comprehensive answer. In addition, we blend expert judgement and technological automation.

Services that only look at a vendor’s external vulnerabilities do not provide a reliable indication of the security inside a business. Others that rely on surveys and self-assessments can be onerous for the vendor and assume that questions are answered correctly.

Issues will be missed by entirely technology-based solutions that lack the human in the loop to interpret, challenge and apply judgement. Consultancy-based solutions are not only inefficient but over time lead to inconsistent conclusions. They also present an assessment of the risk only at a moment in time, while the risks themselves evolve and change.

Our service blends technology informed by years of knowledge, with the judgement and intervention of our expert analysts.

We look at a vendor from four different perspectives:

Inherent risk is determined from attributes such as the data types exchanged, the services delivered, volume and criticality.

OSINT Indicators

Publicly available internet data (e.g. DNS record configurations, SIC codes, domain reputation and news feeds) is monitored continuously for indicators of risk.

Vendor responses to questionnaires tailored to the context and risk give a richer, more complete and self-certified picture of vulnerabilities.

Reviews of evidence, site visits and audits enable an analyst to validate controls when required.
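As an added illustration of the four-perspective model described above (this is example code, not C2 Cyber's own tooling), the Python below blends an inherent-risk score, OSINT indicators read from SPF/DMARC DNS TXT records, a self-certified questionnaire score and an analyst evidence-review flag into one comparable rating with proportionate actions. The weightings, thresholds and the DNS records for the two vendor domains are constructed assumptions, so it runs offline.

```python
import re

# Constructed sample DNS TXT records for two hypothetical vendor domains (no live lookups).
SAMPLE_TXT = {
    "vendor-a.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b.example": ["v=spf1 +all"],  # permissive SPF and no DMARC record at all
}
DATA_WEIGHT = {"public": 0, "internal": 1, "personal": 2, "financial": 2, "regulated": 3}
CRIT_WEIGHT = {"low": 0, "medium": 1, "high": 2}

def inherent_risk(data_types, criticality, high_volume):
    """Perspective 1: inherent risk from data exchanged, criticality and volume (0-6)."""
    score = max(DATA_WEIGHT[d] for d in data_types) + CRIT_WEIGHT[criticality]
    return score + (1 if high_volume else 0)

def dns_indicators(domain, txt):
    """Perspective 2: OSINT indicators read from the domain's SPF/DMARC configuration."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif re.search(r"(^|\s)[+?]all\b", spf[0]):
        findings.append("permissive SPF (+all/?all)")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        pol = re.search(r"\bp=(none|quarantine|reject)", dmarc[0], re.I)
        if not pol or pol.group(1).lower() == "none":
            findings.append("DMARC policy not enforcing")
    return findings

def assess_vendor(domain, data_types, criticality, high_volume,
                  questionnaire_pct, evidence_validated, txt=SAMPLE_TXT):
    """Blend all four perspectives into one comparable rating plus proportionate actions."""
    inherent = inherent_risk(data_types, criticality, high_volume)
    findings = dns_indicators(domain, txt)
    score = inherent + len(findings)
    # Perspective 3: self-certified questionnaire; weak answers raise the score.
    score += 2 if questionnaire_pct < 60 else 1 if questionnaire_pct < 80 else 0
    # Perspective 4: analyst-validated evidence lowers reliance on self-certification.
    if evidence_validated:
        score -= 1
    rating = "high" if score >= 6 else "medium" if score >= 3 else "low"
    actions = list(findings)  # DNS hygiene findings become remediation requests
    if inherent >= 4 and not evidence_validated:
        actions.append("request evidence review or audit")  # only where inherent risk warrants it
    return {"inherent": inherent, "score": score, "rating": rating, "actions": actions}
```

Running `assess_vendor("vendor-b.example", ["public"], "low", False, 90, False)` rates the vendor low despite two DNS findings, while the same domain handling regulated, high-criticality data rates high; that is the proportionality the text describes.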

Book a free demo now!
