

Build Your Own Third-Party & Vendor Risk Standard
Your vendors are your biggest unmanaged risk — and auditors know it.
Third-party and vendor risk is one of the top findings in SOC 2 audits, NIST CSF assessments, and ISO 27001 certifications. Most organizations have a vendor list and a questionnaire. That is not a vendor risk program.
In this two-hour workshop, you will build one.
What you'll build:
— A vendor risk tiering model (critical, high, medium, low) based on actual risk
— A risk-based assessment process that scales without overwhelming your team
— A vendor onboarding checklist and ongoing monitoring process
— An evidence package your auditor will accept across NIST, ISO 27001, and SOC 2
— A third-party incident response protocol
What we cover:
— How to classify vendors by actual risk, not just contract size
— What assessments to run and how often
— How to handle vendors who won't complete questionnaires
— The exact controls auditors look for in third-party risk programs
— How this maps across all three frameworks using Build Once, Map to All
Who this is for: CISOs, GRC managers, and security professionals who need a defensible vendor risk program. Also ideal for AI startups whose enterprise clients are asking about supply chain security.
Hosted by Meenu Chadha — founder of Cyber Advisory and fractional vCISO.