Measure supplier exposure securely before onboarding and renewals. Tune weights, add safeguards, and export reports. Turn assessments into actions for stronger third‑party resilience today.
Use 0 (lowest) to 5 (highest). Higher exposure means more third‑party cyber risk and oversight effort.
| Supplier | Service | Sensitivity | Access | Connectivity | Criticality | Maturity | Score | Tier |
|---|---|---|---|---|---|---|---|---|
| Acme Payments | Payments | 5 | 4 | 4 | 5 | 2 | 82.4 | Critical |
| Northwind SaaS | SaaS | 3 | 3 | 2 | 3 | 3 | 54.2 | High |
| BlueSky Logistics | Logistics | 2 | 1 | 1 | 2 | 4 | 24.6 | Low |
Table values are illustrative and show how different exposure drivers influence risk tiers. The table omits the Incident, Geo and Concentration drivers and any safeguard adjustments that also feed the score, so the Score column cannot be recomputed from the columns shown alone.
Each driver is scored from 0 (lowest) to 5 (highest). Control maturity reduces exposure and is inverted.
Score = 20 × (0.18×Sensitivity + 0.16×Access + 0.12×Connectivity + 0.14×Criticality + 0.10×Incident + 0.10×Geo + 0.08×Concentration + 0.12×(5−Maturity)). The eight weights sum to 1.00, so the score ranges from 0 (every driver at 0 and maturity at 5) to 100 (every driver at 5 and maturity at 0); each driver's maximum contribution is 20 × its weight, for example 18 points for Sensitivity and 12 points for (5−Maturity).
Third parties now deliver identity, hosting, payments, and support at scale. That shifts risk outside your perimeter while keeping accountability inside your organization. A structured exposure score creates a common language for security, legal, and procurement, enabling faster decisions and defensible records. It reduces bias by anchoring discussions to measurable inputs and evidence. Over time, scoring reveals which supplier categories create the most exposure and where improvements deliver the largest reductions.
Exposure rises when suppliers handle regulated data, access production systems, or operate persistent integrations such as APIs, agents, or VPN links. Privileged access, token issuance, and administrator tooling magnify blast radius. Business criticality increases urgency because disruption can stop revenue, fulfillment, or customer support. Geography and regulatory environments affect reporting timelines, cross‑border transfer requirements, and enforcement likelihood after incidents. Concentration risk matters when few suppliers provide hard‑to‑replace capabilities.
The calculator weights sensitivity and access heavily because they correlate with impact severity. Connectivity and criticality add operational exposure, while incident history reflects proven weaknesses and response gaps. Control maturity is inverted so mature programs reduce exposure; it represents how reliably a supplier prevents, detects, and contains threats. Evidence can include independent audits, secure SDLC practices, patch SLAs, continuous logging, endpoint hardening, and tabletop exercises. Consistent evidence standards keep ratings comparable across teams.
Risk tiers translate numbers into action. Low and moderate tiers can follow baseline due diligence, renewal checks, and scoped access with periodic reassessment. High-tier suppliers should trigger deeper evidence reviews, targeted remediation plans, and increased monitoring of authentication, data flows, and vulnerability exposure. Critical-tier suppliers require executive approval, least-privilege enforcement, continuous assurance signals, and strict contractual requirements. Useful clauses include breach notification windows, right-to-audit language, subcontractor disclosure, and limits on data reuse.
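As an added example that is not the site's own calculator code: the scoring formula above and the tier mapping implemented in Python, with range validation, a per-driver point breakdown, and a check of how much a maturity improvement alone moves a supplier. The page's table does not show the Incident, Geo and Concentration columns, so the values used here to reproduce the Acme Payments row (4, 4, 3) are an assumption; the tier boundaries (75/50/25) and the `safeguard_points` credit are likewise assumptions, since the page states neither the thresholds nor the size of a safeguard reduction.

```python
from dataclasses import dataclass, asdict

# Driver weights as printed on the page. They sum to 1.00, so the
# maximum score (every driver 5, maturity 0) is 20 * 5 = 100.
WEIGHTS = {
    "sensitivity": 0.18,
    "access": 0.16,
    "connectivity": 0.12,
    "criticality": 0.14,
    "incident": 0.10,
    "geo": 0.10,
    "concentration": 0.08,
    "maturity": 0.12,  # applied to (5 - maturity): mature programs lower exposure
}
SCALE = 20

# ASSUMPTION: the page does not state tier boundaries. These were chosen so the
# three illustrative rows (82.4, 54.2, 24.6) land in the tiers the table shows.
TIER_THRESHOLDS = [(75.0, "Critical"), (50.0, "High"), (25.0, "Moderate"), (0.0, "Low")]


@dataclass(frozen=True)
class Drivers:
    sensitivity: int
    access: int
    connectivity: int
    criticality: int
    incident: int
    geo: int
    concentration: int
    maturity: int

    def __post_init__(self):
        # Every driver is an integer rating from 0 (lowest) to 5 (highest).
        for name, value in asdict(self).items():
            if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 5:
                raise ValueError(f"{name} must be an integer in 0..5, got {value!r}")


def contributions(d: Drivers) -> dict:
    """Points (out of 100) each driver adds; maturity is inverted as 5 - maturity."""
    raw = asdict(d)
    raw["maturity"] = 5 - raw["maturity"]
    return {name: round(SCALE * WEIGHTS[name] * raw[name], 2) for name in WEIGHTS}


def exposure_score(d: Drivers, safeguard_points: float = 0.0) -> float:
    """20 x weighted sum, minus an optional safeguard credit, clamped to 0..100.

    safeguard_points is an ASSUMED knob: the page says safeguards are modeled as
    small score reductions but does not give their magnitude.
    """
    total = sum(contributions(d).values()) - safeguard_points
    return round(max(0.0, min(100.0, total)), 1)


def tier(score: float) -> str:
    """Map a 0..100 score to a tier name using the assumed thresholds."""
    for threshold, name in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return "Low"


def dominant_drivers(d: Drivers, top: int = 3) -> list:
    """Drivers contributing the most points, highest first (where remediation pays off)."""
    c = contributions(d)
    return sorted(c, key=c.get, reverse=True)[:top]


if __name__ == "__main__":
    # Constructed input: the Acme Payments row with assumed hidden drivers 4, 4, 3.
    acme = Drivers(sensitivity=5, access=4, connectivity=4, criticality=5,
                   incident=4, geo=4, concentration=3, maturity=2)
    score = exposure_score(acme)
    print(f"Acme Payments: {score} -> {tier(score)}; top drivers {dominant_drivers(acme)}")
    # Raising maturity from 2 to 4 removes 20 * 0.12 * 2 = 4.8 points; the supplier
    # stays Critical because sensitivity and criticality dominate the score.
    improved = Drivers(5, 4, 4, 5, 4, 4, 3, 4)
    print(f"After maturity 4: {exposure_score(improved)} -> {tier(exposure_score(improved))}")
```

The breakdown from `dominant_drivers` is the practical output: for a supplier like Acme it shows that sensitivity and criticality, not maturity, set the tier, so a better audit report will not by itself move the supplier out of Critical, while reducing data sensitivity or access scope would.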
Pair the exposure score with operational metrics to sustain governance. Track the share of high or critical suppliers that meet MFA, encryption, and logging requirements, plus the age of evidence. Monitor remediation cycle time for critical findings, and measure changes after scope expansions or new integrations. Integrate thresholds into onboarding gates and renewal workflows so that exceptions above a threshold are explicitly approved rather than passed through. Use exports to populate registers, support quarterly reviews, and demonstrate oversight to auditors and key stakeholders.
The exposure score estimates potential cyber impact from a supplier relationship using weighted drivers such as data sensitivity, access, connectivity, and maturity. Higher scores indicate greater oversight, control requirements, and monitoring needs.
Maturity reflects how well the supplier prevents, detects, and responds to threats. Stronger maturity reduces exposure, so the calculator uses (5 − maturity) to decrease the score when maturity is higher.
Define short rating criteria for each driver and rely on evidence: network diagrams, access lists, audit reports, SLAs, and test results. Use calibration sessions to align scorers across procurement, IT, and security.
Safeguards reduce risk but do not eliminate it. They are modeled as small score reductions to reflect stronger protection, while the core drivers and maturity still determine overall exposure, so a strong safeguard set does not by itself move a supplier to a lower tier.
Rescore on onboarding, renewal, major scope changes, new data types, new integrations, incidents, or subcontractor additions. Periodic rescoring (quarterly for critical, annually for others) improves risk accuracy.
CSV supports registers, dashboards, and review workflows. PDF is useful for stakeholder approvals, vendor meetings, and audit evidence. Store exports with the decision record and the supporting evidence artifacts.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.