Know vendor exposure before sharing sensitive access. Prioritize audits, contract clauses, and technical safeguards quickly. Measure, document, and improve third-party security with confidence.
Each factor is scored from 0 to 5. A weighted risk contribution is computed as:
BaseScore = 100 × Σ( weightᵢ × normalizedRiskᵢ )
Protective factors (maturity, compliance, financial stability) are inverted so higher maturity lowers risk. Then key controls add small modifiers (±2 to ±4 points) and the final score is clamped to 0–100.
Tiers: 0–24 Low, 25–49 Medium, 50–74 High, 75–100 Critical.
| Supplier | Service | Criticality | Data | Access | Connectivity | Maturity | Controls (MFA/Enc/Log) | Score | Tier |
|---|---|---|---|---|---|---|---|---|---|
| CloudHostCo | Cloud hosting | 5 | 4 | 3 | 4 | 4 | Yes / Yes / Yes | 56.3 | High |
| SupportDesk Ltd | Customer support | 3 | 3 | 2 | 2 | 3 | Yes / Yes / No | 41.8 | Medium |
| AnalyticsX | Data analytics | 2 | 2 | 1 | 2 | 4 | Yes / Yes / Yes | 22.6 | Low |
Supplier relationships expand your attack surface beyond the perimeter. This calculator converts vendor review notes into a consistent 0–100 score using business criticality, data sensitivity, access level, and connectivity. Treat these inputs as blast-radius indicators: privileged access and deep integrations increase the chance a supplier incident becomes yours. Add subcontractor dependence, geographic risk, and financial stability to capture supply-chain complexity and operational resilience.
The model uses weights to mirror common third‑party risk drivers. Criticality and data sensitivity are weighted higher because they influence recovery cost, downtime tolerance, and regulatory exposure. Connectivity and access represent likelihood by measuring reachable paths and standing privileges. Normalizing every factor on a 0–5 scale supports side‑by‑side comparisons across suppliers and service types. Apply one rubric enterprise‑wide to reduce scoring drift.
Security maturity, compliance posture, and financial stability are protective factors, so higher values reduce risk contribution. Key controls then add practical modifiers: enforced MFA, encryption, monitored logging, vulnerability management, incident response playbooks, and tested recovery lower the score; missing controls raise it. Mark a control as present only with evidence, such as SOC reports, penetration summaries, patch SLAs, configuration screenshots, and tabletop results. Store references in the notes field for repeatable audits and faster revalidation.
Use the tiered outputs to standardize governance actions. Low and Medium tiers fit routine annual reviews, least‑privilege access, and renewal checks. High-tier suppliers should trigger focused assessments, tighter contract clauses, shorter remediation deadlines, and additional monitoring. Critical-tier results warrant executive visibility, temporary access restrictions, and explicit risk acceptance if remediation is delayed. Link timelines to exposure: patch and MFA gaps may require 30 days, while logging gaps may need 14 days and access scoping can be immediate.
Supplier risk changes with scope, integrations, mergers, and incident trends. Recalculate after onboarding, major feature releases, new data types, or confirmed security events. Track score deltas to quantify remediation impact and to prioritize enablement investments. Periodically review the weights against your threat model and audit expectations so scoring stays aligned with real loss drivers. Pair this score with ongoing signals like threat intelligence, uptime metrics, vulnerability disclosures, and contract performance to catch drift early.
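The scoring model described above (weighted 0–5 factors, inverted protective factors, ±2 to ±4 control modifiers, clamping, and tier lookup) as an added worked example in Python. This is not the calculator's own code: the specific weights, the point value assigned to each control, the default remediation deadline for gaps the page does not name, and the sample supplier are all assumed or constructed, so the resulting number does not reproduce the rows in the table above.

```python
"""Supplier cybersecurity risk score: weighted 0-5 factors -> base score,
protective factors inverted, control modifiers, clamp to 0-100, tier lookup.
All weights and point sizes below are ASSUMED for illustration."""

# Risk-increasing factors (higher rating = more exposure). Weights assumed.
RISK_WEIGHTS = {
    "criticality": 0.20,
    "data_sensitivity": 0.20,
    "access_level": 0.15,
    "connectivity": 0.15,
    "subcontractor_dependence": 0.05,
    "geographic_risk": 0.05,
}
# Protective factors (higher rating = stronger posture); inverted before weighting.
PROTECTIVE_WEIGHTS = {
    "security_maturity": 0.10,
    "compliance_posture": 0.05,
    "financial_stability": 0.05,
}
# Weights must sum to 1 so that the base score spans exactly 0-100.
assert abs(sum(RISK_WEIGHTS.values()) + sum(PROTECTIVE_WEIGHTS.values()) - 1.0) < 1e-9

# Control modifiers in points: subtracted when evidenced, added when missing.
# The 2-4 point range follows the page; the per-control assignment is assumed.
CONTROL_MODIFIERS = {
    "mfa": 4,
    "encryption": 3,
    "logging": 2,
    "vulnerability_management": 3,
    "incident_response": 2,
    "tested_recovery": 2,
}
# Tier boundaries from the page: 0-24 Low, 25-49 Medium, 50-74 High, 75-100 Critical.
TIERS = [(25, "Low"), (50, "Medium"), (75, "High")]
# Remediation deadlines in days: MFA/patch gaps 30, logging 14 (from the page);
# 30 days for any other gap is an assumed default.
GAP_DEADLINE_DAYS = {"mfa": 30, "vulnerability_management": 30, "logging": 14}
DEFAULT_DEADLINE_DAYS = 30


def _normalize(name, value):
    """Validate a 0-5 rating and map it onto 0.0-1.0."""
    if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 5:
        raise ValueError(f"{name} must be a rating from 0 to 5, got {value!r}")
    return value / 5.0


def tier_for(score):
    for upper, name in TIERS:
        if score < upper:
            return name
    return "Critical"


def score_supplier(ratings, controls):
    """ratings: factor -> 0..5; controls: control -> True only when evidence exists."""
    contribution = 0.0
    for factor, weight in RISK_WEIGHTS.items():
        contribution += weight * _normalize(factor, ratings[factor])
    for factor, weight in PROTECTIVE_WEIGHTS.items():
        # Inverted: a rating of 5 contributes no risk, a rating of 0 the full weight.
        contribution += weight * (1.0 - _normalize(factor, ratings[factor]))
    base = 100.0 * contribution

    modifier, gaps = 0, []
    for control, points in CONTROL_MODIFIERS.items():
        if controls.get(control, False):
            modifier -= points
        else:
            modifier += points
            gaps.append(control)

    final = round(max(0.0, min(100.0, base + modifier)), 1)
    return {"base": round(base, 1), "modifier": modifier, "score": final,
            "tier": tier_for(final), "gaps": gaps}


def remediation_plan(result):
    """Deadline per control gap; Critical tier adds an immediate access restriction."""
    plan = []
    if result["tier"] == "Critical":
        plan.append(("temporary_access_restriction", 0))
    for gap in result["gaps"]:
        plan.append((gap, GAP_DEADLINE_DAYS.get(gap, DEFAULT_DEADLINE_DAYS)))
    return plan


# Constructed sample supplier (not a row from the page's table).
SAMPLE_RATINGS = {
    "criticality": 5, "data_sensitivity": 4, "access_level": 3, "connectivity": 4,
    "subcontractor_dependence": 2, "geographic_risk": 1,
    "security_maturity": 4, "compliance_posture": 4, "financial_stability": 5,
}
SAMPLE_CONTROLS = {"mfa": True, "encryption": True, "logging": True,
                   "vulnerability_management": False, "incident_response": True,
                   "tested_recovery": False}

if __name__ == "__main__":
    result = score_supplier(SAMPLE_RATINGS, SAMPLE_CONTROLS)
    print(result)                    # base 63.0, modifier -6, score 57.0, tier High
    print(remediation_plan(result))  # vulnerability_management 30 days, tested_recovery 30 days
```

Because every factor is normalized to 0–1 before weighting and the weights sum to 1, the base score can only leave the 0–100 range through the control modifiers, which is why the clamp sits after them. Changing the assumed weights is the knob the FAQ below refers to; revalidate against past incidents after any change.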
It estimates supplier cybersecurity exposure on a 0–100 scale. Higher scores indicate greater combined impact, likelihood, and control gaps based on your inputs and evidence.
Use documented criteria. Rate the most sensitive data handled, the highest access granted, and the strongest integration. Keep ratings stable across departments to improve comparability.
Security maturity, compliance posture, and financial stability are protective. Higher values mean stronger governance and resilience, so the model inverts them to reduce risk contribution.
Yes. Edit the weight array in the code to reflect your threat model and audit expectations. Revalidate with historical incidents to ensure the scoring matches real losses.
Prefer independent and recent artifacts: SOC reports, ISO certificates, pen-test summaries, patch SLAs, and incident response test results. Avoid self-attestation without supporting documentation.
Recalculate after onboarding, scope changes, new integrations, new data types, or reported incidents. At minimum, review critical suppliers quarterly and others annually.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.