Third Party Compliance Calculator

Score vendor security posture using weighted, auditable inputs. Track evidence, access, and incidents across critical vendors. Export reports for governance teams and faster decisions.

Vendor Inputs
Use the form to score a third party and generate an exportable report.
  • Vendor name: used in exports and audit logs.
  • Scoring profile: controls how inputs are weighted.
  • Inherited internal controls: adds modest credit for compensating controls.
  • Criticality: 5 means mission-critical.
  • Sensitivity: 5 means regulated or confidential data.
  • Access: 5 means privileged or production access.
  • Maturity: higher means mature, tested controls.
  • Incidents: 0 means no known incidents.
  • Evidence: audits, attestations, and policy evidence.
  • Contract: SLAs, right-to-audit, security clauses.
  • Geo/Reg: 5 means complex cross-border constraints.
  • Monitoring: signals, alerting, and verification frequency.
  • Subprocessors: a higher count increases complexity.
  • Breach notification days: faster notification reduces operational risk.
Entered data is stored in-memory for this report only.
Example Data Table
Sample vendors to illustrate how scoring behaves.
Vendor             Criticality  Sensitivity  Access  Maturity  Incidents  Evidence  Contract  Geo/Reg  Monitoring  Subproc  Notify Days
Acme Payments                5            5       4         4          1         4         4        3           4        4            7
Zen HR Tools                 3            3       2         3          0         2         3        2           3        2           10
Northwind Support            2            2       2         2          3         1         2        4           2        6           14
Tip: Run each example through the form to compare tiers.
Formula Used
A weighted model converting risk inputs into compliance contributions.
  1. Normalize each input into a compliance contribution on 0..1. Risk-oriented inputs (criticality, sensitivity, access, geo risk, incidents) invert the scale so lower risk scores higher.
  2. Weighted compliance score:
    ComplianceScore01 = Σ( weightᵢ × contributionᵢ ) + adjustments
    ComplianceScore = round( ComplianceScore01 × 100 )
    ResidualRisk = 100 − ComplianceScore
  3. Adjustments:
    • Subprocessors apply a small penalty, capped at 8%.
    • Breach notification SLAs add a small boost or penalty.
    • Inherited internal controls add a modest boost when enabled.
  4. Tiering: Low Risk (≥85), Moderate (70–84), Elevated (55–69), High (<55), each with review cadence guidance.
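The model above as a worked example in Python (added here; it is not the calculator's own code). The page gives only the structure, the 8% subprocessor cap, the three-day and fourteen-day notification thresholds and the tier cut-offs; the Balanced weights, the per-subprocessor penalty, the SLA boost and penalty and the inherited-controls credit are assumed values, and custom weights are normalized by their sum as the FAQ describes.

```python
# Added example, not the calculator's own code. Only the model structure, the
# 8% subprocessor cap, the 3/14-day notification thresholds and the tier
# cut-offs come from the page; weights and adjustment sizes are ASSUMED.
# Assumed "Balanced" profile. Custom weights need not sum to 1; they are
# normalized by their total in score_vendor().
BALANCED = {
    "criticality": 0.05, "sensitivity": 0.05, "access": 0.05, "geo": 0.05,
    "incidents": 0.10, "maturity": 0.25, "evidence": 0.15,
    "contract": 0.15, "monitoring": 0.15,
}
# Risk-oriented inputs are inverted so that lower risk contributes more.
RISK_INPUTS = {"criticality", "sensitivity", "access", "geo", "incidents"}
# (floor, tier, review cadence) from the page's tiering rule.
TIERS = [(85, "Low Risk", "annual"), (70, "Moderate", "semiannual"),
         (55, "Elevated", "quarterly"), (0, "High", "monthly")]


def contribution(name, value):
    """Normalize one input to a compliance contribution on 0..1."""
    if name == "incidents":           # a count: 0 -> 1.0, 5 or more -> 0.0
        return 1.0 - min(value, 5) / 5
    value = min(max(value, 1), 5)     # every other input is a 1..5 scale
    return (5 - value) / 4 if name in RISK_INPUTS else (value - 1) / 4


def adjustments(subprocessors, notify_days, inherited_controls):
    """Assumed sizes: 1%/subprocessor capped at 8%, SLA +3% or -5%, inherited +3%."""
    adj = -min(0.01 * subprocessors, 0.08)
    if notify_days <= 3:
        adj += 0.03
    elif notify_days > 14:
        adj -= 0.05
    if inherited_controls:
        adj += 0.03
    return adj


def score_vendor(v, weights=BALANCED, inherited_controls=False):
    raw = sum(weights[k] * contribution(k, v[k]) for k in weights) / sum(weights.values())
    raw += adjustments(v["subprocessors"], v["notify_days"], inherited_controls)
    score = round(min(max(raw, 0.0), 1.0) * 100)
    tier, cadence = next((t, c) for floor, t, c in TIERS if score >= floor)
    return {"score": score, "residual_risk": 100 - score, "tier": tier, "review": cadence}


# Constructed input: the "Acme Payments" row of the page's example table.
ACME = {"criticality": 5, "sensitivity": 5, "access": 4, "maturity": 4, "incidents": 1,
        "evidence": 4, "contract": 4, "geo": 3, "monitoring": 4, "subprocessors": 4,
        "notify_days": 7}
if __name__ == "__main__":
    print(score_vendor(ACME))  # assumed weights give 60 -> Elevated, quarterly
```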
This tool supports governance scoring, not a certification decision.
How to Use This Calculator
A practical workflow for third-party risk reviews.
  • Choose a profile that matches your program focus, or set custom weights.
  • Enter vendor inputs from questionnaires, audits, contracts, and monitoring.
  • Submit to view results above the form, including tier and cadence guidance.
  • Export a CSV for trackers or a PDF for review packets.
  • Reassess after material changes: scope, data types, access, or incidents.
Suggested scoring sources
Questionnaire responses, SOC reports, ISO certificates, pen test summaries, incident notifications, access reviews, and contract exhibits.
Program Insights
Data-driven guidance for vendor governance and consistent scoring.

Third-party exposure concentrates in a small vendor set

Most security programs find that 15–25% of vendors handle sensitive data or production access, yet these vendors drive the majority of third-party risk. Use this calculator to flag that subset quickly by combining criticality, sensitivity, and access level into one consistent score.

A vendor rated 5 for criticality and sensitivity should rarely be reviewed less than quarterly unless evidence is exceptional.

Evidence quality changes faster than contracts

Audits and attestations often age out before renewal cycles. A practical benchmark is to refresh core evidence at least every 12 months for moderate tiers and every 6 months for elevated tiers. If evidence is missing or outdated, lower the “Compliance Evidence” input to reflect reduced assurance.

Evidence can include SOC reports, ISO certificates, pen test summaries, and policy excerpts with dates. Many teams track an evidence freshness target of ≤ 180 days for critical vendors.

Control maturity is the strongest long-run predictor

Programs that prioritize mature, tested controls typically see fewer high-impact vendor incidents. In this model, control maturity carries the largest weight in control-focused profiles, because it captures repeatable processes like secure SDLC, access reviews, logging, and vulnerability management.

When maturity is rated 1–2, prioritize remediation milestones and reassess the score after new evidence is produced.

Complexity multipliers raise residual risk

Subprocessors expand the attack surface and complicate incident coordination. The calculator applies a capped penalty to keep scoring stable while still reflecting rising dependency risk. Vendors with five or more subprocessors should maintain an up-to-date subprocessor list and flow-down requirements.

Monitor change events such as new hosting regions or subcontractor swaps. If monitoring strength is 1–2, increase review cadence and require continuous signals.

Operational SLAs translate directly into response speed

Breach notification timelines affect containment and regulatory reporting. A three-day notice earns a small boost; longer than fourteen days triggers a penalty. Pair the score with a remediation plan: tighten SLAs, reduce privileges, and add monitoring signals so reviewers can validate improvements over time.

Use the tier output to standardize governance: Low Risk annual, Moderate semiannual, Elevated quarterly, and High monthly until key actions are closed. Trend scores to show measurable reduction.

FAQs
Common questions about third-party compliance scoring.

What does the compliance score represent?

It is a weighted 0–100 indicator of vendor control strength, evidence quality, and contractual readiness after small adjustments for complexity and notification SLAs.

How should we choose a scoring profile?

Use Balanced for general programs. Choose control-focused when technical controls matter most, evidence-focused when audits drive assurance, and assurance-focused when attestations and incidents dominate decisioning.

Can we tailor weights to our risk appetite?

Yes. Select Custom Weights and set higher values for your most important drivers, such as access level or data sensitivity. The tool normalizes inputs so the weighting remains consistent.

How often should vendors be reassessed?

Follow the recommended cadence: annual for Low Risk, semiannual for Moderate, quarterly for Elevated, and monthly for High Risk until remediation actions are completed or scope changes stabilize.

What inputs matter most for high-impact vendors?

Criticality, sensitivity, privileged access, and control maturity typically drive outcomes. For top-tier vendors, keep evidence fresh, strengthen monitoring, and validate right-to-audit and breach notification clauses.

Is this a certification or pass/fail decision?

No. It supports governance by standardizing scoring and documenting rationale. Final decisions should include legal review, technical testing, and change-event monitoring aligned to your program requirements.

Notes on Responsible Use
Keep decisions traceable and defendable.
  • Use consistent scoring criteria across vendors to reduce bias.
  • Capture evidence dates; stale attestations should reduce scores.
  • Combine this score with technical testing and legal review.


Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.