Vendor Compliance Score Calculator

Assessment Inputs

Use consistent scoring for questionnaires, evidence reviews, and audits. Adjust weights and penalties to match your risk model.

Vendor name

Used in exports and history.

Assessment date

Default is today.

Security controls implemented (%)

Technical + administrative controls coverage.

Policy & procedure coverage (%)

Written governance and enforcement.

Vulnerability management maturity (%)

Scanning, patch SLAs, remediation proof.

Incident response readiness (%)

Tabletops, playbooks, on-call, reporting.

Data protection (encryption, DLP) (%)

At rest, in transit, key management.

Access management (IAM, MFA) (%)

Least privilege and identity hygiene.

Logging & monitoring (%)

Alerting, retention, SIEM integration.

Business continuity & disaster recovery (%)

Backups, RTO/RPO testing, resilience.

Privacy & regulatory readiness (%)

Data mapping, DPIA, retention, requests.

Subprocessor / fourth-party controls (%)

Due diligence, notifications, flow-downs.

Security SLAs & commitments (%)

Breach notice, patch windows, support.

Response speed (MTTR score %)

Higher means faster resolution.

Critical audit findings (count)

Each adds a configurable penalty.

High audit findings (count)

Counts for additional penalties.

Days since last independent audit

Older audits reduce trust.

Oldest open issue age (days)

Long-open issues increase penalties.

Assurance evidence (check all that apply)

ISO 27001

SOC 2

Recent pentest report

SIG / security questionnaire

Evidence adds a small capped bonus.

Advanced Settings

Tune weights, penalties, and risk tiers. Weight totals are normalized automatically.

Penalty per critical finding

Penalty per high finding

Maximum total penalty (cap)

Audit grace days

Penalty per audit-age day beyond grace

Open-issues grace days

Penalty per open-issue day beyond grace

Tier threshold: Low risk (≥)

Tier threshold: Moderate risk (≥)

Tier threshold: High risk (≥)

Weights (normalized)

Defaults are tuned for common vendor risk reviews.

Security controls

Policy coverage

Vulnerability mgmt

Incident response

Data protection

Access mgmt

Logging/monitoring

BC/DR

Privacy

Subprocessors

Security SLAs

MTTR score

New assessment

Example Data Table

Vendor	Controls %	Vuln Mgmt %	IR %	Audit Age (days)	Critical	Score	Tier
CloudCRM Ltd	86	78	74	120	0	82.3	Moderate
PayrollPro	92	88	85	60	0	90.1	Low
AnalyticsBox	71	62	58	430	2	44.7	Critical

These rows illustrate how higher audit findings and older audits can reduce scores.

Formula Used

This calculator produces a 0–100 score using a weighted model with assurance bonuses and risk penalties.

Base score: weighted average of input domains, normalized by total weight.
Bonus: small capped uplift for independent evidence (e.g., ISO 27001, SOC 2).
Penalty: capped deductions for audit findings, audit age, and aging open issues.

Base = Σ(domain% × weight) / Σ(weight)

Score = clamp(Base + Bonus − Penalty, 0, 100)

Tier by thresholds: Low ≥ t_low, Moderate ≥ t_med, High ≥ t_high, else Critical

How to Use This Calculator

Collect vendor evidence: questionnaires, audit reports, and remediation status.
Enter domain percentages based on your review rubric.
Add findings, audit age, and open-issue age to reflect risk.
Adjust weights to match your data sensitivity and impact.
Press Submit to see results above the form.
Export history as CSV or PDF for procurement records.

Downloads

Exports include your recent assessment history (up to 50 rows).

Current Tier Guide

Low: strong assurance and low residual risk.
Moderate: acceptable with tracked improvements.
High: significant gaps; restrict scope.
Critical: avoid or remediate before onboarding.

Recent History

No calculations yet. Submit the form to build history.