Vendor Due Diligence Calculator

Compare vendors with evidence-based cyber risk scoring. Tune weights, document controls, and flag critical gaps. Download reports, share findings, and approve with confidence today.

Ready when you are. Fill the form, submit, then export results for procurement and audits.

Vendor Due Diligence Inputs

Use the sliders to tune scoring emphasis per program needs.

Service description: keep it short; the export includes it for context.
Hosting influences baseline exposure.
Subprocessors may add oversight needs.

Assurance & Compliance

Security Controls

Lower is better. Use 0 if unknown.

Resilience & Continuity

Recovery time objective.
Recovery point objective.

Vendor Hygiene

Only used when breach history is Yes.
Shorter retention often reduces exposure. Use 0 if unknown.

Weighting Controls (percent)

Adjust emphasis by program maturity and risk appetite.

If totals differ, weights are normalized.

Formula Used

This tool computes a Security Score (0 to 100, higher is better) as a weighted average of five domain scores: Exposure, Compliance, Controls, Resilience, and Hygiene. Weights are normalized to sum to 100 before the average is taken, so only their relative size matters.

Risk levels are mapped from the Risk Score: 20 or below is Low, above 20 up to 40 is Moderate, above 40 up to 60 is High, above 60 up to 80 is Very High, and above 80 is Critical.
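The scoring described above, written out as an added Python example; this is not the calculator's own code. It implements the proportional weight normalization, the five-domain weighted average, and the mapping onto the risk bands listed above. The page does not state how the Risk Score is derived from the Security Score, so the example assumes it is the complement on a 0 to 100 scale (100 minus the Security Score); the `weakest_domain` helper and the sample vendor inputs are constructed for illustration and are not from the page.

```python
"""Vendor due-diligence scoring: normalized weights, weighted average, risk bands.

Added illustration, not the calculator's own implementation. The relation
Risk Score = 100 - Security Score is an ASSUMPTION; the page does not define it.
"""
from typing import Dict

DOMAINS = ("Exposure", "Compliance", "Controls", "Resilience", "Hygiene")

# Risk bands from the page: <=20 Low, <=40 Moderate, <=60 High, <=80 Very High,
# otherwise Critical. Each entry is (inclusive upper bound, label).
RISK_BANDS = ((20.0, "Low"), (40.0, "Moderate"), (60.0, "High"), (80.0, "Very High"))


def normalize_weights(weights: Dict[str, float]) -> Dict[str, float]:
    """Scale the five domain weights proportionally so they sum to 100.

    Mirrors the page's rule "If totals differ, weights are normalized": a set
    entered as 60/40/60/20/20 carries the same emphasis as 30/20/30/10/10.
    """
    missing = [d for d in DOMAINS if d not in weights]
    if missing:
        raise ValueError(f"missing weights for {missing}")
    if any(weights[d] < 0 for d in DOMAINS):
        raise ValueError("weights must be non-negative")
    total = sum(weights[d] for d in DOMAINS)
    if total == 0:
        raise ValueError("at least one weight must be positive")
    return {d: weights[d] * 100.0 / total for d in DOMAINS}


def security_score(domain_scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average of the five domain scores (each 0-100, higher is better)."""
    for d in DOMAINS:
        if not 0.0 <= domain_scores[d] <= 100.0:
            raise ValueError(f"{d} score must be within 0-100")
    w = normalize_weights(weights)
    return round(sum(domain_scores[d] * w[d] for d in DOMAINS) / 100.0, 2)


def risk_score(sec_score: float) -> float:
    """ASSUMPTION: Risk Score is the complement of the Security Score on a 0-100 scale."""
    return round(100.0 - sec_score, 2)


def risk_level(risk: float) -> str:
    """Map a Risk Score onto the page's bands; anything above 80 is Critical."""
    for upper, label in RISK_BANDS:
        if risk <= upper:
            return label
    return "Critical"


def weakest_domain(domain_scores: Dict[str, float]) -> str:
    """Lowest-scoring domain: a hypothetical stand-in for the 'Primary Gap' column."""
    return min(DOMAINS, key=lambda d: domain_scores[d])


def assess(vendor: str, domain_scores: Dict[str, float], weights: Dict[str, float]) -> dict:
    """Full assessment record for one vendor, as an export row might carry it."""
    sec = security_score(domain_scores, weights)
    risk = risk_score(sec)
    return {
        "vendor": vendor,
        "security_score": sec,
        "risk_score": risk,
        "risk_level": risk_level(risk),
        "weakest_domain": weakest_domain(domain_scores),
        "normalized_weights": normalize_weights(weights),
    }


# Constructed sample inputs (not taken from the page's example table).
SAMPLE_SCORES = {"Exposure": 70, "Compliance": 85, "Controls": 60, "Resilience": 75, "Hygiene": 90}
SAMPLE_WEIGHTS = {"Exposure": 30, "Compliance": 20, "Controls": 30, "Resilience": 10, "Hygiene": 10}

if __name__ == "__main__":
    # The second weight set sums to 200; after normalization it yields the same score.
    for label, weights in (("weights sum to 100", SAMPLE_WEIGHTS),
                           ("weights sum to 200", {d: 2 * v for d, v in SAMPLE_WEIGHTS.items()})):
        result = assess("Example Vendor", SAMPLE_SCORES, weights)
        print(label, result["security_score"], result["risk_level"], result["weakest_domain"])
```

Because the bands use inclusive upper bounds, a Risk Score of exactly 20 is Low and 20.01 is Moderate; if your program wants different cut-offs, change `RISK_BANDS` rather than the comparison logic.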

How to Use This Calculator

  1. Enter vendor details and a short service description.
  2. Rate data sensitivity, access level, and criticality honestly.
  3. Select assurance and security control evidence provided.
  4. Fill resilience inputs, including RTO and RPO targets.
  5. Tune weights to match your governance priorities.
  6. Click Submit Assessment to generate scores and actions.
  7. Download CSV or PDF for procurement or audit artifacts.

Example Data Table

Sample vendor assessments to demonstrate typical outputs.

Vendor           | Service             | Security Score | Risk Level | Primary Gap
Acme Cloud       | Ticketing SaaS      | 78.20          | Moderate   | IR testing evidence missing
Northwind Data   | Analytics Processor | 61.45          | High       | No SSO, slow patch SLA
Contoso Payments | Payment Gateway     | 52.10          | High       | Recent breach, DR untested

FAQs

1) What does this calculator actually measure?

It estimates vendor cyber risk by scoring exposure, assurance, controls, resilience, and hygiene. Higher security scores indicate stronger posture given the evidence you selected and the weights you apply.

2) Are weights required to add up to 100?

Not strictly. If the total differs from 100, the tool automatically normalizes weights proportionally. This preserves your intended emphasis while keeping the scoring math consistent.

3) How should I rate data sensitivity and access level?

Use sensitivity for the most confidential data the vendor handles. Use access level for the highest privilege the vendor receives, including admin, API, or production access. Higher ratings lower the Exposure domain score, and with it the overall Security Score.

4) Why does breach history affect the score?

A recent breach can signal control gaps or higher inherent risk. The tool lowers the hygiene score more for breaches within 24 months, prompting deeper RCA review and stronger contractual safeguards.

5) Can I use this for SOC 2 or ISO evidence tracking?

Yes. You can mark attestations in the assurance section and export results. For formal programs, attach report dates, scope, and exceptions separately within your procurement workflow.

6) What should I do when risk is High or above?

Require a remediation plan with deadlines, validate encryption and MFA, request IR and DR testing proof, and add audit and incident-notification clauses. Escalate approvals for Very High or Critical results.

7) Does the PDF include all inputs?

The PDF includes key vendor details, overall scores, domain breakdown, and recommendations. The CSV export contains the full set of inputs and normalized weights for easy recordkeeping.

8) Is this a substitute for a full questionnaire?

No. It is a structured scoring aid. Use it to standardize comparisons, prioritize follow-ups, and document decisions. For high-impact vendors, combine it with questionnaires, evidence review, and security testing.

Related Calculators

Vendor Risk Score, Third Party Risk, Supplier Security Risk, Third Party Exposure, Vendor Breach Impact, Vendor Risk Rating, Supplier Risk Index, Vendor Compliance Score, Third Party Vulnerability, Vendor Security Posture

Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.