# Vendor Risk Assessment Steps

1. Identify the vendor: Determine who you are assessing and the purpose of the assessment.
2. Gather documentation: Request and review the vendor’s policies, procedures, and contracts.
3. Conduct interviews: Talk to vendor personnel and stakeholders to understand the vendor’s processes and risk management approaches.
4. Collect evidence: Gather evidence from the vendor’s systems to determine their security posture.
5. Assess risk: Analyze the evidence to identify risks and determine the vendor’s capability to manage them.
6. Report findings: Document the assessment results and provide recommendations for mitigating risk.
7. Monitor: Regularly monitor the vendor’s performance to ensure they are meeting the requirements.
