Framework for assessing IT service providers, technology vendors, and third-party partners. Creates structured risk assessments across financial, operational, compliance, security, and reputational dimensions with regulatory checklists (GDPR, DORA, NIS2, SOX). Use when: (1) Evaluating new vendors or technology providers, (2) Conducting third-party risk assessments for procurement, (3) Performing critical vendor due diligence for regulatory compliance, (4) Creating vendor onboarding documentation, (5) Establishing ongoing vendor monitoring processes, (6) Assessing vendor concentration risk, or (7) Generating executive-level vendor risk reports.
lawvable268 2026/02/12
Category (occupation): Sales & Marketing
Skill description
Overview
Comprehensive vendor assessment and due diligence framework for IT service providers, technology vendors, and other third-party partners. Creates structured risk assessments, evaluation reports, and ongoing monitoring frameworks across financial, operational, compliance, security, and reputational dimensions.
LEGAL DISCLAIMER
IMPORTANT: This skill provides general information and frameworks for vendor assessment purposes only. It does NOT constitute legal, financial, or professional advice. Users should:
Consult qualified legal counsel for specific legal requirements in their jurisdiction
Engage appropriate financial and security professionals for detailed assessments
Verify all regulatory requirements independently
Adapt all frameworks to their specific organizational needs and risk tolerance
Not rely on this skill as a substitute for professional due diligence services
The frameworks provided are templates only. Actual vendor assessments require expertise in law, finance, cybersecurity, and risk management. Neither the skill creator nor Claude/Anthropic assumes any liability for decisions made based on this skill's output.
When to Use This Skill
Use this skill when you need to:
Evaluate new vendors, technology providers, or service partners
Conduct third-party risk assessments for procurement decisions
Perform critical vendor due diligence for regulatory compliance (DORA, NIS2, GDPR, SOX, etc.)
Create vendor onboarding documentation and assessment frameworks
Establish ongoing vendor monitoring and review processes
Assess vendor concentration risk and business continuity implications
Reputational Risk: Public perception, litigation history, ethical practices, ESG factors
Strategic Risk: Service criticality, exit/transition difficulty, vendor lock-in, innovation capability
Enhanced Feature: Weighted risk calculations based on service criticality. Critical services (payment processing, customer data systems) receive 2x weight on security and compliance factors.
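The following is an added worked example of the weighted calculation described above; it is not code from the skill or from Anthropic. The only rule it takes from the skill description is that critical services receive 2x weight on the security and compliance dimensions. The equal base weights, the 1-5 per-dimension scoring scale, the criticality labels and the two sample vendors are assumptions made for the illustration. It also shows the renormalisation step a practitioner needs so that critical and non-critical vendors remain comparable on one 0-100 scale.

```python
"""Weighted vendor risk score with a service-criticality multiplier.

Added example, not code from the skill or from Anthropic. The only rule
taken from the skill description is that critical services get 2x weight
on the security and compliance dimensions. The base weights, the 1-5
per-dimension scale and the sample vendors below are assumptions.
"""

DIMENSIONS = ("financial", "operational", "compliance", "security", "reputational")

# Assumed base weights (equal here; sum to 1.0). Tune to organisational policy.
BASE_WEIGHTS = {d: 0.20 for d in DIMENSIONS}

# Dimensions the criticality multiplier applies to (from the skill text).
CRITICALITY_SENSITIVE = ("security", "compliance")
CRITICAL_MULTIPLIER = 2.0


def effective_weights(criticality: str) -> dict[str, float]:
    """Return per-dimension weights for a vendor of the given criticality.

    For "critical" services the security and compliance weights are doubled
    and the whole vector is renormalised to sum to 1.0, so that scores for
    critical and non-critical vendors stay on the same 0-100 scale.
    Any other criticality label gets the base weights unchanged
    (assumption: only "critical" is special).
    """
    mult = CRITICAL_MULTIPLIER if criticality == "critical" else 1.0
    raw = {
        d: BASE_WEIGHTS[d] * (mult if d in CRITICALITY_SENSITIVE else 1.0)
        for d in DIMENSIONS
    }
    total = sum(raw.values())
    return {d: w / total for d, w in raw.items()}


def _validate(scores: dict[str, int]) -> None:
    """Every dimension must be scored on the assumed 1 (low risk) .. 5 (high risk) scale."""
    for d in DIMENSIONS:
        if d not in scores:
            raise ValueError(f"missing score for dimension: {d}")
        if not 1 <= scores[d] <= 5:
            raise ValueError(f"score for {d} must be 1..5, got {scores[d]}")


def contributions(scores: dict[str, int], criticality: str) -> dict[str, float]:
    """Per-dimension contribution to the 0-100 score, for the report breakdown.

    A dimension scored 1 contributes 0; scored 5 it contributes its full
    effective weight times 100.
    """
    _validate(scores)
    weights = effective_weights(criticality)
    return {d: weights[d] * (scores[d] - 1) / 4 * 100 for d in DIMENSIONS}


def risk_score(scores: dict[str, int], criticality: str) -> float:
    """Overall weighted risk: 0 (every dimension scored 1) .. 100 (every dimension scored 5)."""
    return round(sum(contributions(scores, criticality).values()), 1)


if __name__ == "__main__":
    # Constructed sample vendors (not real assessments).
    weak_security = {"financial": 1, "operational": 1, "compliance": 5, "security": 5, "reputational": 1}
    weak_finances = {"financial": 5, "operational": 5, "compliance": 1, "security": 1, "reputational": 5}
    for name, scores in (("weak_security", weak_security), ("weak_finances", weak_finances)):
        for crit in ("non-critical", "critical"):
            print(f"{name:14s} {crit:13s} score={risk_score(scores, crit):5.1f}")
```

Running the block scores the security-weak vendor at 40.0 as a non-critical supplier and 57.1 as a critical one, while the financially weak vendor drops from 60.0 to 42.9 when treated as critical. That second result is the caveat to keep in mind: doubling the weight on security and compliance necessarily reduces the relative weight of financial and operational risk, so a critical vendor in financial distress can score lower than the same vendor would as a non-critical supplier. Financial early warning indicators therefore belong alongside the score as hard triggers for re-assessment, not only as inputs folded into it.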
3. Regulatory Compliance Checklists
Pre-built assessment templates for:
GDPR: Data processing agreements, sub-processor management, cross-border transfers, breach notification
Enhanced Feature: Regulatory gap analysis that identifies which requirements the vendor currently fails to meet and severity classification (blocker, major concern, minor gap, acceptable with mitigation).
4. Document Request Lists
Comprehensive documentation requirements organized by assessment phase:
Operations Managers: Service delivery, incident management, change control, capacity planning
Legal/Contracts: Negotiation flexibility, standard terms, liability frameworks
Enhanced Feature: Red flag detection prompts - specific questions designed to uncover hidden risks (e.g., "Describe your three most recent security incidents and response," "What percentage of revenue comes from your top 3 clients?")
6. Ongoing Monitoring Frameworks
Post-onboarding continuous oversight:
Quarterly Reviews: Performance metrics, security updates, compliance status, financial health
Annual Assessments: Full re-evaluation of risk scores, certification renewals, contract renegotiation
Enhanced Feature: Early warning indicators (EWIs) that trigger immediate re-assessment - bankruptcy filings, mass layoffs, major customer losses, data breaches, audit failures, regulatory fines.
Output Formats
Vendor Risk Report
Comprehensive assessment report including:
Executive summary with risk rating and recommendation
Replace professional due diligence services (legal, financial, technical audits)
Provide legal advice on specific contracts or regulatory requirements
Guarantee vendor performance or eliminate all risks
Substitute for organization-specific risk frameworks and policies
Fulfill regulatory obligations without expert validation
Create attorney-client, fiduciary, or advisory relationships
Users must:
Adapt all frameworks to their specific industry, jurisdiction, and risk tolerance
Engage qualified professionals for regulated assessments
Verify all regulatory requirements independently
Obtain necessary internal approvals before vendor engagement
Maintain documentation for audit and compliance purposes
Update assessment criteria as regulations and threats evolve
Regulatory Context
While this skill references common regulations (GDPR, DORA, NIS2, etc.), users must:
Verify current regulatory requirements in their jurisdiction
Consult legal counsel for compliance obligations
Not rely on this skill for legal interpretation
Understand that regulatory landscapes change constantly
Recognize that enforcement varies by regulator and jurisdiction
Last Updated Framework Version: January 2025 (Regulatory references may become outdated)
Example Use Cases
Financial Institution under DORA: Assessing cloud service provider for critical payment systems
Healthcare Organization: Evaluating SaaS vendor handling protected health information (HIPAA)
Manufacturing Company: Third-party risk assessment for industrial control system provider
E-commerce Platform: Payment processor due diligence under PCI DSS requirements
Government Agency: FedRAMP compliance assessment for cloud infrastructure provider
Startup: Rapid vendor screening for limited-risk, non-critical services
FINAL REMINDER: This is an educational framework and starting point only. Professional due diligence requires expertise in law, finance, cybersecurity, and risk management. Always engage qualified professionals for critical vendor assessments and do not rely solely on this skill for decision-making.