Name: Vendor Risk Scoring
Author: mukul975

スキルを検索.../

Vendor Risk Scoring | Skills Pool

Score	Criterion	Description
1	Pseudonymized non-sensitive data only	Minimal identifiability
2	Non-sensitive personal data (names, email)	Standard personal data
3	Behavioral data, location data, financial identifiers	Elevated sensitivity
4	Government IDs, precise geolocation, communications content	High sensitivity
5	Special category data (Art. 9) or criminal convictions (Art. 10)	Maximum sensitivity

Score	Criterion	Description
1	Processing exclusively within EEA	No transfer risk
2	Processing in EEA + adequacy decision countries	Minimal transfer risk
3	Processing includes non-adequate countries with robust SCCs and supplementary measures	Managed transfer risk
4	Processing in jurisdictions with government surveillance concerns (per EDPB assessments)	Elevated transfer risk
5	Processing in jurisdictions lacking rule of law / no valid transfer mechanism	Maximum transfer risk

Score	Criterion	Description
1	ISO 27001 + ISO 27701 + SOC 2 Type II + sector-specific cert	Comprehensive certification
2	ISO 27001 + SOC 2 Type II (or equivalent combination)	Strong certification
3	ISO 27001 only or SOC 2 Type II only	Moderate certification
4	Self-assessment or CSA STAR Level 1 only	Limited certification
5	No recognized certifications or attestations	No certification

Score	Criterion	Description
1	No breaches, no enforcement actions in past 5 years	Clean record
2	Minor incident(s) with prompt notification and remediation	Low incident history
3	One significant breach with adequate response	Moderate history
4	Multiple breaches or one enforcement action	Elevated history
5	Major enforcement action or pattern of breach non-compliance	High-risk history

Score	Criterion	Description
1	Optimized — continuous improvement, metrics-driven, automated controls	Industry leading
2	Managed — controls measured and monitored, regular testing	Mature program
3	Defined — documented policies and procedures, periodic testing	Established program
4	Developing — basic controls in place, gaps in documentation	Emerging program
5	Initial — ad hoc controls, minimal documentation	Immature program

Score	Criterion	Description
1	No discretion — purely technical processing per exact instructions	Minimal autonomy
2	Limited discretion — predefined processing options	Low autonomy
3	Moderate discretion — processor selects technical means	Standard autonomy
4	Significant discretion — processor defines processing logic	Elevated autonomy
5	High discretion — processor approaches controller boundary	Maximum autonomy

Weighted Risk Score = Σ (Dimension Score × Dimension Weight)

Weighted Risk Score = (D1 × 0.15) + (D2 × 0.25) + (D3 × 0.15) + (D4 × 0.15)
                    + (D5 × 0.10) + (D6 × 0.10) + (D7 × 0.10)

Tier	Score Range	Label	Oversight Level
Tier 1	3.5 – 5.0	High Risk	Maximum oversight: annual on-site audit, quarterly monitoring, full due diligence refresh annually
Tier 2	2.5 – 3.4	Standard Risk	Standard oversight: annual remote audit, semi-annual monitoring, due diligence refresh biennially
Tier 3	1.0 – 2.4	Low Risk	Minimum oversight: biennial documentation audit, annual monitoring, due diligence refresh triennially

Activity	Tier 1 (High)	Tier 2 (Standard)	Tier 3 (Low)
Due diligence refresh	Annual	Biennial	Triennial
Privacy audit	Annual (Type 2 or 3)	Annual (Type 1)	Biennial (Type 1)
Sub-processor review	Quarterly	Semi-annual	Annual
DPA review	Annual	Biennial	Triennial
Risk score recalculation	Semi-annual	Annual	Biennial
Continuous monitoring	Active monitoring	Periodic monitoring	Annual check

Trigger	Duration
Personal data breach at vendor	Until post-breach reassessment completed
Regulatory enforcement action	Until remediation verified
Certification lapse (> 30 days)	Until certification renewed
Material service change without prior notification	Until change assessed
Failed audit (Critical findings)	Until remediation verified

Metric	Description
Total vendors processing personal data	Count of active vendor DPAs
Vendors by tier	Distribution across Tier 1/2/3
Average risk score	Mean weighted score across all vendors
Trend	Quarter-over-quarter score movement
Overdue assessments	Vendors past their scheduled reassessment date
Open audit findings	Total by severity
Vendors with third-country transfers	Count and transfer mechanisms used

1	< 100 data subjects	Minimal volume processing
2	100 – 1,000 data subjects	Low volume
3	1,001 – 10,000 data subjects	Moderate volume
4	10,001 – 100,000 data subjects	High volume
5	> 100,000 data subjects	Very high volume

Vendor Risk Scoring

Vendor Privacy Risk Scoring

Overview

Risk Scoring Model

Scoring Dimensions

Vendor Risk Scoring

Vendor Privacy Risk Scoring

Overview

Risk Scoring Model

Scoring Dimensions

Risk Score Calculation

Risk Tier Assignment

Tier-Based Oversight Requirements

Scoring Adjustments

Escalation Triggers

De-escalation Criteria

Aggregated Vendor Risk Dashboard

Key Regulatory References

Llm Trading Agent Security

Energy Procurement

Council

Carrier Relationship Management

Market Research

Market Research