Vendor tiering

Definition

The classification of vendors into risk tiers, typically Tier 1 (critical), Tier 2 (significant), and Tier 3 (low), based on factors such as the sensitivity of data shared, the depth of system integration, the regulatory obligations triggered, and the business impact of vendor failure. Tier assignment drives due diligence depth, contractual requirements, and reassessment frequency.

Related terms

Due diligence questionnaire (DDQ)
A structured questionnaire sent to a prospective vendor before onboarding, asking the vendor to describe its security controls, certifications, incident history, subprocessor...
Offboarding controls
The set of actions taken when a vendor relationship ends: revoking access credentials, recovering or destroying shared data, terminating network connectivity, and...
Right-to-audit clause
A contractual provision that gives the organisation the right to audit or assess the vendor's security controls, either directly or through a...
Subprocessor
A third party engaged by a vendor (the processor) to perform part of the service that involves the organisation's data. Under GDPR...
Third-party risk
The information security, operational, legal, or reputational risk introduced to an organisation by its relationships with external parties including vendors, suppliers, cloud...

Explained in

  • Third-Party Risk Management Programme: The classification of vendors into risk tiers, typically Tier 1 (critical), Tier 2 (significant), and Tier 3 (low), based on factors such as the sensitivity of...