Read as
Why this module exists. Third-party and supply-chain risk is the single fastest-growing risk category in Indian enterprises. SolarWinds, Log4j, Okta, MOVEit, XZ Utils — every major breach pattern of the last five years has involved a trusted third party. This module covers the practical assessment framework: tiering vendors by risk, the right questionnaire depth, evidence collection, and continuous monitoring.
Why this module exists. The threat model has shifted. The hardest perimeter to defend now is your vendors’ perimeter. This module is the practitioner programme: how to tier, assess, monitor, and respond.
The tiering — start here
Not every vendor needs the same scrutiny. Categorise based on data sensitivity, access level, and operational dependency:
| Tier | Examples | Assessment depth |
|---|---|---|
| Tier 1 — Critical | Cloud (AWS, Azure), Payment processor, KMS provider, Core banking platform | SOC 2 Type II + on-site / virtual audit annually + contractual right to audit |
| Tier 2 — High | HR platform with PII access, identity provider, MDM, SIEM | SOC 2 Type II review + questionnaire + reference checks |
| Tier 3 — Medium | Marketing automation, analytics, CRM | Self-attestation questionnaire + public security posture review |
| Tier 4 — Low | Office supplies, travel booking, generic SaaS | Standard procurement clauses only |
DPDP Act in your stack?
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.
Book DPDP scoping call
Replies in 4 working hrs · India-only · Senior consultants