
How to Conduct a Third-Party Risk Assessment: A UK Guide


Why UK firms need a structured third-party risk assessment

UK businesses now operate in a regulatory environment where a third-party incident becomes your incident by default. Under UK GDPR, a controller remains accountable for processing carried out on its behalf: it may appoint only processors that give sufficient guarantees (Article 28), and it answers to the ICO and to data subjects when a processor's failure leads to a breach. Under the EU's Digital Operational Resilience Act (DORA), which reaches UK firms that own EU-regulated financial entities or supply ICT services to them, ICT third-party risk is a named category of risk the management body is accountable for. The UK's forthcoming update to its NIS Regulations, the domestic counterpart to the EU's NIS 2, makes similar demands of firms in critical sectors. This is the context in which a credible TPRM programme now has to operate.

The question is no longer whether to assess third parties. It is whether your assessment process is defensible when a supplier fails and you are explaining yourself to the ICO, the FCA, or a customer’s legal team. The organisations that get this right operate the assessment programme end-to-end: a mapped supplier universe, tiered by operational dependency and data exposure, with clear scoring logic, documented SLAs, and board-ready reporting. The organisations that do not usually have the intent but lack the capacity.

Stage 1: Scope and tiering

Not every supplier needs the same level of scrutiny. The first step in any third-party risk assessment is to map your supplier universe and tier each vendor by operational dependency, data exposure, and regulatory sensitivity. Our vendor due diligence framework covers the tiering logic in more depth.

A UK-appropriate tiering model:

  • Tier 1 (Critical): Handles personal or sensitive data, has privileged access to production systems, or supports a critical business service. Full assessment, annual reassessment, contractual audit rights, continuous monitoring.
  • Tier 2 (Moderate): Has some data access or system integration but is not critical to service continuity. Shortened assessment, evidence sampling, biennial reassessment.
  • Tier 3 (Low): No sensitive data, no production system access. Basic compliance check and a signed Data Processing Agreement if any personal data is involved.

Tier first, document why. That single step keeps the programme proportionate and gives you a defensible audit trail. It is also where scoring logic, assessment templates, and SLAs should be configured so the rest of the process runs consistently rather than case-by-case.

Stage 2: Evidence collection and validation

The questionnaire is the workhorse of the assessment, but the questionnaire is not the assessment. The assessment is the evidence behind the answers. A vendor saying ‘yes we encrypt data at rest’ is not evidence. The relevant row of their ISO 27001 Statement of Applicability (control A.10.1, cryptographic controls, in the 2013 Annex A; control 8.24 in the 2022 edition), read alongside the certificate that shows an accredited auditor reviewed it, or a SOC 2 Type II report paragraph describing the control and how the auditor tested it, is evidence. Note the difference in strength: a Statement of Applicability is the vendor's own declaration of which controls it operates, and carries weight only when the certificate's scope covers the service you are buying; a Type II report records independent testing over a period.

Do not write your own questionnaire from scratch. Start from an accepted framework and adapt:

  • Standardised Information Gathering (SIG) questionnaire from Shared Assessments, used across financial services globally.
  • Cyber Essentials or Cyber Essentials Plus self-assessment, useful for UK-centric and smaller suppliers.
  • ISO 27001 Statement of Applicability, if the vendor is certified, mapped against your own risk priorities.

The evidence pack for a Tier 1 vendor should include:

  • Current ISO 27001 certificate, issued by a UKAS-accredited (or equivalent) certification body, with its scope statement, or a SOC 2 Type II report dated within the last 12 months.
  • A Data Processing Agreement aligned to UK GDPR Article 28 if personal data is processed.
  • Business continuity and disaster recovery documentation with tested RPO and RTO figures.
  • List of sub-processors or sub-contractors that will have access to your data.
  • Incident response process, including notification timelines to you that are short enough to meet your own UK GDPR obligation to notify the ICO within 72 hours of becoming aware (Article 33). A processor that only promises to tell you within 72 hours leaves you no time at all.
  • Evidence of penetration testing within the last 12 months.

Evidence collection is where most internal programmes stall. Chasing vendors over email, validating documents against scope, and following up on missing artefacts is time-consuming, repetitive work. It is also the work that cannot be skipped without the assessment becoming decorative.

Stage 3: Control review, scoring and recommendations

An independent reviewer works through the questionnaire responses and the supporting evidence. The output is a control review with a score against each domain, a gap list, and a set of recommendations: what to require contractually, what to compensate for internally, and what to flag for escalation. Independence matters here. A review done by the same person who procured the vendor is not a review; it is a defence.

Common gaps in UK vendor assessments:

  • ISO 27001 scope does not cover the service you are buying. This happens more often than most firms realise.
  • SOC 2 report is Type I (point-in-time design) rather than Type II (operating effectiveness over a period). Type I is thin evidence for critical vendors.
  • Data is stored or accessed outside the UK and no transfer mechanism is in place: UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. EU SCCs on their own do not cover a UK restricted transfer.
  • Sub-processors are listed but no onward flow-down of UK GDPR obligations is documented.
  • Penetration test is more than 12 months old, or was scoped to exclude the service you are procuring.

Each gap should have an impact rating and a mitigation route. The mitigation is a contractual clause (the vendor commits to fix it by a date), a compensating control on your side (you add monitoring or encryption in transit), or a risk acceptance with a named owner. Remediation tracking and follow-up is the part of the process that most firms treat as optional and most regulators treat as mandatory.
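The evidence rules in Stage 2 and the common gaps above are mechanical enough to check before a reviewer spends time on them. The following Python is an added example, not Logica Security's tooling or any product's code: it models an evidence pack as dated, scoped artefacts and flags the gaps listed above (expired or out-of-scope ISO 27001 certificate, SOC 2 Type I, missing DPA, offshore storage without a UK transfer mechanism, undocumented sub-processor flow-down, stale or out-of-scope penetration test, missing BC/DR evidence). The record layout, gap codes, impact ratings and the sample vendor are constructed for illustration; the scope check is a deliberately crude substring match that only catches an obvious miss.

```python
"""Evidence-pack checker for the Tier 1 rules in Stages 2 and 3.

Added example, not Logica Security's tooling. The record layout, gap codes,
impact ratings and the sample vendor are constructed for illustration; the
thresholds (12-month report age, UK transfer routes, SOC 2 Type II) follow
the guidance in the text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REPORT_MAX_AGE = timedelta(days=365)
# Lawful UK restricted-transfer routes: adequacy regulations, the ICO's IDTA,
# or the UK Addendum to the EU SCCs. Bare EU SCCs are not enough on their own.
UK_TRANSFER_MECHANISMS = {"adequacy", "idta", "uk_addendum"}


@dataclass
class Artefact:
    kind: str                        # iso27001_cert | soc2 | pentest | dpa | bcdr
    dated: date                      # issue date of the document
    scope: str = ""                  # scope statement as written on the document
    soc2_type: Optional[str] = None  # "I" or "II", SOC 2 reports only
    valid_to: Optional[date] = None  # expiry, ISO 27001 certificates only


@dataclass
class VendorPack:
    name: str
    service: str                     # the service you are actually buying
    tier: int
    processes_personal_data: bool
    storage_countries: list[str]     # ISO country codes where your data rests
    transfer_mechanisms: set[str]
    sub_processors: list[str]
    flowdown_documented: bool        # UK GDPR terms flowed down to sub-processors?
    artefacts: list[Artefact] = field(default_factory=list)


@dataclass
class Gap:
    code: str
    impact: str                      # high | medium
    detail: str


def covers(scope: str, service: str) -> bool:
    """Crude scope check: the procured service must be named in the scope.
    A reviewer still reads the statement; this only catches the obvious miss."""
    return service.lower() in scope.lower()


def assess_pack(pack: VendorPack, today: date) -> list[Gap]:
    gaps: list[Gap] = []
    stale_before = today - REPORT_MAX_AGE
    by_kind: dict[str, list[Artefact]] = {}
    for a in pack.artefacts:
        by_kind.setdefault(a.kind, []).append(a)

    iso, soc2 = by_kind.get("iso27001_cert", []), by_kind.get("soc2", [])
    if not iso and not soc2:
        gaps.append(Gap("no_assurance", "high", "No ISO 27001 certificate or SOC 2 report supplied"))
    for cert in iso:
        if cert.valid_to is None or cert.valid_to < today:
            gaps.append(Gap("iso_expired", "high", f"ISO 27001 certificate expired {cert.valid_to}"))
        if not covers(cert.scope, pack.service):
            gaps.append(Gap("iso_scope", "high", f"ISO 27001 scope '{cert.scope}' does not name '{pack.service}'"))
    for rep in soc2:
        if rep.soc2_type != "II":  # Type I is design only; thin for a critical vendor
            gaps.append(Gap("soc2_type_i", "high" if pack.tier == 1 else "medium",
                            "SOC 2 report is Type I (design at a point in time, not operating effectiveness)"))
        if rep.dated < stale_before:
            gaps.append(Gap("soc2_stale", "medium", f"SOC 2 report dated {rep.dated} is older than 12 months"))
        if not covers(rep.scope, pack.service):
            gaps.append(Gap("soc2_scope", "high", f"SOC 2 scope '{rep.scope}' does not name '{pack.service}'"))

    if pack.processes_personal_data and "dpa" not in by_kind:
        gaps.append(Gap("no_dpa", "high", "Personal data processed but no UK GDPR Article 28 DPA"))

    offshore = [c for c in pack.storage_countries if c != "GB"]
    if offshore and not (pack.transfer_mechanisms & UK_TRANSFER_MECHANISMS):
        gaps.append(Gap("transfer_mechanism", "high",
                        f"Data rests in {offshore} with no adequacy, IDTA or UK Addendum in place"))

    if pack.sub_processors and not pack.flowdown_documented:
        gaps.append(Gap("flowdown", "medium",
                        f"{len(pack.sub_processors)} sub-processor(s) listed, no documented flow-down of UK GDPR terms"))

    fresh_tests = [p for p in by_kind.get("pentest", []) if p.dated >= stale_before]
    if not fresh_tests:
        gaps.append(Gap("pentest_stale", "medium", "No penetration test dated within the last 12 months"))
    elif not any(covers(p.scope, pack.service) for p in fresh_tests):
        gaps.append(Gap("pentest_scope", "high", "Recent penetration test excludes the service being procured"))

    if pack.tier == 1 and "bcdr" not in by_kind:
        gaps.append(Gap("no_bcdr", "medium", "Tier 1 vendor without BC/DR evidence (tested RPO/RTO)"))
    return gaps


def needs_named_acceptance(gaps: list[Gap]) -> bool:
    """Any high-impact gap left open must be accepted by a named business owner."""
    return any(g.impact == "high" for g in gaps)


# Constructed sample pack for a fictional vendor, built to show several of the common gaps.
TODAY = date(2025, 6, 1)
SAMPLE = VendorPack(
    name="Example Payroll Ltd", service="Payroll SaaS", tier=1,
    processes_personal_data=True, storage_countries=["GB", "IE"],
    transfer_mechanisms=set(), sub_processors=["cloud hosting provider"],
    flowdown_documented=False,
    artefacts=[
        Artefact("iso27001_cert", date(2024, 3, 1), "Corporate IT and head office services",
                 valid_to=date(2027, 2, 28)),
        Artefact("soc2", date(2025, 1, 15), "Payroll SaaS platform", soc2_type="I"),
        Artefact("pentest", date(2023, 11, 20), "Payroll SaaS platform"),
        Artefact("dpa", date(2024, 6, 1)),
        Artefact("bcdr", date(2025, 2, 1), "RPO 4h / RTO 8h, tested Jan 2025"),
    ],
)

if __name__ == "__main__":
    for g in assess_pack(SAMPLE, TODAY):
        print(f"[{g.impact.upper():6}] {g.code}: {g.detail}")
```

Run as a script, it prints the five gaps for the sample vendor with their impact rating. `needs_named_acceptance` is the hook into Stage 4: any high-impact gap still open after mitigation is carried to a named business owner rather than closed by the security team.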

Stage 4: Residual risk scoring and sign-off

The residual risk score is what is left after controls and mitigations are applied. A simple and defensible approach is a heat map: likelihood on one axis, impact on the other, with a small number of bands (low, moderate, high, severe).

Risk acceptance, though, is not something you can outsource. It is the one part of a TPRM programme that must stay with the customer. A risk at high residual must be explicitly accepted by a named individual inside your organisation with the authority to do so. This is almost never the security team. It is the business sponsor who is choosing to use the vendor. The security team’s job, or your TPRM partner’s job, is to make the risk visible. The business’s job is to own it. This is where governance and audit processes earn their keep.

The well-run programmes separate these cleanly: everything operational, from assessments to remediation chasing to continuous monitoring, is handled by a dedicated team. What stays with the customer is deciding which suppliers are in scope, accepting residual risk, and handling internal escalations. That split is what lets executives focus on risk decisions rather than risk administration.

Stage 5: Continuous monitoring and governance reporting

A third-party risk assessment is not finished when the contract is signed. Tier 1 vendors need continuous monitoring. A credible monitoring programme for a UK firm includes:

  • Annual questionnaire refresh with updated evidence for Tier 1 suppliers, plus trigger-based reassessment after material changes such as acquisition, change of hosting, change of sub-processors, or a publicly disclosed incident.
  • Tracking of the vendor’s public security signals: is their ISO 27001 certificate still current, has their SOC 2 report been updated, are they named in breach disclosures or regulatory actions.
  • Contract clauses that give you audit rights and incident notification rights, actively enforced rather than filed.
  • Board-ready reporting that surfaces risk heatmaps, overdue items, trends, and control gaps, with monthly operational summaries and quarterly deep dives for the Risk Committee.

Without this layer, a TPRM programme becomes a snapshot that goes stale within months. With it, the programme is a living view of third-party risk that executives can actually act on.

How Logica Security runs this for UK firms

Third-party risk assessment is a capacity problem as much as a capability problem. Most UK security teams know what good looks like; they do not have the hours to do it consistently across a vendor population of 200, 500, or 2,000. Logica Security’s TPRM service is a scalable, done-for-you managed service that takes ownership of the end-to-end process. Your team keeps oversight. We handle the work.

The service runs in four phases. Onboarding and Discovery maps your supplier universe, tiers vendors by operational dependency and data exposure, and configures assessment templates, scoring logic, and SLAs to your requirements. Baseline and Clearance takes responsibility for your existing backlog, contacting suppliers, completing assessments and validating evidence, with live visibility of progress and emerging risk levels. Continuous Monitoring then runs the ongoing programme: assessments, documentation validation, and critical-vendor monitoring, with immediate escalation of risk changes, issues, or exceptions. Reporting and Governance delivers monthly summaries, quarterly deep dives, and annual board-level reporting, with dashboards covering risk heatmaps, overdue items, trends, and control gaps.

What stays with you: deciding which suppliers are in scope, final risk acceptance decisions, and internal escalations. Everything else is run by our team. That is what lets executives focus on risk decisions rather than risk administration, without hiring costs, key-person dependency, or coverage gaps.

For firms operating under DORA, NIS 2, or ISO 27001, we evidence compliance with the applicable regulatory or best-practice framework for your operations. Optional add-ons cover DORA operational resilience mapping, stress testing, tabletop exercises, and onsite assessments.

If you are building a programme from the ground up or looking to strengthen oversight of your existing vendors and suppliers, a short exploratory call is the fastest way to clarify your options and next steps.

Key takeaways

  • A third-party risk assessment has five stages: scope and tiering, evidence collection and validation, control review and scoring, residual risk sign-off, and continuous monitoring with governance reporting.
  • Tier vendors first by operational dependency and data exposure. Proportionality is the difference between a programme that works and a programme that drowns.
  • Evidence beats assertion. A vendor claim without a supporting document is a conversation, not an assessment.
  • Risk acceptance stays with the customer. Operational execution (assessments, evidence chasing, remediation tracking, monitoring, reporting) is the part that can be run as a managed service.
  • Continuous monitoring and board-ready reporting turn a point-in-time assessment into a living view of third-party risk.

Logica Security is a UK-based cybersecurity consultancy specialising in regulated and high-risk industries. We support organisations across cyber security, operational resilience and supplier risk.

© Logica Security Limited | Company Registration: 11806049. All rights reserved.