Supply chain risk management is the discipline of knowing which third parties touch your data, how exposed each one makes you, and what you would do if one was breached. For an SME that means a vendor inventory, a classification of each supplier by risk, and the right questions before you hand over data.
The uncomfortable truth is that your data no longer sits in one place you control. It sits in your accounting platform, your CRM, your payroll provider, your email host and the dozen smaller SaaS apps your team signed up for. A breach at any one of them is your problem — and potentially your reportable obligation under the Privacy Act.
Why third-party risk is now a leading breach vector
For years the security conversation focused on hardening your own perimeter — firewalls, patching, multi-factor authentication. That work still matters, but attackers worked out something obvious: it is far easier to breach one supplier with weak controls and ride that access into hundreds of downstream businesses than to attack each one individually. So the breach rarely happens inside your four walls. It happens at a vendor — a software provider, an outsourced bookkeeper, a marketing platform — and your data is collateral. You did everything right with MFA and backups, and you still end up notifying customers because a supplier you trusted left a database exposed.
The Australian context makes this concrete. The last few years have seen a string of large supplier and service-provider breaches where the headline organisation was big, but the real damage fanned out across thousands of smaller businesses whose data was processed on their behalf. When a payroll outsourcer or a legal-services platform is breached, every business that fed it data is suddenly exposed — and most had no idea how much was sitting there, or how weak that supplier’s controls were. The lesson is blunt: your security posture is only as strong as the weakest supplier holding your data.
Doing vendor risk management without enterprise GRC
Large organisations run formal governance, risk and compliance (GRC) programmes with dedicated teams, risk registers and continuous monitoring. An SME has none of that and does not need it. What you need is a “lite” version that captures most of the value for a fraction of the effort — five habits.
1. Maintain a vendor inventory
You cannot manage risk you cannot see. List every external party that holds, processes or can access your data and systems. Most SMEs are surprised by how long this list is once they write it down — accounting software, CRM, payroll, Microsoft 365, file storage, e-signature tools, the booking system, the marketing platform, the backup provider, and every smaller app a team member signed up for on a credit card. That last category is the dangerous one, and it overlaps with the problem we cover in our piece on auditing SaaS sprawl and hidden apps. The inventory does not need to be sophisticated — a spreadsheet with the vendor name, what data they hold, who owns the relationship, and how critical they are will do. The discipline is keeping it current.
2. Classify by data sensitivity and criticality
Not every vendor deserves the same scrutiny. Sort your inventory along two axes: how sensitive is the data they hold, and how badly would it hurt if they went down or were breached? The handful of suppliers that hold sensitive personal data, payment information or your core operational systems are your tier-one vendors — they get real questions and contract scrutiny. The rest get a lighter touch. Trying to assess every supplier to the same depth is how SMEs give up on vendor risk entirely.
3. Ask key suppliers the right questions
For your tier-one suppliers, a short questionnaire does most of the work. You are not auditing them; you are checking they are not obviously negligent and getting answers on the record. The questions that matter:
- Certifications. Do they hold ISO 27001, SOC 2, IRAP or an equivalent? A current certification is not a guarantee, but it tells you an independent party has looked at their controls.
- MFA and access control. Is multi-factor authentication enforced on their systems and on the admin access to your data?
- Breach notification. Will they notify you, and how quickly, if they suffer an incident affecting your data? Get the timeframe in writing.
- Data location. Where is your data physically stored and processed? Onshore in Australia, or offshore in a jurisdiction with different privacy rules?
- Sub-processors. Who else do they hand your data to? A vendor’s own suppliers become your risk, and the chain is often longer than anyone admits.
If a supplier cannot or will not answer these, that is itself a finding. A vendor that bristles at basic security questions is telling you something about how they treat your data.
4. Bake security clauses into contracts
Verbal assurances are worthless when something goes wrong. Where you have negotiating room, get the important commitments into the contract or data-processing agreement: a defined breach-notification window, a requirement to maintain reasonable security controls, restrictions on where data is stored, limits on sub-processors, and an obligation to return or destroy your data when the relationship ends. For the suppliers you choose and pay, this is where your virtual CIO earns their keep — reading the agreement before you sign it.
5. Review annually
Vendor risk is not set-and-forget. Suppliers change ownership, move data offshore, or quietly degrade their security. Once a year, pull out the inventory, confirm the tier-one suppliers still hold the certifications they claimed, and remove the vendors you no longer use. The annual review is the single habit that keeps the whole exercise honest.
A Box Hill example
A professional services firm in Box Hill we work with came to us after a near-miss. One of their outsourced administrative suppliers had suffered a data incident, and the firm spent a frantic week trying to work out whether any client data was caught up in it — only to discover they had no record of what that supplier held or where it was stored. The answer turned out to be “not much,” but the panic was real.
We built them a vendor inventory from scratch, classified their suppliers, and sent the tier-one ones a short questionnaire. Two could not confirm MFA on their admin access; one was storing data offshore the firm did not know about. None of it was catastrophic, but all of it was the kind of thing you want to know before an incident, not during one.
The flip side: your customers are now assessing you
Here is the part SMEs often miss. While you assess your suppliers, your customers — especially the larger ones — are assessing you. Vendor questionnaires flow in both directions. If you supply a listed company, a government department or any sizeable organisation, expect their procurement team to send you the same questions you should be asking your own vendors: what certifications do you hold, is MFA enforced, where is data stored, how fast will you notify us of a breach.
This is where demonstrating a recognised baseline pays off commercially, not just defensively. Holding Essential Eight alignment, an SMB1001 certification, ISO 27001 or SOC 2 turns a painful back-and-forth into a single document you hand over. We cover the SME-focused option in our guide to Essential Eight compliance for Melbourne businesses, and our cyber insurance guide for Australian SMEs shows how these credentials connect. The business that can answer the questionnaire quickly wins the work over the one that cannot.
Offboarding vendors properly
The riskiest vendors are often the ones you stopped using but never properly disconnected. A trial app that still has an active OAuth grant into your Microsoft 365, a former bookkeeper whose login was never disabled, a marketing tool with a standing API token reading your customer list — these are live doors into your environment nobody is watching.
Offboarding a vendor means more than cancelling the subscription. Revoke their OAuth app permissions in Microsoft 365 or Google Workspace, disable any service accounts or API keys, confirm they have returned or destroyed your data per the contract, and remove any standing access your staff held to their platform. Reviewing those OAuth grants routinely surfaces forgotten third-party access no one remembers approving — our cyber security services include exactly this kind of access hygiene.
Frequently asked questions
What is the difference between supply chain risk and third-party risk?
Third-party risk is the risk introduced by any external party you deal with directly. Supply-chain risk is broader and includes the parties behind those parties — your vendor’s vendors, the sub-processors handling your data further down the chain. For a small business the practical work is the same: know who holds your data, and how exposed each link makes you.
Do we need expensive GRC software to do this?
No. For an SME a maintained spreadsheet, a sensible classification of suppliers by risk, a short questionnaire for the important ones and an annual review will deliver almost all the benefit. Dedicated third-party risk platforms are built for enterprises managing hundreds of vendors under regulatory mandate. Start with the discipline, not the tooling.
What do we do if a key supplier is breached?
Check your inventory to confirm what data the supplier held, contact them for confirmation of what was affected, and assess whether the incident triggers your obligations under the OAIC’s Notifiable Data Breaches scheme. If personal information you are responsible for was likely accessed and serious harm is likely, you may need to notify the OAIC and affected individuals — far easier when you already know what the supplier held.
Where to start
TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC at Tecoma — no offshore helpdesk. We help SMEs get a grip on third-party risk without enterprise overhead: building the vendor inventory, classifying suppliers, drafting the questions, cleaning up forgotten OAuth access, and getting you ready to answer your own customers’ security questionnaires. If you do not have a vendor inventory, that is the place to start. Get in touch and we will scope it with you.
Enterprise vendor risk management assumes you have a four-person governance, risk and compliance team. Most Melbourne SMEs have zero. This is a deliberately stripped ‘lite’ framework for businesses with 20 to 200 staff: three vendor tiers, a one-page questionnaire, the only evidence that matters, and the playbook for when a critical vendor fails the assessment.
Why the enterprise playbook fails for SMEs
Open any vendor risk management framework written for a bank or a listed company and you will find a 130-question security questionnaire, a quarterly review cadence, on-site audits, and a control library mapped to NIST CSF, ISO 27001, SOC 2, PCI DSS and the APRA standards. It works because there is a team paid full-time to run it.
An accounting firm in Hawthorn with 45 staff cannot run that programme. The office manager who ‘owns IT’ has neither the hours nor the technical background to read a SOC 2 Type II report properly, let alone challenge the boundaries it covers. And yet that same firm now uses 60 to 90 SaaS products that touch client data: Xero, a practice management system, an e-signature tool, four AI products, a payroll bureau, a document portal, a cloud archive, a CRM, and so on. The risk surface is the same as a mid-market enterprise. The team to manage it is not.
The lite framework below is what we run with our co-managed clients. It is opinionated, it ignores parts of the textbook on purpose, and it produces a defensible position that holds up in a cyber insurance application or a Privacy Act incident review. We have refined it across 12 years of running managed IT services in Melbourne since founding TechAssist in 2014, and it has now been deployed across professional services, healthcare admin, light manufacturing and not-for-profit clients.
The three-tier vendor categorisation
The single most useful move you can make is to stop treating all vendors the same. About 80% of the SaaS in a typical SME is low-risk; about 5% will hurt badly if it is breached or goes down. Sort the list once, properly, and you can focus your effort on the 5%.
Tier 1: Critical
A vendor is Tier 1 if any one of these is true:
- They process or store regulated personal data at scale (health records, financial accounts, legal matters, identity documents)
- Their outage stops the business from operating within 24 hours (your finance system, your line-of-business platform, your phone system, Microsoft 365)
- They have privileged access into your network, your identity provider, or your endpoints (your MSP, your security tooling, your remote support tools)
- They handle payments or move money
Expect 5 to 12 Tier 1 vendors in a typical SME. These get the full questionnaire, evidence requirements, and an annual review.
Tier 2: Important
A vendor is Tier 2 if they hold business data that you would care about leaking, but their outage is tolerable for a few days, or the data set is limited. Examples: your CRM, your marketing automation tool, your e-signature service, an HR information system that holds employee records, project management tools.
Expect 15 to 30 Tier 2 vendors. They get the short questionnaire and a light evidence check (the security page on their website is acceptable if it lists the right certifications).
Tier 3: Everyone else
Free productivity tools, internal-only utilities, vendors that hold nothing more sensitive than a contact list. The control is the procurement gate (someone signs off before the credit card goes in) and an annual list review. No questionnaire, no evidence, no annual reassessment.
Expect 30 to 60 Tier 3 vendors. The point is to have them on the list, not to spend any meaningful time on them.
The 12-question questionnaire that fits on one page
Long questionnaires (the SIG, the CAIQ, an internal 140-item monster) do not produce better risk decisions for SMEs. The vendor copies their answers from the last questionnaire, you have no way to verify most of it, and you sign anyway because you need the product. Strip it down to 12 questions that you will actually read.
| # | Question | What you are checking |
|---|
| 1 | Where is our data physically stored? List countries and providers (AWS, Azure, GCP, on-prem). | Australian Privacy Principle 8 obligations on cross-border disclosure |
| 2 | Do you hold a current SOC 2 Type II, ISO 27001, or IRAP assessment? Please attach. | Independent third-party assurance of controls |
| 3 | What is your data breach notification timeline to customers, in hours? | Whether they can meet your 72-hour OAIC obligation |
| 4 | Do you support single sign-on through Entra ID or Okta on our plan? | Identity hygiene; ability to off-board staff cleanly |
| 5 | Do you support multi-factor authentication for all users, including admins, on our plan? | The number-one preventable control |
| 6 | Are customer data encrypted at rest and in transit? Which algorithms? | Baseline cryptography |
| 7 | What is your data return and deletion process at contract end? Confirm timeline in days. | Off-boarding readiness |
| 8 | Do you subcontract any processing? List sub-processors and their function. | Fourth-party risk; same Privacy Act exposure |
| 9 | What is your published uptime target and the contractual remedy for missing it? | Service level reality vs marketing |
| 10 | How frequently do you back up customer data and what is the recovery point objective? | What you actually lose in a vendor incident |
| 11 | Have you had a security incident affecting customer data in the last 24 months? | History; willingness to disclose |
| 12 | Who is the named contact for security issues and what is their response time SLA? | Whether anyone will pick up the phone at 2 a.m. |
Twelve questions. One page. Most credible vendors can answer it in 30 minutes; if a Tier 1 vendor takes three weeks to respond or sends boilerplate that does not address the question, that is your answer. We have seen serious Australian SaaS vendors fill this out in a working day. We have also seen offshore platforms ignore it entirely. Both outcomes are useful information.
What ‘evidence’ you actually need
The textbook says: review their SOC 2 report, walk through their controls, validate their penetration testing, examine their incident response runbooks. In practice, for an SME, the evidence stack is much simpler. Either the vendor has an independent third-party attestation that you can rely on, or they do not.
Accept (Tier 1 and Tier 2)
- SOC 2 Type II covering at least the last 12 months and covering the product you are using. Type I is a snapshot and is worth far less. The scope matters – if the SOC 2 covers their corporate environment but not the production service you are buying, it is window dressing.
- ISO 27001 certification with a recent certificate (within the three-year cycle) and a scope statement that includes the relevant systems. Insist on the scope statement, not just the certificate number.
- IRAP assessment at PROTECTED or higher, for any vendor handling government-adjacent or sensitive data.
Acceptable with caveats (Tier 2 only)
- A current public security page that lists controls in detail and names specific frameworks they align with.
- A signed letter from their CISO or equivalent stating the controls in place, where no certification exists.
Not acceptable for Tier 1
- ‘We follow industry best practice.’
- ‘We are SOC 2 compliant’ with no report attached.
- ‘Our hosting provider (AWS) is certified.’ AWS being certified does not certify the customer running on AWS.
- A self-assessment questionnaire as the only evidence.
This is where most SME vendor programmes drift. The temptation is to accept a marketing page and move on because the alternative is to delay a project. Hold the line on Tier 1. Be pragmatic on Tier 2.
The playbook for when a key vendor fails
Here is what the textbook gets wrong: it implies that a failed vendor risk assessment means you switch vendors. In SME reality, you almost never do. You have a contract, you have integrations, you have user training, and switching costs are punishing. The realistic outcome of a failed assessment is risk acceptance with compensating mitigations.
The playbook we run with clients has five steps.
Step 1: Identify the specific gap
Not ‘they failed the questionnaire.’ Specifically: they have no SOC 2, their breach notification is 30 days, they do not support SSO on our tier, they will not name their sub-processors. Write down the actual gap.
Step 2: Quantify the exposure
What is the worst credible outcome if this gap is exploited? Loss of which data set, of what volume, with what regulatory and reputational consequences? Document the number of records and the personally identifiable information categories.
Step 3: Design compensating controls
Most gaps can be mitigated on your side. If they do not support SSO on your tier, enforce a strong password manager policy, rotate the shared credentials quarterly, and put an alert on the account. If their breach notification is 30 days, monitor publicly available breach feeds yourself. If they will not name sub-processors, restrict the data set you send them. If they do not have MFA on admin accounts, do not send them your most sensitive data.
Step 4: Document the acceptance
A risk acceptance document that names the gap, the mitigations, the residual risk, the business benefit of continuing, and the executive who signed off. This is what makes the position defensible later. Insurance underwriters and OAIC investigators do not expect perfection; they expect documented, considered decisions.
Step 5: Set a review date
Twelve months from now, are the mitigations still in place? Has the vendor improved their controls? Should the risk acceptance be renewed, withdrawn, or escalated?
A 70-staff law firm in Camberwell we work with ran this playbook recently on a US-based legal AI vendor. The vendor had no SOC 2, no SSO on the relevant tier, and stored data in US-East. The partners wanted the product. The compensating controls: a dedicated tenant configuration that limited what content could be sent to the tool, an enforced data classification policy on the matter management side, quarterly review of the vendor’s audit log exports, and a contractual addendum on breach notification. Risk accepted, documented, signed by the managing partner, reviewed annually. That is a defensible position.
The Australian Privacy Act 1988 angle
The Privacy Act amendments that came through in 2024 and 2025 changed the conversation for SMEs. The small business exemption is being narrowed; the maximum penalty for serious or repeated breaches is now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. Vendor risk management is now a Privacy Act obligation in practice if not in name. The OAIC has been clear: if your vendor has a breach involving your customers’ data, you are the entity that has obligations to notify and remediate, not the vendor.
Australian Privacy Principle 8 (cross-border disclosure) is the clause that catches most SMEs. Sending personal information overseas – which you do every time you sign up for a US SaaS – generally requires that you take reasonable steps to ensure the overseas recipient does not breach the APPs. Your vendor risk assessment is the ‘reasonable steps’ evidence. Without it, you are exposed.
For the detail on what this means in practice, see our companion piece on the Australian Privacy Act for SMBs and what your IT team must do. The vendor risk programme described here is one of the four foundational pieces of that broader compliance posture, alongside data minimisation, identity hygiene, and breach response readiness.
The cyber insurance vendor list creep problem
Cyber insurance applications now routinely ask for a vendor list. Some carriers want the top 10 by data sensitivity; some want every vendor with access to your systems; the more thorough underwriters want the questionnaire results for your Tier 1 vendors. Three observations from running these applications for clients over the past two years.
First, the list grows every year and the questions get sharper. A 2023 application that asked ‘do you use any third-party SaaS providers’ became a 2025 application that asks ‘list all third-party providers with access to personal information, the data categories involved, and your last review date for each.’ Expect this trajectory to continue. Your vendor list and tiering work is also insurance application work.
Second, an inaccurate disclosure on the insurance application can void the policy. We have seen clients tick ‘all critical vendors reviewed in the last 12 months’ when the answer was closer to ‘three of them.’ If a breach involves an unreviewed vendor, the carrier may decline. Be honest on the form, even if the answer is uncomfortable.
Third, insurers increasingly want evidence that you have an MSP or internal team running this programme. A client of ours in Box Hill had a cyber renewal in late 2025 where the carrier asked for proof of an MSP relationship covering vendor risk before they would renew on the existing premium. The co-managed IT support arrangement we had in place satisfied the underwriter; without it, the renewal would have been 40% more expensive.
What to run yourself versus what to delegate
The split we recommend for a 30 to 150 staff SME is:
| Activity | Cadence | Owner |
|---|
| Maintain the vendor list (additions, terminations) | Continuous | Internal (finance or operations) |
| Procurement gate for new vendors | Per request | Internal sign-off, MSP triage |
| Tier assignment for new vendors | Per request | MSP |
| Questionnaire issuance and review | Annually for Tier 1, on signup for Tier 2 | MSP |
| Evidence collection and storage | Annually | MSP |
| Risk acceptance documentation | Per finding | Internal (executive) with MSP support |
| Breach intelligence monitoring | Continuous | MSP NOC |
| Annual programme review | Yearly | Joint |
The work the MSP does is the technical assessment and the document handling. The work the business owns is the procurement decision and the risk acceptance. That separation matters. Risk acceptance is a business decision, not an IT decision; the MSP should not be signing it off, but should provide the analysis that informs it.
Our own approach at TechAssist is to maintain a vendor register for each managed client, run the questionnaire cycle from our 24/7 NOC at Tecoma, and bring findings to the client quarterly. When a P1 event involves a vendor (a Microsoft 365 outage, a confirmed third-party breach, a vendor that fails an audit), our sub-15-minute P1 response runs from the same NOC, and our 13 Australian engineers are the team that does the assessment work. No offshore questionnaire mills, no automated tooling that emails the vendor and walks away from the answer.
A realistic first 90 days
If you have nothing in place today and you want to start, here is the shape of the first quarter.
Weeks 1 to 2: List every SaaS, every vendor with a login, every contractor with system access. Pull it from your accounting system (every recurring expense), your password manager, and your single sign-on tenant. Expect to find 30 to 50 more than anyone thought existed.
Weeks 3 to 4: Tier the list. Most vendors will be Tier 3 in five minutes. The Tier 1 conversation is the one that takes time and judgement.
Weeks 5 to 8: Issue the 12-question questionnaire to Tier 1. Chase, read, file. Note the gaps.
Weeks 9 to 12: Risk acceptances or remediations for each Tier 1 gap. Document the position. Schedule the 12-month review. Brief the executive on residual risk.
At the end of 90 days you have a defensible vendor risk position, a paper trail for insurance and Privacy Act purposes, and a list that you can maintain in two to four hours a month rather than rebuilding from scratch every year. That is the goal of the lite programme: defensible, sustainable, and proportionate.
Frequently Asked Questions
Do we need a vendor risk programme if we are under the small business turnover threshold for the Privacy Act?
The small business exemption (under $3 million turnover) is being narrowed by the Privacy Act reforms, and even today the exemption does not apply to health service providers, businesses that buy or sell personal information, contractors to the Commonwealth, and a few other categories. More practically, your customers, your insurers, and your enterprise prospects increasingly require vendor risk evidence regardless of whether the Act technically applies to you. We recommend a lite programme for every SME with more than 20 staff.
Is a SOC 2 Type I report sufficient for Tier 1 vendors?
No. SOC 2 Type I is a point-in-time review and tells you very little about how the vendor actually operates the controls over time. For Tier 1, insist on a SOC 2 Type II covering at least six months and ideally twelve. Type I is acceptable for Tier 2 alongside other evidence.
What do we do about vendors that refuse to respond to the questionnaire?
For Tier 1, non-response is the answer. Either escalate to their account team (often the account manager can move the request through their internal security team) or accept that you cannot use them for Tier 1 workloads. For Tier 2, document the non-response, look at their public security page, and consider whether the gap is acceptable. Some smaller vendors genuinely do not have the team to respond, and that is itself a risk signal.
Should we use an automated vendor risk platform?
Probably not for an SME under 100 staff. The platforms (UpGuard, SecurityScorecard, BitSight, OneTrust) are excellent but priced for an enterprise budget and produce more data than a small team can act on. A spreadsheet, a shared mailbox for evidence collection, and a calendar reminder for annual review will do the job for most SMEs. Revisit the tooling question if you grow past 200 staff or if your customers start asking for vendor risk evidence in a specific format.
Who in the business should own vendor risk?
The accountability should sit with a named executive (CFO, COO or general manager in a typical SME). The day-to-day work can be delegated to an office manager, an internal IT lead, or your MSP. The risk acceptance decisions cannot be delegated below executive level.
How does this fit with our existing cyber security work?
Vendor risk is one pillar of a broader programme that also includes endpoint and identity controls, backup and recovery, and incident response. Our Melbourne cyber security services wrap these pillars together for managed clients, and the vendor risk lite framework is part of the standard offering. If you want to talk through how the pieces fit for your business, our team is reachable through the contact page.