Vendor risk management.
Right first time.

Control the cyber risk associated with critical third-party relationships.

Introducing VCRM

Vendor Cyber Risk Manager uses a triage approach to accurately identify the cyber risk implications of working with third parties, based on the specific product or service offered, the data sharing required, and the contract terms.

It gives you a clear picture of vendor control gaps, indicating the level of risk they pose, and provides you with recommendations for remediation, directing you to apply appropriately rigorous measures.

The result — all the data you need to make informed decisions on onboarding new vendors, renegotiating current supply contracts, and terminating high-risk relationships.

Conduct deep-dive tailored assessments into your most critical relationships

Assess third-party cyber risk quickly, accurately and efficiently

Evaluate existing arrangements and prioritise necessary changes

Focus your resources on relationships posing the greatest risk

Create tailored supplier questionnaires based on your chosen security standard

Embed a vendor assurance process that fits current and future needs

VCRM – Developed by practitioners for practitioners.

Speak To An Expert

How it works

VCRM employs a four-stage process to help you quickly and effectively gather information, identify risk and manage new and current relationships.


Initial Assessment – we use a triage technique to identify all factors which impact the risk profile of a product or service to be procured, including data transfer and storage, payment handling, hosting infrastructure, and more.


Supplier Assessment – VCRM produces a tailored supplier questionnaire for each vendor which aligns with your chosen security standard (ISO, NIST, custom), and explores an appropriate level of detail based on business risk.


Assessment Report – you receive tailored reports for each vendor which highlight the level of cyber risk exposure, the control gaps which need to be addressed, and the specific cyber security measures which will be most effective.


Input to Procurement/Legal – using the output reports, you’ll be able to negotiate vendor contracts that reflect the inherent cyber risk of each individual third-party relationship.

How it helps

Once you have worked through the VCRM process for each of your critical third-party relationships, here’s what you can expect:

You’ll have a clear view of the information shared with each vendor, and the associated cyber risk in each case.

You’ll be able to quickly and effectively review current third-party relationships, remediating or terminating contracts where needed to reduce your exposure.

You’ll have the tools to make informed decisions on onboarding new vendors and understand the risk implications of each new relationship.

You’ll be able to achieve optimal protection levels, based on real business risk, without imposing unnecessary burdens on suppliers. 

If that’s where you want to be, let’s talk about how we get there.

VCRM in practice — energy

A regional energy company, with a wide range of suppliers of varying levels of maturity regarding cyber security, was concerned about potential cyber exposure via supplier relationships.

CRMG worked with the client to categorise suppliers based on the business criticality of the relationship and applied VCRM to implement a simple triage approach, determining the extent to which individual suppliers should be subjected to cyber security scrutiny.

This enabled the organisation to apply a ‘light touch’ to less critical suppliers and greater rigour to those that presented increased cyber risk. 

A process for monitoring the ongoing cyber risk status of existing suppliers was implemented, and CRMG trained information security, procurement and legal personnel to apply the new vendor assurance process.

The result — the company reduced costs while lowering cyber risk overall. The new process focuses on minimising supplier-introduced risk while reducing the admin overhead for less critical suppliers.

Find out more

VCRM is designed for organisations in any sector, sharing business-critical information with vendors or other third-parties.

If you’re ready to get started, set up a call with one of our expert advisors today.