Tags: TPRM, Vendor Tiering, Risk Classification

High, Medium, Low: How to Accurately Tier Your Third-Party Vendors

Author: Jerisaliant

Why Vendor Tiering Is Essential

Most organizations work with hundreds or even thousands of third parties. Applying the same depth of risk assessment to every vendor is neither practical nor necessary. Vendor tiering allocates assessment effort proportionally to risk, ensuring your highest-risk vendors receive the deepest scrutiny while lower-risk vendors are managed efficiently.

Tiering Criteria

Build your tiering model around these key dimensions:

Data Access

  • High: Access to sensitive personal data (health, financial, biometric), large volumes of PII, or data from vulnerable populations (children).
  • Medium: Access to non-sensitive personal data (business contact information) or limited PII volumes.
  • Low: No access to personal data. May handle only non-personal or aggregated data.

System Access

  • High: Direct access to production systems, networks, or infrastructure (cloud providers, managed service providers, remote access tools).
  • Medium: Access to non-production systems or limited application-level access.
  • Low: No system access (physical goods suppliers, office services).

Business Criticality

  • High: Business operations would be severely disrupted if the vendor failed or was compromised.
  • Medium: Disruption would be significant but manageable with workarounds.
  • Low: Easily replaceable with minimal operational impact.

Regulatory Exposure

  • High: Vendor processes data subject to specific regulations (GDPR, HIPAA, PCI DSS).
  • Medium: General compliance requirements apply.
  • Low: Minimal regulatory implications.

Scoring and Classification

Assign numerical scores to each dimension and calculate a composite score. Common approaches:

  • Weighted scoring: Assign different weights to each dimension (e.g., data access 40%, system access 25%, business criticality 20%, regulatory 15%).
  • Maximum risk rule: The vendor's tier is determined by its highest-risk dimension (a vendor with High data access is automatically Tier 1, regardless of other scores).
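The two classification rules above can disagree for the same vendor, and that is exactly the case worth catching. The following script is an added example, not part of the original post or of the Jerisaliant product; the 1-3 ordinal scale, the tier cutoffs (2.5 and 1.75) and the sample vendor are assumptions, while the weights are the page's own.

```python
from typing import Dict

# Ordinal value per rating (assumed scale; the page gives High/Medium/Low only).
LEVEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}

# Weights taken from the page's weighted-scoring example.
WEIGHTS = {
    "data_access": 0.40,
    "system_access": 0.25,
    "business_criticality": 0.20,
    "regulatory": 0.15,
}
DIMENSIONS = tuple(WEIGHTS)

def weighted_score(ratings: Dict[str, str]) -> float:
    """Composite score in [1.0, 3.0]; 3.0 means High on every dimension."""
    missing = set(DIMENSIONS) - set(ratings)
    if missing:  # refuse to tier a vendor whose risk profile is incomplete
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    return sum(WEIGHTS[d] * LEVEL_SCORE[ratings[d]] for d in DIMENSIONS)

def tier_from_weighted(ratings, high_cutoff=2.5, medium_cutoff=1.75) -> int:
    """Weighted scoring: map the composite score onto Tier 1/2/3 (cutoffs assumed)."""
    score = weighted_score(ratings)
    if score >= high_cutoff:
        return 1
    return 2 if score >= medium_cutoff else 3

def tier_from_max_rule(ratings) -> int:
    """Maximum risk rule: the single highest-risk dimension sets the tier."""
    worst = max(LEVEL_SCORE[ratings[d]] for d in DIMENSIONS)
    return {3: 1, 2: 2, 1: 3}[worst]

def classify(ratings):
    """Run both rules; flag vendors where they disagree for manual review."""
    weighted, max_rule = tier_from_weighted(ratings), tier_from_max_rule(ratings)
    return {
        "score": round(weighted_score(ratings), 2),
        "weighted_tier": weighted,
        "max_rule_tier": max_rule,
        "needs_review": weighted != max_rule,
    }

# Constructed sample: a payroll provider holding sensitive PII under regulation,
# but with no system access and easy replaceability. Weighted rule: 2.1 -> Tier 2;
# maximum risk rule: High data access -> Tier 1. The disagreement is flagged.
PAYROLL_VENDOR = {"data_access": "High", "system_access": "Low",
                  "business_criticality": "Low", "regulatory": "High"}

if __name__ == "__main__":
    print(classify(PAYROLL_VENDOR))
```

A vendor flagged with `needs_review` is the case where the maximum risk rule exists: a single High dimension is enough to justify Tier 1 treatment even when the weighted average looks moderate.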

Assessment Frequency by Tier

Tier, assessment type, and frequency:

  • Tier 1 (High): Full assessment + on-site audit; annually, plus continuous monitoring
  • Tier 2 (Medium): Standard questionnaire + evidence review; every 18-24 months
  • Tier 3 (Low): Self-assessment or certification check; every 2-3 years

Dynamic Re-Tiering

Vendor tiers are not static. Trigger re-tiering when:

  • The vendor's scope of work changes (e.g., now handling more sensitive data)
  • The vendor suffers a security incident
  • Regulatory requirements change
  • The vendor acquires new sub-processors or changes its infrastructure

Jerisaliant's TPRM module includes automated tiering based on configurable criteria, with dynamic re-tiering triggers and assessment scheduling by tier.
