--- title: "ISO 27036 Third-Party Risk Checklist (Vendor Due Diligence + Monitoring)" canonical_url: "https://www.sorena.io/artifacts/global/iso-27036/third-party-risk-checklist" source_url: "https://www.sorena.io/artifacts/global/iso-27036/third-party-risk-checklist" author: "Sorena AI" description: "An ISO/IEC 27036-aligned third-party risk checklist: supplier tiering, vendor due diligence, supplier selection criteria, contract security clauses." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "ISO 27036 third party risk checklist" - "ISO/IEC 27036 vendor risk checklist" - "third party risk management checklist" - "TPRM checklist" - "vendor due diligence checklist" - "supplier security checklist" - "supplier selection checklist" - "supplier agreement checklist" - "contract security clauses checklist" - "supplier assurance evidence checklist" - "compliance monitoring and enforcement plan" - "corrective actions workflow" - "indirect suppliers and subcontractors checklist" - "cloud vendor security checklist" - "SaaS due diligence checklist" - "supply chain security checklist" - "GLOBAL compliance" - "ISO/IEC 27036" - "Third-party risk management" - "Vendor due diligence" - "Supplier monitoring" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ISO 27036 Third-Party Risk Checklist (Vendor Due Diligence + Monitoring) An ISO/IEC 27036-aligned third-party risk checklist: supplier tiering, vendor due diligence, supplier selection criteria, contract security clauses. *Checklist* *GLOBAL* ## ISO 27036 Third Party Risk Checklist A procurement + security operations checklist you can run repeatedly across suppliers and vendors. Aligned to ISO/IEC 27036-2 life cycle processes: planning, selection, agreement, and supplier relationship management. ISO/IEC 27036-2 structures supplier relationship security using a supplier relationship life cycle and expects compliance monitoring and enforcement with corrective actions. ISO/IEC 27036-3 adds deeper guidance for hardware, software, and services supply chain security, and ISO/IEC 27036-4 adds cloud service guidance. This checklist operationalizes those requirements as a repeatable third-party risk management flow across supplier onboarding, execution, change, and exit. ## How to use this ISO 27036 checklist (tiered, evidence-first) Run this checklist per supplier relationship instance, not once per year as a generic questionnaire. The goal is to produce a traceable evidence pack: tiering rationale, due diligence outputs, agreement clauses and deviations, monitoring records, and corrective actions. Apply depth based on tier. High-risk suppliers get deeper due diligence, stronger contract clauses, and tighter monitoring cadence. - Define owner per step: procurement owner, security reviewer, legal reviewer, service owner - Attach evidence to each checklist item and avoid unsupported yes-or-no answers - Document exceptions and compensating controls in an exceptions register *Recommended next step* *Placement: after the checklist block* ## Turn ISO 27036 Third Party Risk Checklist into an operational assessment Assessment Autopilot can take ISO 27036 Third Party Risk Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on ISO 27036 can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for ISO 27036 Third Party Risk Checklist](/solutions/assessment.md): Start from ISO 27036 Third Party Risk Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through ISO 27036](/contact.md): Review your current process, evidence gaps, and next steps for ISO 27036 Third Party Risk Checklist. ## 1) Supplier relationship planning checklist (define requirements before choosing vendors) Planning prevents vendor lock-in to insecure choices. Define information security foundations, tiering criteria, and what an acceptable supplier looks like before you evaluate suppliers. Planning outputs become inputs to selection, agreement, and monitoring. - Define scope: what product/service is procured, what data types are involved, what systems are touched, what connectivity exists - Tier the supplier relationship instance (criticality + access + data sensitivity + jurisdiction) - Define baseline requirements framework per tier (minimum controls and evidence expectations) - Define monitoring expectations upfront (cadence, triggers, and enforcement model) ## 2) Supplier selection + due diligence checklist (evidence collection and risk decision) Supplier selection should be criteria-driven and evidence-backed. Collect proof that the supplier can meet agreement requirements and support compliance monitoring and enforcement. For higher tiers, include visibility into subcontractors and indirect suppliers when they materially affect risk. - Confirm governance: security ownership, escalation contacts, and incident response points of contact - Request assurance evidence: ISMS scope statements, independent assurance reports, control summaries tied to your requirements - Validate operational capabilities: vulnerability management, patching, secure update process, logging and monitoring, backup and restore testing - Assess supply chain: subcontractors, hosting providers, critical dependencies, and flow-down obligations - Software or component intensive suppliers: request dependency transparency, update process evidence, and transition or disposal controls where material - Cloud services: clarify shared responsibility (provider vs customer) and require cloud-specific evidence (isolation, identity, logging, region controls) ## 3) Supplier agreement checklist (bind requirements into enforceable clauses) ISO 27036-2 is often used as agreement requirements. The agreement should translate requirements into measurable obligations, acceptance criteria, evidence deliverables, and a compliance monitoring and enforcement plan. Avoid ambiguity: define timelines, required fields, and what happens on non-compliance. - Contract clause set by tier: responsibilities, data handling, access controls, change management, incident notification, termination/exit - Subcontractors: disclosure and approval model, flow-down obligations, location/jurisdiction constraints where applicable - Monitoring and enforcement: audit model, evidence cadence, corrective actions process, and escalation thresholds - Change and incident procedures: notification windows, required fields, cooperation duties, and post-incident actions ## 4) Onboarding + transition checklist (make controls real in operations) After signature, onboarding is where most supplier security breaks. Operationalize the agreement: provision least privilege access, configure integrations securely, and validate controls before full go-live. For complex services, require a transition plan and confirm unexpected-event handling during transition. - Access: least privilege roles, privileged access approval, and removal process - Security configuration baseline: logging, monitoring, encryption settings, and admin protections - Data flows: validate intended processing locations and storage/retention requirements - Transition plan: responsibilities, milestones, rollback, and communication paths for unexpected events - For product or software suppliers, confirm secure transition into operation and clear ownership of maintenance activities ## 5) Ongoing monitoring + enforcement checklist (the audit-proof part) ISO 27036-2 expects ongoing supplier relationship management: maintain information security, train impacted personnel, monitor and enforce compliance, and manage changes and incidents according to agreed procedures. Treat monitoring as a calendarized program with trend tracking and remediation closure, not an inbox of ad-hoc requests. - Evidence refresh cadence: periodic review plus event-driven review on material change - Compliance monitoring records: who reviewed what, findings, corrective actions, and closure proof - Change monitoring: location changes, ownership changes, certification loss/achievement, business continuity capability changes - Incident handling: notifications, containment collaboration, post-mortems, and corrective actions tracking - Escalation and termination: when risk cannot be reduced to acceptable levels, activate the exit plan ## 6) Offboarding + termination checklist (exit is a control) Termination is a security control when risks cannot be reduced. Plan exit early for high-tier suppliers: data return/deletion, access removal, and continuity of critical services. Keep evidence of termination actions and confirmations. - Access removal: disable accounts, revoke keys/tokens, rotate shared secrets - Data return/deletion: retention rules, deletion confirmations, backups handling, and residual data risks - Asset and documentation return: configurations, runbooks, logs per retention, and evidence index closure - Transition continuity: alternate supplier strategy and internal fallback plan - For hardware, software, or critical service suppliers, confirm disposal or decommissioning controls where assets or components remain in the environment ## Primary sources - [ISO/IEC 27036-2:2022 - ISO standard page (Reference 82060)](https://www.iso.org/standard/82060.html?ref=sorena.io) - Normative requirements; defines supplier relationship life cycle processes and monitoring/enforcement expectations. - [ISO/IEC 27036-1:2021 - ISO standard page (Reference 82905)](https://www.iso.org/standard/82905.html?ref=sorena.io) - Overview and concepts: supplier relationship types, risks, interdependencies, and indirect suppliers. - [ISO/IEC 27036-3:2023 - ISO standard page](https://www.iso.org/standard/85200.html?ref=sorena.io) - Guidance for hardware, software, and services supply chain security used when suppliers have deeper product or component risk. - [ISO/IEC 27036-4:2016 - ISO standard page (Reference 59689)](https://www.iso.org/standard/59689.html?ref=sorena.io) - Cloud services supplier relationship guidance across the lifecycle and supply chain. - [ISO/IEC 27001:2022 - ISO standard page](https://www.iso.org/standard/27001?ref=sorena.io) - ISMS context and audit expectations that typically require supplier assurance evidence. - [ISO/IEC 27002 - ISO standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Baseline controls that ISO 27036 expands with supplier lifecycle requirements and guidance. ## Related Topic Guides - [ISO 27036 Compliance (Supplier Relationship Security Program)](/artifacts/global/iso-27036/compliance.md): A practical ISO/IEC 27036 compliance playbook for supplier relationship security: governance, lifecycle processes (planning, selection, agreement. - [ISO 27036 Contract Security Clauses (Supplier Agreements + Cloud)](/artifacts/global/iso-27036/contract-security-clauses.md): A practical ISO/IEC 27036 contract clause pack: supplier agreement requirements, audit and assurance evidence, subcontractor visibility. - [ISO 27036 FAQ (Supplier Security, Indirect Suppliers, Cloud Supply Chain)](/artifacts/global/iso-27036/faq.md): ISO/IEC 27036 FAQ for third-party risk management (TPRM): which parts to use across 27036-1, 27036-2, 27036-3, and 27036-4, supplier relationship life cycle. - [ISO 27036 Supplier Assurance Framework (Tiering, Evidence, Monitoring)](/artifacts/global/iso-27036/supplier-assurance-framework.md): Build an ISO/IEC 27036-aligned supplier assurance framework: tier suppliers, define supplier selection criteria and agreement requirements. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/iso-27036/third-party-risk-checklist