ACSC-Aligned Vendor Risk Assessment Template for Australian SMBs: 15 Questions to Ask Before You Sign

Why Australian SMBs need a vendor risk checklist

Every Australian SMB now depends on third parties: cloud accounting, payroll, CRM, managed IT, cyber tools, backup providers, and industry-specific SaaS. That convenience creates concentration risk, because a weakness in one vendor can expose many customers at once.

Recent 2026 software supply chain incidents showed how quickly trust can break when vendors, packages, or CI/CD environments are compromised. The lesson for SMBs is simple: do not assess a vendor on features and price alone. Assess whether they can protect your data, detect incidents quickly, recover operations, and tell you the truth when something goes wrong.​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌‌‍​‌‌​​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌​​‌‌‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌

‍​‌‌​​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​​‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Information Security Manual (ISM) both emphasise foundational controls such as access control, logging, encryption, secure configuration, incident response, and business continuity. Your vendor assessment should map back to those principles, even if your business is not formally required to comply with the ISM.

The 15-question ACSC-aligned vendor risk assessment template

Send these questions before contract signing and insist on written answers.

1. Are you currently certified to ISO/IEC 27001, or actively audited against an equivalent information security framework?
2. Do you have a current SOC 2 Type II report, independent security assessment, or other third-party assurance report available under NDA?
3. Where is customer data stored, processed, and backed up, including primary and disaster recovery locations?
4. Can you provide a current list of sub-processors or subcontractors that may access, host, or process our data?
5. What is your breach notification SLA, and within how many hours of confirmed or suspected compromise will you notify customers?
6. Is all customer data encrypted in transit using modern TLS and encrypted at rest using industry-standard controls?
7. Is multi-factor authentication enforced for your administrative staff, support staff, and customer admin accounts?
8. How do you manage privileged access, and do you apply least-privilege access controls for internal staff and contractors?
9. How often do you perform penetration testing, who performs it, and will you provide an executive summary of findings and remediation status?
10. Do you maintain a documented incident response plan, and has it been tested through tabletop or live exercises in the past 12 months?
11. Do you maintain central logging and monitoring capable of detecting unauthorised access, suspicious admin activity, and data exfiltration attempts?
12. What is your business continuity and disaster recovery capability, including recovery time objective (RTO) and recovery point objective (RPO)?
13. Can customer data be exported in a usable format on request, and what happens to our data at contract termination?
14. How do you secure software changes, updates, and third-party dependencies in your development and deployment pipeline?
15. What contractual security commitments will you include regarding notification, audit rights, data handling, access revocation, and secure deletion?

These questions align well with ISM themes including identity and access management, cryptographic controls, event logging, incident management, system assurance, and availability.

How to score vendors using Red, Amber, Green

A simple scoring model helps SMBs make decisions quickly without pretending every vendor needs a full enterprise audit.

Green means the vendor provides clear, specific, written evidence and mature controls. Examples include current ISO 27001 certification, documented MFA enforcement, named Australian or approved data residency options, defined breach notification timeframes, annual penetration testing, and tested recovery plans.

Amber means the vendor has partial controls, vague answers, or controls that exist but are not consistently enforced. Examples include “MFA available but not enforced”, “penetration testing performed occasionally”, or “data may be processed globally depending on service architecture”.

Red means the vendor cannot answer, refuses to share basic security information, has no incident response process, no meaningful access control, no sub-processor transparency, or no defined notification SLA.

A practical SMB scoring approach:

• Green = 2 points
• Amber = 1 point
• Red = 0 points

Decision guide:

• 25-30 points: Low relative risk. Suitable for most SMB use cases, subject to contract review.
• 18-24 points: Medium risk. Proceed only with remediation actions, stronger contract clauses, or limited data exposure.
• 0-17 points: High risk. Do not proceed unless the service is business-critical and compensating controls are in place.

Override rule: any Red on breach notification, MFA enforcement, encryption, privileged access, or business continuity should trigger legal and security review before signing.

What good answers look like in practice

The best vendor responses are short, precise, and evidence-backed. “We are ISO 27001 certified, certificate available on request” is better than “we follow best practice”. “We notify customers within 24 hours of confirmed breach” is better than “we notify promptly”.

Australian SMBs should also look for contract language that matches the questionnaire. If the sales team promises rapid notification, Australian hosting, or strong backup coverage, those commitments should appear in the agreement, statement of work, or security schedule.

For higher-risk vendors, such as managed IT providers, payroll systems, medical software, finance platforms, or any service handling sensitive customer information, ask for supporting documents. Useful evidence includes a security overview, penetration test summary, architecture diagram, data retention policy, and business continuity summary. If a vendor refuses every request, that is a risk signal in itself.

FAQ

Conclusion

Vendor risk is now a core business risk for Australian SMBs. Use this 15-question ACSC-aligned template before every new SaaS purchase, outsourced IT engagement, or major contract renewal, then score each vendor Red, Amber, or Green so decisions are consistent and defensible.

If you want help turning this checklist into a procurement template, supplier onboarding form, or contract review process, visit consult.lil.business for a free cybersecurity assessment.

References

1. ACSC Small Business Cyber Security Guide
2. ACSC Essential Eight Maturity Model
3. Australian Government Information Security Manual (ISM)
4. NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1)
5. SANS: Third-Party Risk Management Framework