TL;DR

Your business relies on SaaS tools and outsourced IT — but every vendor you onboard is a potential supply chain attack vector. 2026 has already seen Axios (100M+ weekly downloads), LiteLLM, and TeamPCP campaigns expose thousands of organisations through compromised third-party software. This ACSC-aligned 15-question vendor risk assessment template gives Australian SMBs a practical Red/Amber/Green scoring framework grounded in ASD/ACSC Information Security Manual (ISM) principles — send it to any vendor before signing, and you'll know exactly where their security posture stands.

Why Vendor Risk Assessment Is No Longer Optional

In March 2026, attackers compromised Axios — a JavaScript HTTP library with over 100 million weekly downloads — and published versions containing a cross-platform remote access trojan. Weeks later, the TeamPCP campaign cascaded through npm, PyPI, Docker Hub, and GitHub Actions, harvesting credentials at each stage to fund the next compromise. The common thread? Every victim trusted a vendor. Every breach started with a third party.

For Australian SMBs, the regulatory reality is equally stark. The ASD/ACSC Essential Eight Maturity Level Two explicitly requires third-party risk management. The ISM's Guidelines for Outsourcing (ISM-1788) mandate that organisations assess the security posture of external providers before granting access to systems or data. If you're not assessing vendors, you're accepting risk you cannot measure — and under the Notifiable Data Breaches scheme, "our vendor got hacked" is not a defence.

The solution is not expensive third-party risk platforms. It's a structured assessment you can send today.

The 15-Question ACSC-Aligned Vendor Assessment

Send this questionnaire to any SaaS provider, outsourced IT vendor, or cloud platform before contract signature. Each question maps to an ISM control or Essential Eight principle. Score Red (fail), Amber (partial compliance), or Green (fully compliant).

Section A: Governance & Certification

1. Do you hold a current ISO 27001 certification? ISM-1788 alignment: Outsourced service provider security posture.
Green: Current certificate covering the services we'll consume.
Amber: Certification in progress with target date within 6 months.
Red: No certification, no plan.

2. Can you provide a SOC 2 Type II report dated within the last 12 months? Relevant for vendors handling your data. A SOC 2 report demonstrates tested operational controls — not just a point-in-time snapshot.
Green: Report provided, clean opinion.
Amber: SOC 2 Type I only (controls assessed for design at a point in time, not tested for operating effectiveness).
Red: No SOC report available.

3. Do you maintain a published sub-processor list with notification obligations? TeamPCP exploited downstream dependencies. If a vendor cannot tell you who their vendors are, you cannot assess your actual supply chain risk.
Green: Public sub-processor list with 30-day change notification.
Amber: List available on request only.
Red: No sub-processor tracking.

Section B: Data Protection

4. Is all Australian customer data stored and processed exclusively within Australia? ISM-0071: Data sovereignty and geographic location requirements.
Green: All data at rest and in transit stays in Australian data centres.
Amber: Data in Australia; support may access from offshore.
Red: Data stored offshore with no Australian option.

5. Is encryption (AES-256 or equivalent) enforced for all data at rest? ISM-1167: Cryptographic systems for data at rest.
Green: AES-256, keys managed in HSM or cloud KMS.
Amber: Encryption enabled but customer-managed keys not supported.
Red: No encryption at rest.

6. Is TLS 1.2 or higher enforced for all data in transit? ISM-1139: Encryption for data in transit.
Green: TLS 1.3 minimum, HSTS preloaded, certificate pinning.
Amber: TLS 1.2 supported but 1.3 optional.
Red: Older protocols accepted.

Section C: Access & Authentication

7. Is multi-factor authentication (MFA) enforced for all user accounts — including administrative, API, and service accounts? Essential Eight Maturity Level Two: MFA for all privileged access. The LiteLLM compromise in March 2026 was enabled by a CI/CD credential that was not protected by MFA, for a package with millions of daily downloads.
Green: Phishing-resistant MFA enforced universally.
Amber: MFA for user accounts but not service/API accounts.
Red: MFA optional or absent.

8. Do you support SAML, OIDC, or SCIM for customer-managed identity and access? ISM-1401: Centralised identity management for external services.
Green: SAML/OIDC with SCIM provisioning supported.
Amber: SAML only, no automated provisioning.
Red: Vendor-managed credentials only.

9. Do you enforce least-privilege access with quarterly access reviews? ISM-0445: Principle of least privilege.
Green: Documented RBAC with automated quarterly reviews.
Amber: Manual annual reviews.
Red: No formal access review process.

Section D: Security Operations

10. Do you conduct independent penetration testing at least annually? ISM-1345: Vulnerability assessment and penetration testing.
Green: Annual independent pentest covering our use case.
Amber: Internal testing only, or results older than 12 months.
Red: No penetration testing program.

11. What is your contractual breach notification SLA? Notifiable Data Breaches scheme requires notification to the OAIC within 30 days. Your vendor's SLA must enable you to meet this.
Green: 24-hour notification of confirmed breach.
Amber: 72-hour notification.
Red: No defined SLA or exceeds 7 days.

12. Do you maintain a documented and tested incident response plan? ISM-0145: Cyber security incident response plan.
Green: Documented plan, tabletop-tested within 6 months.
Amber: Plan exists, not tested or tested > 12 months ago.
Red: No documented IR plan.

13. Do you have a business continuity plan with a recovery time objective (RTO) under 24 hours? ISM-1619: Business continuity and disaster recovery.
Green: Documented BCP, RTO < 4 hours, tested annually.
Amber: BCP exists, RTO 24–72 hours.
Red: No BCP or RTO.

14. What is your software patching cadence for critical vulnerabilities? Essential Eight: Patch operating systems within 48 hours, applications within 2 weeks.
Green: Critical CVEs patched within 48 hours.
Amber: Critical patches within 7 days.
Red: Best-effort, no SLA.

15. Do you maintain cyber insurance covering third-party liability and data breach response? Provides financial assurance if the vendor's breach becomes your problem.
Green: Policy with AUD 5M+ coverage, third-party liability included.
Amber: Insurance exists, coverage or jurisdiction unclear.
Red: No cyber insurance.

How to Score and Act on Results

Add up your Reds, Ambers, and Greens. Maximum score: 15 Green. Apply this decision framework:

  • 13–15 Green, 0 Red: Proceed. Strong security posture aligned with ISM expectations.
  • 10–12 Green, ≤ 2 Red: Proceed with conditions. Require a remediation plan with dates before contract signature.
  • 7–9 Green, 3–5 Red: Escalate. Involve your security advisor. Demand contractual security schedules.
  • < 7 Green or > 5 Red: Reject. The risk exceeds what an SMB can absorb.

Always verify — don't accept answers at face value. Request evidence for any Green claim: the SOC 2 report, the pentest summary, the certificate. TeamPCP exploited the fact that nobody checks.
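The tally, the decision bands above, and the "evidence for every Green claim" rule, as an added worked example (not code from the original article). It assumes a simple answer format of (rating, evidence supplied) per question, treats an unanswered or refused question as Red, as the FAQ suggests, and, where a tally falls between the published bands (for example 12 Green with 3 Red), takes the more cautious verdict; that last choice is an assumption, not something the article states.

```python
"""Score a completed 15-question vendor assessment and apply the decision bands."""
from collections import Counter

RED, AMBER, GREEN = "Red", "Amber", "Green"


def decide(green: int, red: int) -> str:
    """Apply the article's bands; each axis is checked and the worst verdict wins.
    Assumption: combinations the bands do not name get the more cautious result."""
    if green < 7 or red > 5:
        return "Reject"
    if green <= 9 or red >= 3:
        return "Escalate"
    if green <= 12 or red >= 1:
        return "Proceed with conditions"
    return "Proceed"


def score(answers: dict) -> dict:
    """answers maps question number (1-15) to (rating, evidence_supplied).
    A missing question is scored Red; a Green claim with no evidence is flagged."""
    tally = Counter()
    unverified, remediation = [], []
    for q in range(1, 16):
        rating, evidence = answers.get(q, (RED, False))
        if rating not in (RED, AMBER, GREEN):
            raise ValueError(f"question {q}: unknown rating {rating!r}")
        tally[rating] += 1
        if rating == GREEN and not evidence:
            unverified.append(q)      # ask for the report / certificate / summary
        if rating == RED:
            remediation.append(q)     # needs a dated remediation plan or a contract schedule
    return {
        "green": tally[GREEN], "amber": tally[AMBER], "red": tally[RED],
        "decision": decide(tally[GREEN], tally[RED]),
        "evidence_required": unverified,
        "remediation_required": remediation,
    }


# Constructed sample vendor: data in Sydney with offshore support (Q4 Amber),
# no SCIM (Q8 Amber), no cyber insurance (Q15 Red), Q3 left unanswered (Red).
SAMPLE = {
    1: (GREEN, True), 2: (GREEN, True), 4: (AMBER, True), 5: (GREEN, False),
    6: (GREEN, True), 7: (GREEN, True), 8: (AMBER, True), 9: (GREEN, True),
    10: (GREEN, False), 11: (GREEN, True), 12: (GREEN, True), 13: (GREEN, True),
    14: (GREEN, True), 15: (RED, False),
}

if __name__ == "__main__":
    print(score(SAMPLE))
```

The sample vendor lands on "Proceed with conditions" (11 Green, 2 Amber, 2 Red) with evidence still owed for questions 5 and 10 and remediation dates needed for questions 3 and 15.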

FAQ

Q: We're a 15-person business. Won't vendors ignore our questionnaire? A: You'd be surprised. The SaaS market is saturated — vendors compete for your business. If a vendor refuses a reasonable security assessment, that refusal is itself a Red response. The ACSC explicitly states that security requirements should be proportionate to risk, not organisation size.

Q: How often should we re-assess existing vendors? A: Annually at minimum, and upon any contract renewal or significant service change. A vendor that scored Green in 2025 may have been acquired, changed sub-processors, or suffered an unreported breach by 2026. Schedule re-assessment into your annual compliance calendar.

Q: Does the Essential Eight cover vendor risk? A: Indirectly, yes. Maturity Level Two requires application control, patching, and MFA across all systems — including those managed by third parties. If your outsourced IT provider cannot demonstrate Essential Eight alignment, you cannot claim it yourself.

Q: What if our CRM vendor stores data in Sydney but support is in Manila? A: This is a common scenario and typically scores Amber on question 4. The key is transparency: you must know, and you must document the residual risk in your risk register. The ISM does not blanket-ban offshore access — it requires informed acceptance.

Conclusion

Your next SaaS contract could be the one that introduces a supply chain compromise into your business. The Axios RAT, LiteLLM credential harvester, and TeamPCP worm didn't target enterprises — they targeted everyone who installed the package. Australian SMBs are not too small to be caught in the blast radius; they are, in fact, the blast radius.

Download this questionnaire, send it to every vendor on your renewal list, and make it a gate before any new contract. Security is not about never being breached — it's about knowing what you're trusting and why.

Need help assessing your current vendors or building a full third-party risk management program? Visit consult.lil.business for a free 30-minute cybersecurity assessment.

References

  1. ASD/ACSC Information Security Manual (ISM) — Guidelines for Outsourcing
  2. ASD/ACSC Essential Eight Maturity Model
  3. GitHub Advisory Database — Axios npm RAT (GHSA-xxxx, March 2026)
  4. GitGuardian — No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours (April 2026)
  5. OAIC — Notifiable Data Breaches Scheme
