TL;DR

Australian SMBs are in the blast radius of supply chain attacks that compromised billions of downloads in 2025–2026 alone. This 15-question vendor risk assessment template, aligned to the ASD/ACSC Information Security Manual (ISM), gives you a Red/Amber/Green scoring framework you can send to any SaaS or outsourced IT vendor before you sign a contract. No cybersecurity expertise required.

Why Vendor Risk Assessment Matters Now

Between September 2025 and April 2026, supply chain attacks hit unprecedented scale. The Axios npm compromise in March 2026 pushed a remote access trojan through a library with over 100 million weekly downloads [1]. The Chalk/Debug campaign compromised 27+ packages with a combined 2.6 billion weekly downloads, using stolen maintainer credentials to inject a crypto wallet drainer [2]. The TeamPCP campaign moved across npm, PyPI, and Docker Hub simultaneously, weaponising trusted tools like Trivy and Checkmarx KICS to steal credentials from CI/CD pipelines [3].

For Australian SMBs, the lesson is blunt: your security is only as strong as your weakest vendor. The ACSC's Essential Eight and the broader ISM make clear that third-party risk management is not optional — it is a core security control [4].

The 15-Question Vendor Risk Assessment

Send this questionnaire to any vendor before contract signature. Score each answer using the Red/Amber/Green framework below.

ISM Principle: Controls 0403, 0404, and 0405 require organisations to identify and manage risks from external service providers, including assessing their security posture and ensuring contractual security obligations are defined.

Section A: Security Certification and Governance

1. Do you hold a current ISO 27001 certification?

  • GREEN: Certified, certificate available on request, scope covers the services we would use
  • AMBER: Certification in progress or covers only part of the relevant scope
  • RED: No certification and no plans to obtain one

2. Do you have a current SOC 2 Type II report?

  • GREEN: Type II report available, independently audited within the last 12 months
  • AMBER: Type I only, or Type II older than 12 months
  • RED: No SOC 2 report available

3. Can you provide a complete list of sub-processors who access our data?

  • GREEN: Full sub-processor list published and maintained, advance notice given before changes
  • AMBER: List available on request but not proactively updated
  • RED: Cannot or will not disclose sub-processors

ISM Principle: Control 0405 — organisations must understand where their data flows, including through third-party and fourth-party processors.

Section B: Data Protection and Residency

4. Where will our data be stored and processed? Can you guarantee Australian or at least APAC-region data residency?

  • GREEN: Data stored in Australia or APAC with contractual guarantee and no transfers outside region without written consent
  • AMBER: Data stored in APAC but may be replicated to other regions for redundancy
  • RED: Data may be stored or processed anywhere globally with no regional guarantee

5. What encryption do you apply to data in transit and at rest?

  • GREEN: TLS 1.2+ in transit, AES-256 (or equivalent) at rest, encryption keys managed separately from data
  • AMBER: Encryption used but specifics not documented, or older TLS versions accepted
  • RED: No clear encryption policy or unencrypted storage acknowledged

6. What is your data retention and deletion policy when a customer offboards?

  • GREEN: Documented deletion within 30 days of contract termination, certified deletion available
  • AMBER: Deletion within 90 days, but no certification offered
  • RED: No documented retention or deletion policy

ISM Principle: Controls 0401, 0402 — data must be protected at rest and in transit using approved cryptographic algorithms.

Section C: Access Control

7. Do you enforce multi-factor authentication (MFA) for all administrative and privileged access to customer environments?

  • GREEN: MFA enforced for all privileged access, phishing-resistant MFA (FIDO2/hardware keys) available
  • AMBER: MFA enforced for admin access but not all privileged roles, or SMS-based MFA accepted
  • RED: MFA not enforced or only optional

8. Do you support role-based access control (RBAC) and can we define custom permission levels?

  • GREEN: Granular RBAC with custom roles, principle of least privilege enforced by default
  • AMBER: Basic RBAC with predefined roles only
  • RED: All-or-nothing access, no role differentiation

9. Can you provide audit logs of access to our data, and can we integrate those logs into our own SIEM or monitoring?

  • GREEN: Comprehensive audit logs with API-based export, tamper-evident logging
  • AMBER: Basic audit logs available in the platform UI but no export API
  • RED: No audit logging or logs not available to customers

ISM Principle: Controls 0641, 0642 — MFA is required for all privileged access and all remote access. The Essential Eight lists MFA as a mandatory control.

Section D: Incident Response and Continuity

10. What is your breach notification SLA? Will you notify us within 72 hours of discovering a breach affecting our data?

  • GREEN: Contractual commitment to notify within 72 hours (or less), 24/7 incident response team
  • AMBER: Notification within 72 hours but not contractually guaranteed, or notification within 7 business days
  • RED: No defined breach notification SLA or refusal to commit in writing

11. What is your incident response capability? Can you describe your process and provide evidence of regular testing?

  • GREEN: Documented IR plan, dedicated team, tabletop exercises conducted at least annually, post-incident reviews shared
  • AMBER: IR plan exists but testing is irregular or not documented
  • RED: No formal incident response plan

12. Do you have a documented business continuity and disaster recovery plan? What is your Recovery Time Objective (RTO)?

  • GREEN: Documented BCP/DRP with RTO under 4 hours, tested at least annually, results available
  • AMBER: BCP/DRP exists but RTO exceeds 24 hours or testing is irregular
  • RED: No documented business continuity plan

ISM Principle: Controls 0671–0674 — organisations must have and test incident response plans, and notify affected parties promptly.

Section E: Technical Security

13. How often do you conduct penetration testing, and can you share a summary of findings?

  • GREEN: Annual penetration testing by an independent third party, executive summary available to customers
  • AMBER: Penetration testing conducted but not annually, or only internal testing
  • RED: No penetration testing or refusal to discuss

14. Do you run a vulnerability management program with defined patching SLAs for critical, high, and medium vulnerabilities?

  • GREEN: Documented patching SLAs (critical: 48 hours, high: 2 weeks, medium: 30 days), evidence of compliance
  • AMBER: Patching occurs but no defined SLAs or SLAs exceed industry norms
  • RED: No formal vulnerability management program

15. How do you protect against supply chain compromise in your own dependencies and build pipeline?

  • GREEN: Dependency scanning, pinned versions, signed builds, SBOM available, CI/CD pipeline hardened
  • AMBER: Some dependency scanning but no signed builds or SBOM
  • RED: No supply chain security measures or awareness of the risk

ISM Principle: Controls 0406, 0407 — software and services must be assessed for supply chain risks, and integrity verification mechanisms must be in place.

How to Score and Decide

Add up the results. For a vendor you are trusting with sensitive data:

  • All GREEN or mostly GREEN with 1–2 AMBER: Proceed with standard contractual protections
  • 3+ AMBER or any RED in Section B (data protection) or Section D (incident response): Require a remediation plan before signing
  • 2+ RED in any section: Do not proceed. Find an alternative vendor
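As an added illustration (not code from the original article), the scoring rules above as a small Python function. The section-to-question mapping follows the questionnaire, a declined answer is scored RED as the FAQ recommends, and the handling of a single RED outside Sections B and D is an assumption of this example, since the article does not define that case.

```python
"""Scoring helper for the 15-question Red/Amber/Green vendor questionnaire."""
from collections import Counter

# Question numbers per section, as laid out in the questionnaire above.
SECTIONS = {
    "A": (1, 2, 3), "B": (4, 5, 6), "C": (7, 8, 9),
    "D": (10, 11, 12), "E": (13, 14, 15),
}
RATINGS = {"GREEN", "AMBER", "RED"}


def score_vendor(answers):
    """answers: {question_number: 'GREEN'|'AMBER'|'RED'|None}. None means the
    vendor declined to answer, which the FAQ scores as RED by default.
    Returns (decision, reasons). Rules run strictest first, so a vendor that
    fails the 'do not proceed' test can never receive a softer outcome."""
    if set(answers) != set(range(1, 16)):
        raise ValueError("all 15 questions must be present")
    rated = {q: ("RED" if r is None else r) for q, r in answers.items()}
    bad = {q: r for q, r in rated.items() if r not in RATINGS}
    if bad:
        raise ValueError(f"invalid ratings: {bad}")
    total = Counter(rated.values())
    reasons = []
    # Rule 1: 2+ RED within any single section -> do not proceed.
    for name, qs in SECTIONS.items():
        reds = [q for q in qs if rated[q] == "RED"]
        if len(reds) >= 2:
            reasons.append(f"{len(reds)} RED in Section {name} (Q{reds})")
    if reasons:
        return "DO_NOT_PROCEED", reasons
    # Rule 2: 3+ AMBER overall, or any RED in Section B or D -> remediation plan.
    if total["AMBER"] >= 3:
        reasons.append(f"{total['AMBER']} AMBER answers")
    for name in ("B", "D"):
        reds = [q for q in SECTIONS[name] if rated[q] == "RED"]
        if reds:
            reasons.append(f"RED in Section {name} (Q{reds})")
    if reasons:
        return "REMEDIATION_REQUIRED", reasons
    # Rule 3: no RED and at most 2 AMBER -> proceed with standard contract terms.
    if total["RED"] == 0:
        return "PROCEED", [f"{total['AMBER']} AMBER, no RED"]
    # Not covered by the article's rules: a single RED in Section A, C or E.
    # Assumption made in this example: treat it conservatively as remediation.
    reds = [q for q, r in rated.items() if r == "RED"]
    return "REMEDIATION_REQUIRED", [f"RED outside Section B/D (Q{reds}); conservative default"]
```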

Document every assessment. The ACSC expects evidence of due diligence, not just good intentions.

FAQ

Is this checklist enough on its own, or do we need a formal third-party risk policy?

This checklist is a starting point. For organisations subject to the Privacy Act 1988 or handling sensitive data, a formal third-party risk management policy aligned to the ISM is recommended. Use this checklist as the screening tool; build the policy around it.

What if a vendor refuses to answer some questions?

A refusal to answer is a RED by default. Vendors handling Australian data should be transparent about their security posture. If a vendor cannot answer basic questions about encryption, MFA, or breach notification, that tells you everything you need to know.

Do we need to reassess existing vendors?

Yes. Vendor risk is not a one-time exercise. Reassess critical vendors annually and whenever there is a material change — a merger, a data centre migration, a public breach, or a significant change in the services they provide to you.

How does this align with the ACSC Essential Eight?

Questions 5 (encryption), 7 (MFA), 8 (RBAC), and 14 (patching) directly map to Essential Eight controls. The broader checklist aligns to the ISM's supply chain and outsourcing sections. Both frameworks expect organisations to extend their security requirements to third parties.

Conclusion

Supply chain attacks in 2025–2026 proved that trusting a vendor without verification is a security decision in itself. The Axios compromise, the Chalk/Debug drainer, and the TeamPCP campaign all exploited the same gap: organisations that assumed their vendors were secure without checking. Australian SMBs cannot afford that assumption.

Send these 15 questions before you sign. Score honestly. Walk away from vendors that will not or cannot answer. Your customers, your reputation, and your compliance obligations depend on it.

Visit consult.lil.business for a free cybersecurity assessment and hands-on help building a vendor risk management program tailored to your business.

References

  1. Software Supply Chain Attacks 2025–2026: Axios, Shai-Hulud, Chalk/Debug, TeamPCP — Cyber Army Security Research
  2. No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian Blog
  3. The npm Threat Landscape: Attack Surface and Mitigations — Palo Alto Unit 42
  4. ASD/ACSC Information Security Manual (ISM) — Australian Signals Directorate
