Vendor Risk Management for SMBs: The 20-Question Baseline
Jeff Sowell · 2026-04-21 · Risk Management
A practical vendor risk management baseline for SMBs — 20 questions across 5 categories that surface real risk without the enterprise-TPRM apparatus. The minimum viable program that still satisfies auditors and insurers.
Why SMB vendor risk management is its own problem
If you work in security for a 50-to-500-person company, you've probably been handed a vendor risk questionnaire template that looks like it was built for a Fortune 100 bank: 300 questions, an inherent-vs-residual-risk scoring matrix, a "vendor governance committee" that meets monthly. You've filled it out twice, abandoned it, and gone back to running vendor due diligence out of a Google Doc.
The problem isn't that vendor risk management doesn't matter at your size — it does, and breach trends make clear that third-party compromise is how most small companies get hit. The problem is that the frameworks available were designed for organizations with a dedicated third-party risk management (TPRM) team. When you have one person covering all of security, the 300-question CAIQ-lite is the wrong tool for the wrong scale.
This is a baseline that works at SMB scale: 20 questions across 5 categories. Short enough that a practitioner can actually run it, sharp enough that it surfaces the risk that matters, defensible enough that auditors, cyber insurance carriers, and customers accept it as a real program.
The five categories that actually matter
Most enterprise TPRM questionnaires bury the signal in volume. Strip the noise and every vendor risk question belongs in one of five buckets.
1. Identity and access. Whose identity system touches yours? How do they protect it? If a vendor's employee gets phished and logs into your environment, you're compromised.
2. Data protection. How does the vendor handle your data at rest, in transit, and at end-of-life? Who do they share it with (subprocessors)? Where does it live geographically?
3. Security program maturity. Do they have one? How do you know? Third-party validation (SOC 2, ISO 27001) is a faster path than trying to audit them yourself.
4. Incident response. When something goes wrong, how fast do they tell you? How do they handle it? Have they had incidents you'd want to know about?
5. Business and legal controls. The "kill switch" category — contract terms that let you exit cleanly, audit their controls, and have someone underwrite the residual risk.
Four questions per category. Twenty questions total. That's the program.
The 20 questions
Identity & access (questions 1-4)
Q1. Is all access to our data behind SSO + MFA? This applies to the vendor's employees AND to any service accounts that authenticate to your tenant. The answer should be "yes, with enforcement," not "yes, most users." If they rely on password-only access anywhere, that's a material gap.
Q2. How do they handle privileged access? Is there a PAM solution? How are admin credentials rotated? Are privileged sessions logged? "Shared in a password manager" as the answer to any of these is a red flag.
Q3. How frequently do they conduct access reviews, and what was the last one's outcome? Quarterly minimum, with evidence. Ask for the last review's revocation count — vendors who actually do access reviews can produce the number; vendors w