Shieldrisk AI

Vendor Tiering: How to Classify Vendors by Risk


Introduction

Vendor tiering is the single most important early decision in a TPRM program. Get it right, and you focus scarce analyst time on the vendors that actually matter. Get it wrong, and you either rubber-stamp Critical vendors or crush Medium vendors under over-the-top questionnaires.

This guide walks through a tested 2026 tiering rubric, shows how to operationalize it, and shares a simple template you can adapt today.

What vendor tiering is (and isn't)

Tiering is a classification of inherent risk — the risk a vendor would pose in the absence of any controls. It’s not the same as the risk score (which reflects residual risk after assessment) or the vendor’s criticality to the business (which is one of several inputs).

Tiering has one job: drive the depth of everything that follows — questionnaire, evidence, contract terms, monitoring cadence, renewal trigger.

The 3-factor rubric (use this)

Score each vendor on three dimensions. Use simple scales; precision matters less than consistency.

1. Data sensitivity (1–4): Public, Internal, Confidential, Regulated (PII, PHI, PCI, financial data).
2. Access scope (1–4): None, Read, Write, Admin or otherwise privileged.
3. Business criticality (1–3): Standard, Important, Critical (revenue, safety or regulatory impact if the vendor fails).

Apply the thresholds in order. Any factor at the top of its scale (Regulated data, Admin access, or Critical to the business) makes the vendor Critical. Otherwise, two or more factors one step below the top (Confidential, Write, Important) make it High. Everything else defaults to Medium. Reserve Low for vendors that score the minimum on all three factors (Public data, no access, Standard criticality): the parking-lot operator with no data and no access.

What each tier unlocks

1. Critical — SIG Core (Standardized Information Gathering questionnaire) + CAIQ (Consensus Assessments Initiative Questionnaire) + penetration test report + financials. Continuous monitoring. Annual full reassessment. Exec-signed risk acceptance required. Contract must include audit rights, BCP test evidence, and concentration-risk disclosure.
2. High — SIG Lite + CAIQ. Continuous monitoring. Annual reassessment. Standard security schedule in the contract.
3. Medium — Internal 25–35 question baseline. Reassessment every two years. Standard DPA and security exhibit.
4. Low — 10-question attestation at onboarding and at renewal. No continuous monitoring required.

Edge cases worth calling out

1. AI model vendors — even ‘low data’ vendors can become High if your prompts leak sensitive context. Apply an AI addendum at tiering.
2. Single-source-of-truth vendors — if they’re the only provider of a capability (e.g., core banking), treat as Critical regardless of data sensitivity.
3. Fourth-party dependencies — if a Medium vendor sub-contracts a piece of your workload to a Critical-tier sub-processor, re-tier up.
4. Free-tier / trial vendors — don’t let ‘it’s free’ bypass tiering. If they touch data, they count.
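
The rubric and the four edge cases above, as an added worked example in Python. This is illustrative code written for this page, not ShieldRisk AI's engine or any other product's code. The scales, thresholds and override rules follow the article; the field names, the constructed sample vendors, and the decision to raise a vendor to its sub-processor's tier in the fourth-party case are assumptions made for the example.

```python
"""Vendor tiering rubric: inherent-risk factors -> tier, with edge-case overrides.

Illustrative code for the article's rubric. Field names, sample vendors and the
'inherit the sub-processor's tier' rule are assumptions, not the article's text.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class DataSensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    REGULATED = 4      # PII, PHI, PCI, financial


class AccessScope(IntEnum):
    NONE = 1
    READ = 2
    WRITE = 3
    ADMIN = 4          # admin or otherwise privileged access


class Criticality(IntEnum):
    STANDARD = 1
    IMPORTANT = 2
    CRITICAL = 3       # revenue, safety or regulatory impact


TIERS = ["Low", "Medium", "High", "Critical"]   # ordered lowest to highest


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data: DataSensitivity
    access: AccessScope
    criticality: Criticality
    # Edge-case inputs (assumed field names).
    ai_model_vendor: bool = False
    prompts_carry_sensitive_context: bool = False
    single_source_of_truth: bool = False
    subprocessor_tiers: tuple[str, ...] = ()      # tiers of known fourth parties
    commercial_terms: str = "paid"                # "free"/"trial" is deliberately ignored by scoring


def _top(factor: IntEnum) -> int:
    """Highest value on this factor's own scale (4, 4 or 3)."""
    return max(type(factor))


def base_tier(p: VendorProfile) -> str:
    """Apply the rubric thresholds, in order."""
    factors = (p.data, p.access, p.criticality)
    if any(f == _top(f) for f in factors):
        return "Critical"                           # any factor at its maximum
    if sum(f == _top(f) - 1 for f in factors) >= 2:
        return "High"                               # two factors one step below maximum
    if all(f == 1 for f in factors):
        return "Low"                                # no data, no access, not critical
    return "Medium"


def _at_least(tier: str, floor: str) -> str:
    """Overrides only ever raise a tier; they never lower one."""
    return TIERS[max(TIERS.index(tier), TIERS.index(floor))]


def tier_vendor(p: VendorProfile) -> tuple[str, list[str]]:
    """Base tier plus edge-case overrides; returns the tier and an audit trail."""
    tier = base_tier(p)
    reasons = [f"rubric: data={p.data.name} access={p.access.name} "
               f"criticality={p.criticality.name} -> {tier}"]
    if p.single_source_of_truth:                    # sole provider of a capability
        tier = "Critical"
        reasons.append("single-source-of-truth -> Critical regardless of data")
    if p.ai_model_vendor and p.prompts_carry_sensitive_context:
        tier = _at_least(tier, "High")              # AI addendum
        reasons.append("AI addendum: prompts carry sensitive context -> at least High")
    for sub in p.subprocessor_tiers:                # fourth-party dependencies
        if TIERS.index(sub) > TIERS.index(tier):
            tier = sub                              # assumption: inherit the sub-processor's tier
            reasons.append(f"fourth party tiered {sub} -> re-tier up to {sub}")
    # commercial_terms is never consulted: a free or trial plan does not bypass tiering.
    return tier, reasons


def retier_on_change(p: VendorProfile, **changes) -> tuple[str, str]:
    """Recalculate after an intake change (new dataset, new privilege, criticality upgrade)."""
    before, _ = tier_vendor(p)
    after, _ = tier_vendor(replace(p, **changes))
    return before, after


if __name__ == "__main__":
    # Constructed sample portfolio, not real vendors.
    portfolio = [
        VendorProfile("Parking operator", DataSensitivity.PUBLIC, AccessScope.NONE, Criticality.STANDARD),
        VendorProfile("Ticketing SaaS", DataSensitivity.INTERNAL, AccessScope.READ, Criticality.STANDARD),
        VendorProfile("Marketing CRM", DataSensitivity.CONFIDENTIAL, AccessScope.WRITE, Criticality.STANDARD),
        VendorProfile("Payroll provider", DataSensitivity.REGULATED, AccessScope.READ, Criticality.IMPORTANT),
        VendorProfile("LLM summarizer (free tier)", DataSensitivity.INTERNAL, AccessScope.READ,
                      Criticality.STANDARD, ai_model_vendor=True,
                      prompts_carry_sensitive_context=True, commercial_terms="free"),
        VendorProfile("Core banking platform", DataSensitivity.INTERNAL, AccessScope.READ,
                      Criticality.IMPORTANT, single_source_of_truth=True),
        VendorProfile("Survey tool", DataSensitivity.INTERNAL, AccessScope.READ, Criticality.STANDARD,
                      subprocessor_tiers=("Critical",)),
    ]
    for v in portfolio:
        tier, why = tier_vendor(v)
        print(f"{v.name:30} {tier:9} {'; '.join(why)}")
    print(retier_on_change(portfolio[1], data=DataSensitivity.REGULATED))
```

Running it prints the constructed portfolio with one audit-trail line per vendor, which is the record you want attached to every tier decision. Two design points worth copying: the overrides can only raise a tier, never lower it, which keeps assessment evidence from eroding inherent risk; and the commercial-terms field is stored but never read by the scoring, which is how a free tier stays unable to bypass tiering. `retier_on_change` is the hook an intake platform calls whenever a profile field changes.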

Operationalizing tiering

Tiering must be systematic, not opinion-based. Put the rubric in your platform. Every intake form feeds it. Tiers recalculate automatically on any change (new dataset, new privilege, criticality upgrade). Platforms like ShieldRisk AI apply tiering dynamically with configurable weights so the rubric can evolve with your risk appetite.

Frequently Asked Questions

Can a vendor be moved down a tier after good assessment results?

Assessment results change residual risk, not inherent risk. Don’t reduce the tier; reduce the control obligations if the evidence supports it, and record that decision explicitly.

How many tiers should a program use?

Four (Critical / High / Medium / Low) is the sweet spot. Three is too coarse for most enterprises; five or more slow decisions.

Should procurement own the tiering rubric?

No. Procurement collects inputs; the CISO organization owns the rubric and approves tier exceptions. Separation preserves risk integrity.

What triggers a re-tier?

New data type, new access grant, criticality upgrade, vendor M&A, major product change, or a regulator’s change of guidance.

Should vendors be told their tier?

No. Internal classification only. Share the resulting obligations (questionnaire, evidence, cadence) without labeling.

Ready to modernize your vendor risk program?

Use ShieldRisk AI’s dynamic tiering engine to classify every vendor automatically at intake and re-score on change. Book a demo to see it against your portfolio.