Your payroll provider has access to every employee’s bank details. Your cloud hosting provider holds the keys to your production database. Your managed IT vendor can remote into every workstation in your company.
None of them are in your risk register. None of them have a named owner inside your organisation. And the last time anyone reviewed their security posture was when someone read the marketing page during procurement.
This is not a compliance gap. It is an operations gap. And it is one that most growing companies discover on the worst possible day: during an audit, after an incident, or when a critical vendor goes dark and nobody knows what they had access to.
Suppliers are part of your security landscape now
Ten years ago, your suppliers sent you invoices and maybe a product. Today, your suppliers are inside the perimeter.
Your SaaS vendors process your customer data. Your DevOps contractor has SSH access to production. Your accounting platform holds every financial record you have. Your project management tool stores internal strategy documents that half the company has forgotten are even there.
Third-party risk — the security exposure created by organisations that provide you services or process your data — is no longer a line item in an enterprise risk framework. It is an operational reality for any company that uses more than a handful of cloud tools. Which, in 2026, means every company.
The question is not whether your suppliers introduce risk. They do. The question is whether you can see it, track it, and act on it before something forces you to.
Why this breaks in growing companies
Enterprise teams have dedicated vendor risk management programs, GRC platforms, and procurement workflows that catch third-party exposure before contracts are signed. That is a luxury most growing companies do not have.
Here is what usually happens instead.
No supplier register exists. Someone knows which vendors the company uses, but that knowledge lives in memory, email threads, and accounting records. There is no single place where a CTO or IT lead can see every supplier, what they have access to, and when the relationship was last reviewed.
Nobody owns the relationship from a security perspective. The person who signed the contract is usually not the person responsible for monitoring the vendor’s security posture. Often, no one is. The vendor was selected for features and price. Security was assumed.
Assessments happen once — during procurement — and never again. A vendor might have had a SOC 2 Type II report when you onboarded them two years ago. Is it still valid? Has their scope changed? Did they have an incident since then? Nobody checked, because there is no cadence and no trigger to check.
Criticality is invisible. Not all suppliers carry the same risk. A vendor that processes PII and has privileged network access is fundamentally different from a vendor that provides office supplies. But without a structured register, both are treated the same way: they are not treated at all.
This is not negligence. It is the natural consequence of a growing company that has not yet built the operational muscle for third-party governance. The problem is that auditors, frameworks, and attackers do not grade on a curve.
The four risk dimensions every supplier introduces
Think of your supplier landscape as four overlapping concerns. Miss any one of them, and you have a blind spot.
Access risk. Does this supplier have access to your systems, networks, or data? At what privilege level, through which path (a VPN account, an SSH key, an API token, an admin role in a SaaS tenant), and is that access removed when the engagement ends? Third-party access that nobody actively monitors is exactly the kind of entry point that sophisticated and unsophisticated attackers alike exploit, and it is usually broader than the task required.
Data exposure risk. What data does this supplier process, store, or transmit on your behalf? PII, financial records, health data, intellectual property — each category carries different regulatory obligations and different consequences if the vendor is compromised.
Dependency and continuity risk. What happens if this supplier disappears tomorrow? If you have a single-source dependency on a critical vendor with no replacement plan, that is not just a security risk. It is a business continuity risk. And unlike most security risks, this one is visible to the board.
Assurance and compliance risk. Can you demonstrate to an auditor that you are actively managing this vendor relationship? ISO 27001 controls A.5.19 through A.5.22 specifically require evidence of supplier security assessment, supplier agreements, and ongoing monitoring. SOC 2 CC9.2 requires vendor risk management. If your evidence is “we looked at their website once,” that is a finding.
Why spreadsheets collapse
The first instinct is always a spreadsheet. List the vendors, add some columns, assign some owners. It works for about three months.
Then someone leaves, and their vendor ownership assignments disappear with them. A new vendor gets added to the company but not the spreadsheet. A SOC 2 attestation expires and nobody notices because the spreadsheet does not send reminders. An auditor asks for the review history and you realise there is no history — just a static row.
Spreadsheets fail at supplier management for the same reason they fail at risk management: they are not operational tools. They do not enforce review cadence. They do not track ownership changes. They do not distinguish between a low-risk stationery supplier and a critical cloud infrastructure provider that holds your crown jewels.
A spreadsheet is a snapshot. Supplier risk is a moving picture.
What “good” looks like operationally
You do not need an enterprise vendor risk management platform. You need a structured register that does five things reliably.
1. Every supplier has an owner. Not a team. A person. Someone whose name is on the record, who is accountable for knowing whether the vendor’s security posture is current, and who will be asked when the auditor arrives.
2. Criticality and dependency type are explicit. A critical supplier with single-source dependency and privileged access is fundamentally different from a medium-risk vendor that provides a replaceable commodity service. Your register should make that difference visible at a glance, not buried in a notes column.
3. Data exposure is classified. Does this vendor handle PII? Financial data? Health records? That classification drives your obligations, your audit evidence requirements, and your response plan if the vendor has an incident.
4. Review cadence is enforced, not hoped for. A review date that exists only as a cell value in a spreadsheet is a wish. A review date that creates an overdue flag, surfaces in a dashboard, and shows up in a filtered view — that is a cadence. The difference matters when you have 30 suppliers and a three-person team.
5. Evidence is captured continuously. Every review, every updated attestation, every ownership change becomes part of the audit trail. When the auditor asks “show me your supplier management process,” you open the register. You do not scramble to reconstruct it from memory and email.
This is not theoretical. It is the practical baseline that ISO 27001 expects and that SOC 2 auditors will probe. The companies that have it spend ten minutes preparing for that audit question. The companies that do not spend ten hours.
A quick operational checklist
If you want to assess your current supplier posture in under thirty minutes, answer these questions:
- Can you list every supplier that has access to your systems or data right now?
- Does each supplier have a named security owner inside your organisation?
- Do you know which suppliers handle PII, financial data, or other sensitive information?
- When was the last time you reviewed the security posture of your top five suppliers?
- Can you show an auditor evidence of that review?
- Which supplier attestations or certifications have expired since you last checked?
- If your most critical vendor went offline today, do you have a documented continuity plan?
If more than two of those questions make you uncomfortable, you have a supplier visibility gap. The good news is that it is fixable. The bad news is that it does not fix itself.
The leadership question
Every security operations concern eventually becomes a leadership question. For suppliers, it is this:
Which critical suppliers are overdue for review right now?
If your CTO, IT lead, or vCISO cannot answer that question in under sixty seconds, supplier risk is not being managed. It is being ignored with good intentions.
The fix is not more process documents. It is a structured register with ownership, criticality, review cadence, and evidence — the same operational discipline you would apply to any other part of your security program.
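As an added illustration of what that register has to do (example code written for this page, not AutoCISO's Supplier Register and not part of the original article), the Python below models the five properties: a named owner, criticality escalated by the three signals the article names (privileged access, sensitive data, single-source dependency), data classification, a review cadence derived from criticality that produces overdue flags, and an append-only evidence trail. It also answers the leadership question directly. The cadence figures follow the FAQ below (critical quarterly, medium annually); the "low" tier and its two-year interval, the field names, the fixed reference date and the four sample suppliers are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence per criticality. Critical = quarterly and medium = annual follow the
# article's FAQ; the "low" tier and its two-year interval are assumptions for the example.
REVIEW_INTERVAL_DAYS = {"critical": 90, "medium": 365, "low": 730}

# Data classes that escalate a supplier to critical regardless of its declared rating.
SENSITIVE_DATA = {"pii", "financial", "health"}

# Fixed reference date so the example is reproducible offline (assumption).
TODAY = date(2026, 3, 1)


@dataclass
class Supplier:
    name: str
    criticality: str                      # rating assigned at onboarding
    access: str                           # "privileged", "standard" or "none"
    dependency: str                       # "single-source" or "replaceable"
    data_classes: frozenset[str] = frozenset()
    owner: str | None = None              # a named person, never a team
    attestation: str | None = None        # e.g. "SOC 2 Type II"
    attestation_expires: date | None = None
    last_reviewed: date | None = None
    history: list[str] = field(default_factory=list)   # append-only evidence trail

    def effective_criticality(self) -> str:
        """Escalate to critical on privileged access, sensitive data or single-source dependency."""
        if (self.access == "privileged"
                or self.data_classes & SENSITIVE_DATA
                or self.dependency == "single-source"):
            return "critical"
        return self.criticality

    def next_review_due(self) -> date | None:
        """None means the supplier has never been reviewed, which always counts as overdue."""
        if self.last_reviewed is None:
            return None
        interval = REVIEW_INTERVAL_DAYS[self.effective_criticality()]
        return self.last_reviewed + timedelta(days=interval)

    def findings(self, today: date) -> list[str]:
        """The flags a dashboard (or an auditor) would raise for this supplier today."""
        flags: list[str] = []
        if not self.owner:
            flags.append("no named owner")
        due = self.next_review_due()
        if due is None:
            flags.append("never reviewed")
        elif due < today:
            flags.append(f"review overdue by {(today - due).days} days")
        if self.attestation and self.attestation_expires and self.attestation_expires < today:
            flags.append(f"{self.attestation} expired {self.attestation_expires.isoformat()}")
        if self.effective_criticality() != self.criticality:
            flags.append(f"rated {self.criticality} but effectively critical")
        return flags

    def record_review(self, today: date, reviewer: str, note: str) -> str:
        """Capture evidence and reset the cadence clock; history is never overwritten."""
        entry = f"{today.isoformat()} review by {reviewer}: {note}"
        self.history.append(entry)
        self.last_reviewed = today
        return entry


def overdue_critical(register: list[Supplier], today: date) -> list[str]:
    """The leadership question: which critical suppliers are overdue for review right now?"""
    names = []
    for s in register:
        if s.effective_criticality() != "critical":
            continue
        due = s.next_review_due()
        if due is None or due < today:
            names.append(s.name)
    return sorted(names)


def build_sample_register() -> list[Supplier]:
    """Constructed sample data for the example; these are not real vendors."""
    return [
        Supplier("PayrollCo", "critical", "standard", "single-source",
                 frozenset({"pii", "financial"}), owner="A. Lee",
                 attestation="SOC 2 Type II", attestation_expires=date(2025, 11, 30),
                 last_reviewed=date(2025, 9, 1)),
        Supplier("CloudHost", "critical", "privileged", "single-source",
                 frozenset({"pii"}), owner="B. Ortiz",
                 attestation="ISO 27001", attestation_expires=date(2026, 8, 31),
                 last_reviewed=date(2026, 1, 15)),
        # Rated medium at procurement, but holds SSH access to production and nobody owns it.
        Supplier("DevOpsContractor", "medium", "privileged", "replaceable",
                 frozenset(), owner=None, last_reviewed=None),
        Supplier("StationeryLtd", "low", "none", "replaceable",
                 frozenset(), owner="C. Nair", last_reviewed=date(2024, 6, 1)),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for supplier in register:
        print(f"{supplier.name:18} {supplier.effective_criticality():9} {supplier.findings(TODAY)}")
    print("Overdue critical suppliers:", overdue_critical(register, TODAY))
```

Two design points matter more than the schema. First, criticality is computed from the access, data and dependency facts rather than trusted from the rating given at procurement, so a contractor onboarded as "medium" with production SSH access surfaces as critical without anyone remembering to re-rate them. Second, recording a review appends to the history and resets the cadence clock but leaves the expired attestation flag in place, because reviewing a vendor and receiving their renewed report are separate pieces of evidence.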
AutoCISO now includes a Supplier Register built for exactly this. Track suppliers with named owners, criticality ratings, dependency types, data exposure classifications, certification status, and enforced review cadence — all mapped to ISO 27001 A.5.19 and SOC 2 CC9.2 requirements. No enterprise procurement workflow required.
See how the Supplier Register works →
FAQ
What is a supplier register in ISO 27001?
A supplier register is a structured record of all third-party organisations that provide services, process data, or have access to your systems. ISO 27001:2022 control A.5.19 requires organisations to define and implement processes for managing the information security risks of supplier products and services; a maintained register, with owners and review dates, is the standard way to demonstrate that those processes exist and are operating.
Do I need a supplier register for SOC 2?
In practice, yes. SOC 2 Trust Services Criteria CC9.2 requires organisations to assess and manage risks associated with vendors and business partners. It does not prescribe a register by name, but a supplier register is the foundational evidence that this process exists and is being followed.
What is the difference between a supplier and a vendor?
In compliance contexts, the terms are often used interchangeably. A supplier is any third-party organisation that provides products or services to your business. A vendor typically refers to a product or software provider specifically. AutoCISO uses “supplier” as the broader governance term that covers SaaS vendors, managed service providers, consultants, and infrastructure providers.
How often should I review supplier security?
Review cadence depends on criticality. Critical suppliers — those with privileged access, PII processing, or single-source dependency — should be reviewed quarterly or semi-annually. Medium-risk suppliers can be reviewed annually. Scheduled reviews should also be supplemented by event-driven ones: a vendor incident, an expired attestation, or a change in the scope of what the vendor accesses should each trigger a review outside the normal cycle. The key is that a cadence exists, is enforced, and produces evidence.
What is a ghost supplier?
A ghost supplier is a vendor relationship that remains active — with access, data flow, or financial commitment — after the business need has ended or the security posture has changed. Ghost suppliers are the third-party equivalent of ghost accounts: they persist because nobody is watching.