Template: Vendor Assessment
Instructions
Assessment of the security maturity of service providers and suppliers under §30(2) No. 4 BSIG. To be performed before contract signing and repeated at least annually.
Vendor Master Data
| Field | Value |
|---|---|
| Vendor ID | VEN-NIS2-XXXX |
| Name | |
| Domicile / country | |
| Main contact | [Name + email] |
| Security contact | [Name + email + phone] |
| Contract type | [ ] Hosting [ ] Cloud [ ] Software supplier [ ] Support [ ] Other |
| Criticality | [Low / Medium / High / Critical] |
| Data processed | [PII / Business data / Credentials / None] |
| GDPR DPA in place | [ ] Yes [ ] No [ ] Not required |
Certificates and Evidence
| Standard | Held | Valid until | Scope |
|---|---|---|---|
| ISO/IEC 27001 | [ ] | | |
| SOC 2 Type II | [ ] | | |
| BSI C5 | [ ] | | |
| TISAX | [ ] | | |
| Other | [ ] | | |
Security Checklist
| Area | Question | Status | Evidence |
|---|---|---|---|
| Governance | Does a documented ISMS exist? | [Yes/No/N.A.] | |
| Governance | Is a CISO appointed? | [Yes/No/N.A.] | |
| Incident | Is there an incident response plan? | [Yes/No/N.A.] | |
| Incident | Is incident notification (24h) contractually guaranteed? | [Yes/No/N.A.] | |
| BCM | Is a BCM plan in place? Last test? | [Yes/No/N.A.] | |
| Supply chain | Are sub-suppliers disclosed? | [Yes/No/N.A.] | |
| Vulnerabilities | Is there a documented patch management process? | [Yes/No/N.A.] | |
| Vulnerabilities | Are CVEs actively monitored? | [Yes/No/N.A.] | |
| Training | Do employees receive regular security training? | [Yes/No/N.A.] | |
| Cryptography | Is data encrypted at rest and in transit? | [Yes/No/N.A.] | |
| Access | Is MFA enforced for administrative access? | [Yes/No/N.A.] | |
| Access | Is there a documented onboarding/offboarding process? | [Yes/No/N.A.] | |
| Audit | Are audit rights contractually guaranteed? | [Yes/No/N.A.] | |
Risk Assessment
| Aspect | Rating |
|---|---|
| Criticality for BAUER GROUP | [Low / Medium / High / Critical] |
| Vendor security maturity | [Low / Medium / High] |
| Resulting risk | [Low / Medium / High / Critical] |
| Risk treatment | [ ] Accept [ ] Contractual conditions [ ] Reject |
Contractual Requirements
| Requirement | In contract |
|---|---|
| 24h incident notification | [ ] |
| Audit right (at least annually) | [ ] |
| Sub-supplier consent obligation | [ ] |
| Data return / deletion at contract end | [ ] |
| Minimum security standards (ISO 27001 etc.) | [ ] |
| Liability for security breaches | [ ] |
Approval
| Role | Name | Date |
|---|---|---|
| Assessment by | | |
| Reviewed by (CISO) | | |
| Approved by (Procurement / Management) | | |
Notes
- Vendors rated Critical are reassessed semi-annually
- Vendors rated High are reassessed annually
- Material changes (loss of certification, incident) trigger immediate reassessment