Free Tool

Third-Party Risk Management Assessment Tool

Structured vendor security assessment across 8 domains with 42 questions mapped to NIST CSF 2.0, SOC 2, and ISO 27001. Real-time risk scoring, evidence tracking, and exportable results. No signup, no install, no data leaves your browser.

This is a free, browser-based vendor assessment. Looking for full TPRM program management? Our Premium Toolkits include vendor inventory dashboards, framework toggle filtering, tiered questionnaires, and executive reporting.


What's Included

Everything You Need

8 Assessment Domains

42 questions covering governance, data protection, access control, technical security, incident response, business continuity, compliance, and contractual protections.

Real-Time Scoring

Four-tier maturity scoring with automatic domain averages, overall risk rating, and findings counter updated as you assess.

Framework Mappings

Every question mapped to NIST CSF 2.0 subcategories, SOC 2 Trust Services Criteria, and ISO 27001:2022 Annex A controls.

Built-In Guidance

Toggle evaluation criteria for each question, showing what evidence to request and how to assess vendor responses.

Save & Export

Save progress as JSON to continue later. Export full results with scoring summary to CSV for stakeholder reporting.

Works Offline

Runs entirely in your browser. No server connection, no data collection. Your vendor assessment stays on your device.

Coverage

Assessment Domains

Each domain contains targeted questions with evaluation guidance and framework mappings, organized into logical categories for efficient assessment.

GOV Governance & Organization
DATA Data Protection & Privacy
IAM Access Control & Identity
TECH Technical Security
IR Incident Response
BCP Business Continuity
AUD Compliance & Audit
SLA Contractual & Service Agreements

Methodology

Maturity Scoring Model

Each question is scored on a four-tier maturity scale. Scores roll up to domain averages and an overall vendor risk rating.

Score  Level                  Description
1      Not Implemented        Control does not exist or is not operational in the vendor environment
2      Partially Implemented  Control exists but is incomplete, inconsistent, or not fully deployed
3      Largely Implemented    Control is implemented with minor gaps or areas for improvement
4      Fully Implemented      Control is fully operational, documented, monitored, and regularly reviewed

The vendor risk rating is derived from the overall average score, expressed as a percentage: 75% and above = Low, 50-74% = Moderate, 25-49% = High, below 25% = Critical.
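The roll-up above is easy to reproduce outside the browser, for instance to re-check an exported assessment or to batch-score several vendors. The following is an added worked example, not the tool's own code. It assumes things the page does not state: a domain or overall percentage is the mean 1-4 score divided by 4 (so all "Fully Implemented" is 100%), an unanswered question counts as 0 (the only way an average can fall into the Critical band), a "finding" is any answered question scored 1 or 2, and the answer records use a hypothetical `{"id", "domain", "score"}` shape rather than the tool's actual JSON layout. The sample answers are constructed.

```python
"""Score roll-up for the four-tier maturity model (added worked example; not the tool's code)."""
from statistics import mean
from typing import Optional

MAX_SCORE = 4  # "Fully Implemented"


def risk_rating(pct: float) -> str:
    """Map a 0-100 percentage to the page's four risk bands."""
    if pct >= 75:
        return "Low"
    if pct >= 50:
        return "Moderate"
    if pct >= 25:
        return "High"
    return "Critical"


def _effective(score: Optional[int]) -> int:
    """Validate one answer. Assumption: an unanswered question (None) counts as 0."""
    if score is None:
        return 0
    if not 1 <= score <= MAX_SCORE:
        raise ValueError(f"score must be 1..{MAX_SCORE} or None, got {score!r}")
    return score


def to_pct(avg: float) -> float:
    """Assumption: percentage = mean score / 4, so an all-4 vendor scores 100%."""
    return round(avg / MAX_SCORE * 100, 1)


def domain_scores(answers):
    """Per-domain average, percentage, rating and unanswered count.

    answers: list of {"id": str, "domain": str, "score": 1..4 or None}
    (a hypothetical record shape; the tool's JSON layout is not documented here).
    """
    grouped = {}
    for a in answers:
        grouped.setdefault(a["domain"], []).append(a["score"])
    out = {}
    for domain, raw in grouped.items():
        scores = [_effective(s) for s in raw]
        avg = mean(scores)
        pct = to_pct(avg)
        out[domain] = {
            "avg": round(avg, 2),
            "pct": pct,
            "rating": risk_rating(pct),
            "unanswered": sum(1 for s in raw if s is None),
        }
    return out


def overall_summary(answers):
    """Overall percentage and rating, plus the findings counter.

    Assumption: a "finding" is any answered question scored 1 or 2.
    """
    scores = [_effective(a["score"]) for a in answers]
    pct = to_pct(mean(scores))
    return {
        "pct": pct,
        "rating": risk_rating(pct),
        "findings": sum(1 for a in answers if a["score"] is not None and a["score"] <= 2),
        "unanswered": sum(1 for a in answers if a["score"] is None),
    }


# Constructed sample: six of the 42 questions across three domains, one left blank.
SAMPLE_ANSWERS = [
    {"id": "GOV-1", "domain": "GOV", "score": 4},
    {"id": "GOV-2", "domain": "GOV", "score": 3},
    {"id": "DATA-1", "domain": "DATA", "score": 2},
    {"id": "DATA-2", "domain": "DATA", "score": 1},
    {"id": "IAM-1", "domain": "IAM", "score": None},
    {"id": "IAM-2", "domain": "IAM", "score": 3},
]

if __name__ == "__main__":
    for domain, r in domain_scores(SAMPLE_ANSWERS).items():
        print(f"{domain:5} avg={r['avg']:.2f} pct={r['pct']:5.1f} {r['rating']:8} unanswered={r['unanswered']}")
    print(overall_summary(SAMPLE_ANSWERS))
```

On the sample, GOV averages 3.5 (87.5%, Low), DATA 1.5 (37.5%, High) and IAM 1.5 (37.5%, High, one unanswered); the overall average of 13/6 gives 54.2%, Moderate, with two findings. Note how the blank IAM answer drags that domain from 75% to 37.5%: when reviewing a real export, check the unanswered count before trusting a domain rating.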

Getting Started

How to Use This Tool

  1. Enter vendor information

    Fill in vendor name, assessor, criticality tier, and data access level in the sidebar.

  2. Select a domain

    Use the sidebar navigation or dashboard cards to pick an assessment domain.

  3. Score each question

    Rate the vendor's maturity (1-4) for each of the 42 questions. Toggle guidance for evaluation criteria.

  4. Document evidence

    Add notes and evidence references in the text field beside each question.

  5. Review the summary

    Click Summary to see the overall risk rating, domain scores, and category breakdown.

  6. Save and export

    Save as JSON to continue later, or export to CSV for stakeholder reporting.

Free Assessment Tools

More from IRONGATE

NIST CSF 2.0 Assessment Tool
CMMC Level 2 Gap Analysis
SOC 2 Readiness Checklist
FedRAMP Low Baseline Assessment
Risk Register (Risk Management)
Risk Treatment (Remediation Tracking)
Crosswalk (Framework Mapping)
Policy Package (5 Policies + Tracker)