Assess a vendor

Vendor Cyber Security & AI Assurance Review

Independently review the cyber security and responsible AI assurance of a supplier and the service it provides — before onboarding, renewal, material change or continued reliance.

ISO/IEC 27001 Lead Auditor
ISO/IEC 42001 Lead Auditor
JASANZ Technical Expert & Assessor
ASD IRAP Assessor

What you gain

Assurance your team can use.

Defensible findings

Conclusions linked to the criteria and evidence examined.

Clear priorities

Know what matters first and what can wait.

Less disruption

Evidence is reviewed before follow-up begins.

Decisions this supports

Framed around the decision you need to support.

Vendor Review is scoped to a real decision, not an open-ended vendor-risk programme. Typical triggers:

Decisions supported

  • Onboarding approval
  • Procurement
  • Renewal
  • Continued use
  • Material supplier or model change
  • Customer, board or risk committee assurance

What the review examines

The supplier and the service it provides.

The same vendor can produce different conclusions for different use cases, so scope is agreed against your intended use before evidence is requested.

Areas examined

  • Vendor and service scope
  • Information and access involved
  • Security assurance
  • AI governance, where applicable
  • Model, cloud and subprocessor dependencies
  • Contracts and data handling
  • Certification and report scope
  • Incidents, vulnerabilities and changes
  • Customer responsibilities and residual dependencies

Before we start

Context we need to scope the review.

The same vendor may produce different conclusions for different use cases — this is what lets us agree the right scope up front.

Intended use

What the vendor's service is actually being used for.

Business criticality

How material the service is to your operations.

Information sensitivity

The type and sensitivity of information the vendor can access.

System access

What systems, data or environments the vendor can reach.

Deployment or region

Where and how the service is deployed or hosted.

Risk or approval decision

The specific decision this review needs to support.

Delivery

From scope to report in four steps.

The standard engagement is remote-first and uses a controlled evidence workspace.

Scope

Confirm criteria, boundaries, timetable, responsibilities and handling.

Collect

Complete the questionnaire and upload requested evidence once.

Clarify

Respond only to focused gaps, conflicts or verification requests.

Report

Receive professionally reviewed findings, limitations and priorities.

What this is

An independent review conclusion.

  • An independent review of a supplier and the service it provides
  • Evidence-led, scoped to your intended use and decision
  • Document review, public evidence and targeted clarification
  • A final report setting out findings, open questions and priorities
What it is not

It is not a formal attestation opinion unless an appropriate assurance standard has been selected and applied, and it does not certify the vendor.

RELATED ASSURANCE LAYER

VENDOR AI EVIDENCE SCAN

A free, automated, point-in-time scan of what a vendor publicly evidences about its AI use. A useful starting point — not a substitute for this review.

VENDOR REVIEW

Independently examines the supplier and the actual service you rely on, scoped to your intended use and the decision you need to support.

Many reviews start from a Vendor AI Scan result, then go deeper into evidence the public scan cannot reach.

Good fit / Not a fit

Is a Vendor Review right for this decision?

Good fit
Decision
A real onboarding, renewal, change or reliance decision
What you want
An independent review, not implementation
Evidence
Vendor evidence is mostly digital and can be shared
Delivery
A remote-first review suits the engagement
Not a fit
Decision
General curiosity with no decision attached
What you want
Help negotiating or remediating the vendor relationship
Evidence
Evidence can only be sighted on the vendor's premises
Delivery
Special evidence handling must be agreed before starting

FAQ

Vendor Review questions.

Common questions before you start the fit check.

Do I need to run the free scan first?

No, but it helps. The Vendor AI Scan is free and gives a quick, public-evidence-only starting point. Vendor Review goes further, using evidence the public scan cannot reach and scoping the conclusion to your actual use case.

Will the vendor know I'm reviewing them?

Not necessarily. Much of the review can be based on public evidence and material you already hold. Where direct vendor evidence is needed, we agree the approach with you first.

What if the vendor doesn't cooperate?

The review reports what could and could not be evidenced. An uncooperative vendor becomes part of the finding, not a reason the review can't proceed.

How is this different from AI Assurance Verification?

Vendor Review examines the supplier and the service it provides. AI Assurance Verification examines a specific deployed AI system, agent or use case — narrower and more technical. Some engagements use both.

What happens after the fit check?

You submit a single Request engagement form with your result. If TRUSTYCYBER accepts the engagement, you receive confirmed scope, terms, a payment link and access to the evidence workspace.

Ready to review a vendor?

Tell us about the vendor, the decision and the timing before sharing evidence.

Check your fit →