Assess a vendor
Vendor Cyber Security & AI Assurance Review
Independently review the cyber security and responsible AI assurance of a supplier and the service it provides — before onboarding, renewal, material change or continued reliance.
What you gain
Assurance your team can use.
Defensible findings
Conclusions linked to the criteria and evidence examined.
Clear priorities
Know what matters first and what can wait.
Less disruption
Evidence is reviewed before follow-up begins.
Decisions this supports
Framed around the decision you need to support.
Vendor Review is scoped to a real decision, not an open-ended vendor-risk programme. Typical triggers:
Decisions supported
- Onboarding approval
- Procurement
- Renewal
- Continued use
- Material supplier or model change
- Customer, board or risk committee assurance
What the review examines
The supplier and the service it provides.
The same vendor can produce different conclusions for different use cases, so scope is agreed against your intended use before evidence is requested.
Areas examined
- Vendor and service scope
- Information and access involved
- Security assurance
- AI governance, where applicable
- Model, cloud and subprocessor dependencies
- Contracts and data handling
- Certification and report scope
- Incidents, vulnerabilities and changes
- Customer responsibilities and residual dependencies
Before we start
Context we need to scope the review.
The same vendor may produce different conclusions for different use cases — this is what lets us agree the right scope up front.
Intended use
What the vendor's service is actually being used for.
Business criticality
How material the service is to your operations.
Information sensitivity
The type and sensitivity of information the vendor can access.
System access
What systems, data or environments the vendor can reach.
Deployment or region
Where and how the service is deployed or hosted.
Risk or approval decision
The specific decision this review needs to support.
Delivery
From scope to report in four steps.
The standard engagement is remote-first and uses a controlled evidence workspace.
Scope
Confirm criteria, boundaries, timetable, responsibilities and handling.
Collect
Complete the questionnaire and upload requested evidence once.
Clarify
Respond only to focused gaps, conflicts or verification requests.
Report
Receive professionally reviewed findings, limitations and priorities.
What this is
An independent review conclusion.
- An independent review of a supplier and the service it provides
- Evidence-led, scoped to your intended use and decision
- Document review, public evidence and targeted clarification
- A final report setting out findings, open questions and priorities
It is not a formal attestation opinion unless an appropriate assurance standard has been selected and applied, and it does not certify the vendor.
RELATED ASSURANCE LAYER
VENDOR AI EVIDENCE SCAN
A free, automated, point-in-time scan of what a vendor publicly evidences about its AI use. A useful starting point — not a substitute for this review.
VENDOR REVIEW
Independently examines the supplier and the actual service you rely on, scoped to your intended use and the decision you need to support.
Many reviews start from a Vendor AI Scan result, then go deeper into evidence the public scan cannot reach.
Good fit / Not a fit
Is a Vendor Review right for this decision?
Do I need to run the free scan first?
No, but it helps. The Vendor AI Scan is free and gives a quick, public-evidence-only starting point. Vendor Review goes further, using evidence the public scan cannot reach and scoping the conclusion to your actual use case.
Will the vendor know I'm reviewing them?
Not necessarily. Much of the review can be based on public evidence and material you already hold. Where direct vendor evidence is needed, we agree the approach with you first.
What if the vendor doesn't cooperate?
The review reports what could and could not be evidenced. An uncooperative vendor becomes part of the finding, not a reason the review can't proceed.
How is this different from AI Assurance Verification?
Vendor Review examines the supplier and the service it provides. AI Assurance Verification examines a specific deployed AI system, agent or use case — narrower and more technical. Some engagements use both.
What happens after the fit check?
You submit a single Request engagement form with your result. If TRUSTYCYBER accepts the engagement, you receive confirmed scope, terms, a payment link and access to the evidence workspace.
Ready to review a vendor?
Tell us about the vendor, the decision and the timing before sharing evidence.
