Third-Party & Supply Chain Cyber Risk Maturity Assessment

On Sale
A$1,499.00

Do you really know the cyber risk your suppliers bring into your organisation?

Third-party and supply chain attacks are among the fastest-growing threats in cyber security. Your vendors access your systems, hold your data, and connect to your network — and their weaknesses become yours. APRA's CPS 234 and CPS 230, the SOCI Act, and frameworks like NIST and ISO 27001 all demand that organisations actively manage third-party cyber risk. Yet most organisations struggle to move beyond ad hoc vendor assessments and incomplete contract clauses.


This maturity assessment gives you a structured, repeatable way to evaluate your entire third-party risk management program — and a clear roadmap to lift it.


What's included:

1. Assessment Tool (HTML file)

88 questions across 8 domains, covering the full vendor lifecycle:

→ Vendor Inventory & Classification — Do you know all your vendors and which ones matter most?
→ Due Diligence & Onboarding — Are you assessing vendor security before granting access, including AI governance and fourth-party risks?
→ Contractual Security Requirements — Do your contracts include enforceable security obligations, breach notification, data sovereignty, and AI usage clauses?
→ Access & Data Controls — Is vendor access limited, monitored, segmented, and subject to DLP controls?
→ Ongoing Monitoring & Review — Are you continuously assessing vendor risk, tracking threat intelligence, and reviewing SOC 2 reports?
→ Incident & Breach Management — Can you respond effectively when a vendor is compromised, including downstream customer impact?
→ Offboarding & Termination — Is access removed, data destroyed, IP retrieved, and residual risk assessed when contracts end?
→ Governance & Accountability — Does leadership own third-party risk with clear policies, KPIs, and a defined risk appetite?


2. User Guide & Question Reference (PDF — 30 pages)

A comprehensive companion guide including:

→ How to complete the optional Vendor Profile to tailor results to your industry and vendor environment
→ Understanding the six-point response scale — from "Yes, consistently" to "Not Applicable"
→ How to use the built-in evidence attachment feature to link supporting documents to each question
→ Understanding control tiers — Essential, Recommended, and Advanced — and how to sequence improvements
→ How to interpret your maturity score, domain breakdown, control tier analysis, and vendor environment risk alerts
→ Full question reference — all 88 questions explained with "Why This Matters" context and "Evidence to Look For" indicators


Vendor Profile — tailored to your environment:

Before the assessment begins, an optional Vendor Profile captures your industry, vendor count, data access patterns, concentration risk, and overseas vendor exposure. This tailors your results with industry-specific regulatory frameworks (APRA, SOCI, PCI DSS) and context-aware risk alerts based on your actual vendor landscape.


Five-level maturity model:

Each question is assessed against a five-level maturity scale — Ad Hoc, Initial, Developing, Established, and Mature — giving you a nuanced picture that goes beyond simple yes/no compliance checks. Benchmark where you are today and set realistic targets for improvement.


Three control tiers for sequenced improvement:

Every question is tagged as Essential, Recommended, or Advanced — so you know what to fix first, what strengthens your program, and what drives mature-state capability. Your results show separate scores for each tier.


What you get when you complete the assessment:

✔ Overall maturity score with a clear maturity band rating

✔ Domain-by-domain maturity profile with visual dashboard

✔ Control tier analysis — separate scores for Essential, Recommended, and Advanced

✔ Vendor environment risk alerts tailored to your industry and vendor profile

✔ Prioritised gap analysis with recommended actions, risk levels, and implementation effort

✔ Phased improvement roadmap — immediate priorities through to long-term maturity building

✔ Evidence attachment — link up to 3 supporting documents per question for audit readiness

✔ Evidence Package export — bundled archive of all attached evidence with summary manifest

✔ Exportable Word report — board-ready with executive summary, domain scores, gap analysis, and regulatory landscape

✔ Exportable Excel workbook — with gap tracking, vendor risk register (ready to import into your enterprise risk framework), domain scores, full responses, and TPRM resources

✔ Save/load progress files — transfer assessments between devices or share with colleagues


Mapped to the frameworks that matter:

Built with Australian regulatory requirements front and centre — APRA CPS 234, CPS 230, SOCI Act, and Privacy Act — alongside international frameworks including NIST CSF, ISO 27001, SOC 2, and PCI DSS. Whether you're in financial services, energy, health, or government, the assessment aligns with the standards your regulators and auditors expect.


Who is this for?

  • CISOs and security leaders needing to assess and report on third-party cyber risk
  • Risk and compliance teams responsible for vendor risk management programs
  • Procurement and legal teams wanting to strengthen vendor security requirements
  • Organisations preparing for APRA, SOCI Act, or ISO 27001 audits
  • Critical infrastructure entities needing to demonstrate supply chain risk management
  • Any organisation wanting to move from ad hoc vendor checks to a structured, repeatable program


How it works:

Download both files — open the HTML file in any modern browser and use the PDF user guide as your reference. Enter your organisation name, complete the optional Vendor Profile, work through the eight domains, and the tool does the rest. No installation, no cloud account, no data leaves your device. Progress auto-saves and can be exported to file for backup or sharing.


Built by CyberAssure — practical cyber security tools for Australian organisations.

You will get the following files:
  • HTML (631KB)
  • PDF (339KB)