Skip to main content
Back to Shop
Supplier Risk Scorecard preview
NIS2 COMPLIANCE

Supplier Risk Scorecard

Score 50 suppliers against NIS2 Art.21(d), LkSG and GDPR in one questionnaire. Risk tier per supplier.

supplier-riskNIS2LkSGGDPRsupply-chainISO-27001-2022

🔗 62% OF BREACHES INVOLVE THIRD PARTIES — SCORE YOUR SUPPLIERS BEFORE THEY SCORE YOU

NIS2 Article 21(d), DORA Chapter V, ISO 27001 Control 5.21, and the UK CS&R Bill all require documented supply chain security management. Most organisations send ad hoc questionnaires. A structured scorecard creates a repeatable, comparable assessment that satisfies all frameworks simultaneously — and takes 15 minutes per supplier instead of 3 hours.

Supplier Risk Scorecard — Assess, Score, Track, Evidence

Send a standardised security scorecard to any supplier. Receive a structured risk score. Track all suppliers in a centralised register. Export evidence for NIS2, DORA, ISO 27001, and insurance audits. Repeat annually with automated reminders. Supply chain security does not need to be complex — it needs to be consistent.

  • Standardised Questionnaire: 30-question risk assessment covering governance, technical controls, incident response, and compliance — completable in 15 minutes
  • Automated Risk Scoring: Each supplier scored High/Medium/Low with composite numerical score — comparable across all suppliers
  • Supplier Register: All suppliers tracked with assessment dates, scores, tier classification, and contract details
  • Tiered Assessment: Critical/Important/Standard suppliers — proportionate assessment depth based on risk tier
  • Gap Notification: Automatically notify suppliers of specific gaps with improvement expectations
  • Annual Reassessment: Automated reminders for annual re-scoring — track supplier improvement or degradation
  • Multi-Framework Evidence: Exported as NIS2 Art. 21(d), DORA Chapter V, or ISO 27001 Control 5.21 evidence
  • Contract Clause Library: Security clauses to add to supplier contracts based on their risk tier

💷 THE MATHS

£99/month. Supply chain breach: 62% of all breaches. Average supply chain-related breach cost: £4.5M+. Manual supplier assessment time: 3–5 hours per supplier at £30–60/hour. NIS2 supply chain non-compliance: up to €10M. This scorecard makes supply chain security systematic instead of ad hoc.

📋 ISO 27001:2022 TRANSITION

ISO 27001:2013 certifications expired 31 October 2025. All organisations must now operate under ISO 27001:2022, which adds 11 new controls including threat intelligence, cloud security, data masking, and secure development. This product's controls are mapped to the 2022 standard.

📅 NIS2 — FIRST UK AUDIT CYCLE: 30 JUNE 2026

Supplier risk evidence is a core requirement for the 30 June 2026 first NIS2 audit cycle (Article 21(d) supply-chain controls). Use this scorecard to feed both NIS2 audit packs and UK Cyber Security and Resilience (CS&R) Bill supplier-due-diligence reports — same data, two compliance regimes.

📦 Delivery & deliverables

  • Turnaround: assessment delivery within 36 business hours after intake completion. Multi-jurisdiction packages: up to 5 business days.
  • Sample output: a redacted sample deliverable (report + appendices) is available on request — email [email protected] with the product name.
  • Revision & satisfaction: one round of revisions included; if the deliverable does not meet the agreed brief, full money-back refund within the 14-day window.

NIS2 Annex I Coverage (Supplier-Centric)

Direct coverage of NIS2 Article 21(d) supply chain security with extensions to adjacent Annex I measures evaluated at the supplier level:

  • (a) Supplier risk policy — Vendor risk policy template covering NIS2-required dimensions, annual policy review cadence
  • (c) Supplier business continuity — Critical-supplier continuity assessment, alternative supplier register, supplier RTO/RPO declarations
  • (g) Supplier cyber hygiene + training requirements — Supplier contract clauses requiring documented security awareness training programme + completion evidence
  • (h) Supplier encryption requirements — Supplier contract clauses requiring TLS 1.3 minimum + AES-256 at-rest + key management evidence
  • (i) Supplier access control — Supplier access management protocol (just-in-time access, RBAC for vendor accounts, regular access reviews)
  • (j) Supplier MFA + emergency comms — MFA enforcement clauses for supplier portal access, out-of-band emergency contact register per supplier

Article 23 supplier-incident reporting: 24-hour early warning template pre-filled for supplier-originated incidents (your obligation if supplier breach impacts your service) + 72-hour formal notification template with supplier root-cause attribution. Single intake supports notification to national CSIRT (NIS2), data protection authority (where personal data involved), and downstream customers (contractual).

£199.00

One-time payment · No VAT (not registered)

Delivery: Instant on payment
Refund: 14-day satisfaction guarantee
Instant download after payment
UK GDPR compliant
Secure checkout via Stripe
Not VAT registered — no VAT charged

Trust & Delivery

ICO registered ZC112810

UK Information Commissioner's Office data controller registration.

Companies House 16419201

SummitBridge Horizon Ltd — registered 30 April 2025, London.

14-day satisfaction guarantee

See refund policy for full terms.

Sample materials available

Request a sample

Compare with the market

6 direct and adjacent competitors tracked.

VendorTheir priceThreatvs SBHTheir advantagesOur advantages
IntegrityNext

DE

HIGHpricier
osapiens

DE

HIGHpricier
OneTrust

US

$25,000+ /yrMEDIUMpricier
UpGuard

AU

$5,999+ /yrMEDIUM
BitSight

US

MEDIUMpricier
SecurityScorecard

US

MEDIUMpricier

Compliance Snapshot

Regulatory posture for this product — for procurement and security teams.

General-purpose (limited- or minimal-risk)

Conformity scaffold in place — formal record not yet published