Supplier Risk Scorecard
Score 50 suppliers against NIS2 Art.21(d), LkSG and GDPR in one questionnaire. Risk tier per supplier.
🔗 62% OF BREACHES INVOLVE THIRD PARTIES — SCORE YOUR SUPPLIERS BEFORE THEY SCORE YOU
NIS2 Article 21(d), DORA Chapter V, ISO 27001 Control 5.21, and the UK CS&R Bill all require documented supply chain security management. Most organisations send ad hoc questionnaires. A structured scorecard creates a repeatable, comparable assessment that satisfies all frameworks simultaneously — and takes 15 minutes per supplier instead of 3 hours.
Supplier Risk Scorecard — Assess, Score, Track, Evidence
Send a standardised security scorecard to any supplier. Receive a structured risk score. Track all suppliers in a centralised register. Export evidence for NIS2, DORA, ISO 27001, and insurance audits. Repeat annually with automated reminders. Supply chain security does not need to be complex — it needs to be consistent.
- Standardised Questionnaire: 30-question risk assessment covering governance, technical controls, incident response, and compliance — completable in 15 minutes
- Automated Risk Scoring: Each supplier scored High/Medium/Low with composite numerical score — comparable across all suppliers
- Supplier Register: All suppliers tracked with assessment dates, scores, tier classification, and contract details
- Tiered Assessment: Critical/Important/Standard suppliers — proportionate assessment depth based on risk tier
- Gap Notification: Automatically notify suppliers of specific gaps with improvement expectations
- Annual Reassessment: Automated reminders for annual re-scoring — track supplier improvement or degradation
- Multi-Framework Evidence: Exported as NIS2 Art. 21(d), DORA Chapter V, or ISO 27001 Control 5.21 evidence
- Contract Clause Library: Security clauses to add to supplier contracts based on their risk tier
💷 THE MATHS
£99/month. Supply chain breach: 62% of all breaches. Average supply chain-related breach cost: £4.5M+. Manual supplier assessment time: 3–5 hours per supplier at £30–60/hour. NIS2 supply chain non-compliance: up to €10M. This scorecard makes supply chain security systematic instead of ad hoc.
📋 ISO 27001:2022 TRANSITION
ISO 27001:2013 certifications expired 31 October 2025. All organisations must now operate under ISO 27001:2022, which adds 11 new controls including threat intelligence, cloud security, data masking, and secure development. This product's controls are mapped to the 2022 standard.
📅 NIS2 — FIRST UK AUDIT CYCLE: 30 JUNE 2026
Supplier risk evidence is a core requirement for the 30 June 2026 first NIS2 audit cycle (Article 21(d) supply-chain controls). Use this scorecard to feed both NIS2 audit packs and UK Cyber Security and Resilience (CS&R) Bill supplier-due-diligence reports — same data, two compliance regimes.
📦 Delivery & deliverables
- Turnaround: assessment delivery within 36 business hours after intake completion. Multi-jurisdiction packages: up to 5 business days.
- Sample output: a redacted sample deliverable (report + appendices) is available on request — email [email protected] with the product name.
- Revision & satisfaction: one round of revisions included; if the deliverable does not meet the agreed brief, full money-back refund within the 14-day window.
NIS2 Annex I Coverage (Supplier-Centric)
Direct coverage of NIS2 Article 21(d) supply chain security with extensions to adjacent Annex I measures evaluated at the supplier level:
- (a) Supplier risk policy — Vendor risk policy template covering NIS2-required dimensions, annual policy review cadence
- (c) Supplier business continuity — Critical-supplier continuity assessment, alternative supplier register, supplier RTO/RPO declarations
- (g) Supplier cyber hygiene + training requirements — Supplier contract clauses requiring documented security awareness training programme + completion evidence
- (h) Supplier encryption requirements — Supplier contract clauses requiring TLS 1.3 minimum + AES-256 at-rest + key management evidence
- (i) Supplier access control — Supplier access management protocol (just-in-time access, RBAC for vendor accounts, regular access reviews)
- (j) Supplier MFA + emergency comms — MFA enforcement clauses for supplier portal access, out-of-band emergency contact register per supplier
Article 23 supplier-incident reporting: 24-hour early warning template pre-filled for supplier-originated incidents (your obligation if supplier breach impacts your service) + 72-hour formal notification template with supplier root-cause attribution. Single intake supports notification to national CSIRT (NIS2), data protection authority (where personal data involved), and downstream customers (contractual).
£199.00
One-time payment · No VAT (not registered)
Trust & Delivery
ICO registered ZC112810
UK Information Commissioner's Office data controller registration.
Companies House 16419201
SummitBridge Horizon Ltd — registered 30 April 2025, London.
14-day satisfaction guarantee
See refund policy for full terms.
Sample materials available
Compare with the market
6 direct and adjacent competitors tracked.
| Vendor | Their price | Threat | vs SBH | Their advantages | Our advantages |
|---|---|---|---|---|---|
| IntegrityNext DE | — | HIGH | pricier | — | — |
| osapiens DE | — | HIGH | pricier | — | — |
| OneTrust US | $25,000+ /yr | MEDIUM | pricier | — | — |
| UpGuard AU | $5,999+ /yr | MEDIUM | — | — | — |
| BitSight US | — | MEDIUM | pricier | — | — |
| SecurityScorecard US | — | MEDIUM | pricier | — | — |
Compliance Snapshot
Regulatory posture for this product — for procurement and security teams.
Conformity scaffold in place — formal record not yet published