How should third-party risk be rated for vendors based on criticality and exposure in a cyber audit?


Multiple Choice

How should third-party risk be rated for vendors based on criticality and exposure in a cyber audit?

Explanation:
Assessing third-party risk in a cyber audit requires a risk rating that reflects how critical a vendor is to operations and how exposed they are to cyber threats. The best approach uses a structured model that weighs data sensitivity, the level of access the vendor has to systems or data, the potential operational impact if the vendor is compromised, and any regulatory or contractual exposure tied to their activities. It also requires documenting the residual risk after existing controls and laying out monitoring requirements and triggers for action. This approach captures both likelihood and impact, guiding controls, due diligence, and ongoing oversight. Relying on supplier location, price, or years in business does not reliably indicate cyber risk posture or necessary controls, so those factors don’t provide a sound basis for risk scoring.