Supplier Risk

Supplier reviews: the ISO 27001 control SaaS teams forget

SaaS runs on dozens of subprocessors, yet third-party risk reviews are routinely skipped. Your suppliers are your customers' risk too.

By Kellwick Team · April 29, 2026 · 3 min read

A modern SaaS product runs on other people's software. Payment processors, cloud infrastructure, analytics, email delivery, support tooling, AI APIs - dozens of subprocessors, each holding or touching data. Supplier risk is one of the most commonly skipped ISO 27001 controls, usually because no one owns it and the list grew faster than anyone tracked. Your suppliers are not just your risk. They are your customers' risk, passed through you.

Why the control gets skipped

Supplier review is easy to defer because nothing breaks when you skip it. The tools work, the product ships, and the risk stays invisible until a subprocessor has an incident or a customer's security team asks for your vendor list.

The usual reasons:

  • No single owner, so new tools get adopted without any review step.
  • Procurement is decentralised - any engineer can sign up for a service with a company card.
  • The subprocessor list is out of date or was never maintained.
  • Reviews, when they happen, are treated as one-off onboarding checks and never repeated.

The result is a supply chain no one has fully mapped, which is difficult to defend in an audit and worse to explain after an incident.

Start with an honest inventory

You cannot review suppliers you have not listed. Before any assessment process, build a current inventory of who has access to what.

  • List every third party that processes, stores or can access customer or company data.
  • Record what data each one touches and how sensitive it is.
  • Note whether they are a subprocessor you must disclose to customers under your contracts.
  • Flag the ones critical to running the product - the ones an outage would take you down with.

This inventory is also what your customers increasingly ask for directly. Having it current is half the work.

Make the review proportionate

Not every supplier needs the same scrutiny. A tool with no access to customer data does not warrant the depth you apply to your cloud provider or payment processor. Tier the effort by risk.

  • High risk - holds customer data or is critical to operations. Review certifications (ISO 27001, SOC 2), data handling, breach notification terms and subprocessor chains. Reassess at least annually.
  • Medium risk - limited data access. A lighter review of security posture and contractual terms, refreshed periodically.
  • Low risk - no sensitive data. Basic due diligence recorded at onboarding.

The point is a defensible, written basis for how much scrutiny each supplier gets, not a uniform questionnaire sent to everyone.

Keep it current and evidenced

A supplier review is not a one-time gate. Vendors change what they do with data, add their own subprocessors, and occasionally have incidents.

  • Set a reassessment cadence tied to each tier.
  • Re-check certifications before they lapse rather than trusting a report from two years ago.
  • Have a route for adding new suppliers that includes a review step, so the inventory stays current.
  • Record each review - what was checked, when and by whom - so you can show a process, not just an intention.

Done this way, supplier risk becomes evidence you can hand to a customer or auditor, rather than a gap you hope no one probes.
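The tiering rule from the previous section and the cadence and evidence points above can be turned into a small tracker, so that "is anything overdue?" is a question the inventory can answer instead of a memory. The following is an added example written for this article, not tooling from Kellwick or the article's own code; the supplier names are constructed, the medium-tier and low-tier intervals and the 90-day certification warning window are assumptions (the article only fixes "at least annually" for high risk), and the evidence record is a minimal shape, not a required format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Reassessment interval per tier, in days. "high" follows the article's
# "at least annually"; "medium" (two years) and "low" (onboarding only,
# no periodic reassessment) are assumptions for this example.
REASSESS_DAYS: Dict[str, Optional[int]] = {"high": 365, "medium": 730, "low": None}


@dataclass
class Supplier:
    name: str
    holds_customer_data: bool        # processes, stores or can access customer data
    critical_to_operations: bool     # an outage would take the product down
    limited_data_access: bool        # some company data, nothing sensitive
    subprocessor: bool               # must be disclosed to customers under contract
    last_reviewed: Optional[date]    # None = no review on record, not even at onboarding
    cert_expiry: Optional[date] = None  # expiry of the ISO 27001 cert / SOC 2 report relied on


def tier(s: Supplier) -> str:
    """Apply the article's tiering: customer data or criticality -> high,
    limited access -> medium, otherwise low."""
    if s.holds_customer_data or s.critical_to_operations:
        return "high"
    if s.limited_data_access:
        return "medium"
    return "low"


def review_findings(suppliers: List[Supplier], today: date,
                    cert_warning_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (supplier, tier, issue) for every supplier that needs attention:
    never reviewed, reassessment overdue for its tier, or (high tier only)
    a certification that lapses within the warning window."""
    findings = []
    for s in suppliers:
        t = tier(s)
        if s.last_reviewed is None:
            findings.append((s.name, t, "never reviewed"))
            continue
        interval = REASSESS_DAYS[t]
        if interval is not None and (today - s.last_reviewed).days > interval:
            findings.append((s.name, t, "reassessment overdue"))
        if t == "high" and s.cert_expiry is not None \
                and (s.cert_expiry - today).days <= cert_warning_days:
            findings.append((s.name, t, "certification lapsing"))
    return findings


def record_review(s: Supplier, reviewer: str, checks: List[str], when: date) -> dict:
    """Produce the evidence entry the article asks for (what, when, by whom)
    and reset the supplier's review date so the cadence restarts."""
    s.last_reviewed = when
    return {"supplier": s.name, "tier": tier(s), "checked": list(checks),
            "date": when.isoformat(), "reviewer": reviewer}


# Constructed sample inventory; TODAY matches the article date.
TODAY = date(2026, 4, 29)
SAMPLE_INVENTORY = [
    Supplier("cloud-provider", True, True, False, True, date(2025, 3, 1), date(2026, 5, 20)),
    Supplier("email-delivery", True, False, False, True, date(2025, 11, 10), date(2026, 12, 31)),
    Supplier("product-analytics", False, False, True, True, date(2024, 1, 15)),
    Supplier("status-page", False, False, False, False, None),
]

if __name__ == "__main__":
    for name, t, issue in review_findings(SAMPLE_INVENTORY, TODAY):
        print(f"{name:20} {t:7} {issue}")
    print(record_review(SAMPLE_INVENTORY[0], "security-lead",
                        ["ISO 27001 cert", "breach notification terms", "subprocessor list"], TODAY))
```

Run as a script it lists the cloud provider as both overdue and approaching certificate expiry, the analytics tool as overdue on its two-year cadence, and the status-page tool as having no review on record at all; the email provider, reviewed within the year with a certificate well outside the window, is silent. Keeping the entries from `record_review` in version control or a ticketing system is what turns the list into evidence rather than intention.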

Bottom line

Supplier risk is the control that stays quiet until it is loud. A current inventory, proportionate tiering and a repeatable, evidenced review turn an invisible exposure into something you can defend to both auditors and customers. If you are not sure your subprocessor list is complete or your reviews would hold up, a readiness review can map your supply chain and show where the gaps sit.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.