Overview of the Tool
When working with suppliers and other third parties, it’s essential to understand the security controls they have in place. These partners can introduce significant risk if their cyber posture is weak - and in large organisations, there’s usually a patchwork of onboarding, procurement, risk, and IT processes trying to keep it all in check.
One key step in onboarding a third party is performing supplier due diligence. That often includes an information security assessment to get a sense of how well the supplier is managing threats, vulnerabilities, and data protection, and your goal is really to establish that they’re doing things as well as you are. In some cases you may even learn some good practice from them.
Supplier Cyber Scoping Tool
This tool is a prototype version of a lightweight, browser-based assessment. It’s designed to:
- Help you quickly evaluate a supplier’s baseline cyber controls
- Generate a risk rating based on structured answers
- Provide a downloadable PDF snapshot of the assessment
How it works:
The tool runs entirely in your browser - your data stays private.
- It asks 10 foundational questions covering key security practices.
- At the end, you’ll get a risk score and rating based on your responses.
- You can download the results as a PDF report and use it in your internal documentation.
Use this tool as a pre-screening lens before launching into full security due diligence, or as a reference when comparing multiple vendors in a request for proposal (RFP) process. If you were using this tool in practice, you’d update the question set to your own - these are just some examples.
This is just a starting point - future versions may include:
- AI-specific due diligence questions
- Integration with your internal GRC platform
- Customisable questions and scoring logic
FAQ: How This Supplier Cyber Scoping Tool Works
What is this tool and what does it do?
This is a lightweight, browser-based tool to help you assess the cyber risk of a supplier during an RFP or onboarding process. It asks 10 core cyber due diligence questions and gives you a preliminary risk score and downloadable PDF report.
It’s designed to provide a quick, consistent way to sense-check supplier risk early in the process. As you become more committed to bringing on this supplier, you will go deeper into the question set and some of the specifics.
Why not just use Google Sheets or Excel?
That’s a good question - and here’s the difference:
- This tool runs entirely in your browser. No data is sent to a server, uploaded to the cloud, or stored.
- Google Sheets often means sharing data with your Google account or other collaborators.
- Excel files can be inconsistent, end up in multiple versions, or get sent over email - which creates risks and admin overhead.
So this tool offers more privacy, less friction, and immediate results without needing a spreadsheet setup.
Does this data leave my computer to be stored elsewhere?
No. All of your answers stay in your browser. The tool doesn’t collect, transmit, or store any data—not even temporarily.
Once you close the tab, your inputs are gone unless you’ve downloaded the PDF.
How does the scoring work?
The scoring model is implemented in Python and runs inside your browser (thanks to Pyodide, a Python runtime compiled to WebAssembly). It assigns weights to your answers based on common cyber risk indicators - such as speed of patching, presence of a named CISO, or use of offshore delivery.
The total score places the supplier into a Low, Medium, or High risk category.
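To make the weighted-scoring idea concrete, here is an added example of the kind of model described above. It is not the tool's own code: the question texts, the points per answer, and the Low/Medium/High thresholds are all constructed for illustration, and the same plain Python would run unchanged under Pyodide in the browser. It also returns a per-question breakdown, which is what a "glass box" tool needs so a reviewer can see where the number came from, and it treats an unanswered question as the riskiest option rather than silently scoring it as zero.

```python
"""Illustrative weighted supplier cyber risk scoring.

Added example, not the tool's own code. Questions, point values and
thresholds below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    options: Dict[str, int]  # answer text -> risk points (higher = riskier)

    def worst(self) -> int:
        return max(self.options.values())


# Constructed question set, loosely following the indicators named on the
# page (patching speed, named CISO, offshore delivery) plus two more.
QUESTIONS: Tuple[Question, ...] = (
    Question("patching", "How quickly are critical vulnerabilities patched?",
             {"within 14 days": 0, "within 30 days": 2, "longer / unknown": 5}),
    Question("ciso", "Is there a named CISO or equivalent security lead?",
             {"yes": 0, "no": 3}),
    Question("offshore", "Is delivery or data processing performed offshore?",
             {"no": 0, "yes, with contractual controls": 2, "yes, uncontrolled": 4}),
    Question("mfa", "Is MFA enforced for all staff on systems handling our data?",
             {"yes": 0, "partially": 2, "no": 4}),
    Question("incident", "Is there a tested incident response plan?",
             {"yes, tested annually": 0, "yes, untested": 2, "no": 4}),
)

# Rating bands as a percentage of the maximum possible score (assumed values).
# Integer arithmetic is used so the band edges are exact.
THRESHOLDS: Tuple[Tuple[int, str], ...] = ((25, "Low"), (55, "Medium"))


def max_score() -> int:
    """Highest (riskiest) total the question set can produce."""
    return sum(q.worst() for q in QUESTIONS)


def rate(total: int) -> str:
    """Map a total to Low / Medium / High using the percentage bands."""
    for pct, label in THRESHOLDS:
        if total * 100 <= pct * max_score():
            return label
    return "High"


def explain(answers: Dict[str, Optional[str]]) -> List[Tuple[str, str, int]]:
    """Per-question breakdown: (question id, answer given, points awarded).

    A missing answer is scored as the riskiest option, so an incomplete
    questionnaire cannot look safer than a complete one. An answer string
    that is not one of the offered options is treated as a data error.
    """
    rows = []
    for q in QUESTIONS:
        ans = answers.get(q.qid)
        if ans is None:
            rows.append((q.qid, "<unanswered: scored as worst case>", q.worst()))
        elif ans in q.options:
            rows.append((q.qid, ans, q.options[ans]))
        else:
            raise ValueError(f"{q.qid}: unknown answer {ans!r}")
    return rows


def score_answers(answers: Dict[str, Optional[str]]) -> Tuple[int, str]:
    """Return (total points, rating label) for a set of answers."""
    total = sum(points for _, _, points in explain(answers))
    return total, rate(total)


if __name__ == "__main__":
    # Constructed sample response for a mid-range supplier.
    sample = {
        "patching": "within 30 days",
        "ciso": "no",
        "offshore": "yes, with contractual controls",
        "mfa": "partially",
        "incident": "yes, untested",
    }
    for qid, ans, pts in explain(sample):
        print(f"{qid:10} {pts:2}  {ans}")
    total, label = score_answers(sample)
    print(f"total {total}/{max_score()} -> {label}")
```

The breakdown from `explain()` is what you would print beside the final rating, or embed in the PDF, so that a colleague in the risk team can challenge an individual weight rather than the whole number.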
Can I see the questions and scoring logic?
Yes - and that’s intentional. One of the benefits of this tool is transparency:
- You can view the full list of questions.
- You can inspect how the scoring is calculated.
- You can reuse or adapt it for internal purposes.
This is a “glass box” approach - unlike many risk tools that give a number without explaining where it came from.
Is it secure? Could someone hack this or access my data?
Because the tool runs locally in your browser, there’s no server to hack and no data to steal. However, like anything running in a browser, a technically savvy user could view the page source to see how it works.
That’s fine for this use case as it’s not designed to keep the scoring logic secret. In fact, openness helps build trust.
What if I want to change the questions or weights?
In this version the questions and weights are fixed. The code can be customised to let you edit the questions, adjust the scoring logic, or add your own branding to the PDF report.
If you’re interested in that, get in touch to get a copy of the code.
Can I use this for formal supplier approval?
Think of this as a preliminary lens, not a final verdict. It’s most useful:
- During early-stage vendor reviews
- To guide conversations with InfoSec and risk teams
- To document your due diligence process
For critical or high-risk suppliers, you should still follow up with a full security review, risk assessment, or contractual controls.
Why is this free?
Because helping others ask better security questions benefits everyone. This tool is part of a broader initiative to share useful, transparent approaches to cyber risk and governance.
Can I connect this to my in-house GRC system (e.g. ServiceNow, Archer, MetricStream)?
Not directly - this tool is designed to be standalone and lightweight, running entirely in your browser with no backend or integration.
That’s what makes it fast, private, and easy to use - but it also means there’s no automatic connection to enterprise GRC platforms like ServiceNow, RSA Archer, or MetricStream.
However, here are a few ways teams have used it alongside their GRC tools:
- Attach the PDF report to a supplier record or onboarding ticket.
- Copy the responses or risk rating into your system manually, as a checkpoint or pre-screening artifact.
- Use it to triage or prioritise suppliers before triggering a full GRC workflow.
If you’re interested in integrating this logic directly into your GRC system (e.g. to score questionnaire responses inside ServiceNow or Archer), you could explore building a backend version that connects via API or automation.
Can I use this tool in my business?
This is an experimental tool — a prototype — and not something you should rely on for formal supplier approvals, regulatory compliance, or contractual obligations. It’s designed to start the conversation, not finish it.
It asks 10 preliminary questions to help you get a feel for a supplier’s baseline cyber hygiene — but it’s just a first step.
By using this tool, you’re agreeing that:
- You’re in charge. You’re responsible for interpreting the results and deciding what to do with them.
- We’re not liable. Decisions based on this tool’s output are yours alone — no warranties, promises, or guarantees are made.
- No data is stored. Everything runs in your browser, and nothing is saved or sent anywhere.
- It’s not compliance-ready. This isn’t designed to meet legal, regulatory, or contractual standards.
In short: this tool is provided “as is”, with no warranties of any kind — express or implied. Use it wisely, validate the results, and if you’re unsure, get professional advice.