Most third-party risk programs at mid-market companies still run on a Google Sheet. There is a tab per vendor, a column per question, and a person who chases evidence by email until the next audit. It scales until it doesn't. The first time an auditor asks "show me the questionnaire response your highest-risk subprocessor submitted in 2024 and the evidence that backed it up," the spreadsheet stops being a process and starts being a liability.
This guide walks through what mid-market AWS customers should replace the spreadsheet with in 2026, what a defensible vendor risk program looks like for SOC 2, ISO 27001, HIPAA, and PCI DSS audits, and where a purpose-built tool earns its keep over the legal-pad-and-Excel approach.
Quick answer: For AWS customers managing 10 to 500 vendors, the right replacement for a vendor-risk spreadsheet is an AWS-native TPRM tool that ships standardized questionnaires, validates evidence, and produces an audit-ready PDF without you writing one. ComplyRim Vendor Triage runs on AWS Marketplace from $149 per month or $50 per assessment pay-as-you-go, with 78 industry-standard questions across 8 domains (including AI/ML ethics) and 85%+ completion rates from multi-stakeholder routing.
Why spreadsheets fail at vendor risk management
Spreadsheet-based vendor risk works for the first 10 vendors. Past that, four problems compound:
- Inconsistent questionnaires. Each vendor gets a slightly different version. There is no audit trail showing which version any given vendor answered. Auditors notice.
- No evidence validation. A vendor uploads a SOC 2 report. Nobody checks whether it is current, signed by the right auditor, or covers the products you actually buy. The PDF sits in a folder until the renewal and then sits there for another year.
- Single-recipient routing. The whole questionnaire goes to one contact, usually the vendor's account executive, who then forwards security questions to the CISO, privacy questions to the DPO, and technical questions to engineering. Every hand-off is a place where the response stalls. Industry data puts spreadsheet-questionnaire completion rates at 50–60%.
- No audit-ready output. When the auditor asks for the population of high-risk vendors and the evidence supporting their classification, the answer is a folder of PDFs and a spreadsheet, not a report. Translating that into an audit response is a person-week of work the team rarely has.
The deeper problem: spreadsheets capture data, but compliance frameworks ask for processes. SOC 2 CC9.2 requires that risks from vendors and business partners are assessed and managed, which in practice means a documented program with classification, monitoring, and remediation. ISO 27001:2022 Annex A 5.19 through 5.21 require risk assessment, contractual controls, and supply-chain management for supplier relationships. HIPAA 45 CFR 164.308 requires written business associate agreements and an ongoing risk analysis. None of these are satisfied by a spreadsheet; they are satisfied by evidence that a process ran.
What a defensible TPRM program looks like in 2026
A defensible vendor risk program — the kind that survives a SOC 2 Type II or ISO 27001 audit without follow-up findings — has six functions running:
- Risk-based pre-assessment. Vendors get classified before they are assessed. Classification uses contract value, data sensitivity, and operational criticality. Low-risk vendors get a 10-question screen; critical vendors get the full 78-question questionnaire.
- Standardized questionnaire. Same questions, same scoring, every vendor in the same risk tier. Mapped to the compliance frameworks the buyer actually carries.
- Multi-stakeholder routing. Security questions to the CISO. Privacy and data-handling to the DPO. Technical and architecture to engineering. Business continuity to operations. Routing is what drives completion rates from 50–60% on a single-recipient questionnaire to 85%+.
- Evidence validation. Every uploaded certificate, attestation, and policy is checked for authenticity, expiration, and scope coverage. Expired SOC 2 reports get flagged. Out-of-scope ISO 27001 certificates get flagged. Policies that don't include the products you actually buy get flagged.
- Audit-ready report generation. The output is a PDF with executive summary, risk classification, finding list, remediation roadmap, and an evidence appendix. The auditor reads it. The team doesn't write it.
- Continuous monitoring. Renewal-cycle reassessments, evidence-expiry tracking, and breach-notification triage when a vendor has a security incident.
A spreadsheet can theoretically do all six. In practice, no spreadsheet at any mid-market company does all six well. The cost of running them properly in Excel is one full-time hire — which is the same cost as licensing a purpose-built tool for the next eight years.
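The pre-assessment tiering and evidence-validation steps above are mechanical enough to show in code. The following is an added Python example written for this page, not ComplyRim's code or anyone's product logic; the tier weights, the 12-month SOC 2 staleness window, the trusted-issuer list, the record layouts and all vendor and report data are assumptions constructed for illustration.

```python
"""Vendor risk tiering plus evidence validation.

Added example, not ComplyRim code. Tier weights, the 12-month SOC 2
staleness window, the trusted-issuer list and the record layouts are
assumptions; the sample vendor and reports at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

SOC2_MAX_AGE = timedelta(days=365)   # assumption: stale once the period end is over 12 months old
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}


@dataclass
class Vendor:
    name: str
    annual_contract_value: float
    data_sensitivity: str                 # one of the SENSITIVITY keys
    operationally_critical: bool
    products_in_use: list[str] = field(default_factory=list)


@dataclass
class Evidence:
    kind: str                             # "SOC2_TYPE2" or "ISO27001"
    issuer: str                           # auditor or certification body named on the document
    scope: list[str]                      # services the document actually covers
    period_end: date | None = None        # SOC 2: last day of the examination period
    expires: date | None = None           # ISO 27001: certificate expiry date


def classify(v: Vendor) -> str:
    """Pre-assessment tier from contract value, data sensitivity and criticality (assumed weights)."""
    score = SENSITIVITY[v.data_sensitivity]
    score += 2 if v.annual_contract_value >= 100_000 else 1 if v.annual_contract_value >= 25_000 else 0
    score += 2 if v.operationally_critical else 0
    if v.data_sensitivity == "regulated" or score >= 5:
        return "critical"
    return "high" if score >= 3 else "low"


def questions_for(tier: str) -> int:
    """Questionnaire length: the 10-question screen for low risk, the full 78 otherwise."""
    return 10 if tier == "low" else 78


def validate_evidence(v: Vendor, ev: Evidence, as_of: date, trusted_issuers: set[str]) -> list[str]:
    """Issuer, currency and scope checks; an empty list means the evidence is usable."""
    findings: list[str] = []
    if ev.issuer not in trusted_issuers:
        findings.append(f"{ev.kind}: issuer '{ev.issuer}' is not on the recognised-firm list")
    if ev.kind == "SOC2_TYPE2":
        if ev.period_end is None:
            findings.append("SOC2_TYPE2: examination period end date missing")
        elif as_of - ev.period_end > SOC2_MAX_AGE:
            findings.append(f"SOC2_TYPE2: period ended {ev.period_end}, stale as of {as_of}; "
                            "request a current report or bridge letter")
    elif ev.kind == "ISO27001":
        if ev.expires is None or ev.expires < as_of:
            findings.append(f"ISO27001: certificate expired or undated (expires={ev.expires})")
    else:
        findings.append(f"{ev.kind}: unrecognised evidence type, manual review required")
    covered = {s.lower() for s in ev.scope}
    missing = [p for p in v.products_in_use if p.lower() not in covered]
    if missing:
        findings.append(f"{ev.kind}: out of scope for purchased products: {', '.join(missing)}")
    return findings


def assess(v: Vendor, evidence: list[Evidence], as_of: date, trusted_issuers: set[str]) -> dict:
    """Tier the vendor, size the questionnaire and flag unusable evidence for the assessor."""
    tier = classify(v)
    flagged = {}
    for i, ev in enumerate(evidence):
        problems = validate_evidence(v, ev, as_of, trusted_issuers)
        if problems:
            flagged[f"{ev.kind}#{i}"] = problems
    return {"vendor": v.name, "tier": tier, "questions": questions_for(tier), "flagged": flagged}


# ---- constructed sample data: no real vendors, auditors or reports ----
AS_OF = date(2026, 1, 15)
TRUSTED_ISSUERS = {"Example Audit LLP", "Example Certification Ltd"}
SAMPLE_VENDOR = Vendor("Acme Payroll", 120_000, "regulated", True, ["Payroll SaaS", "Payroll API"])
STALE_SOC2 = Evidence("SOC2_TYPE2", "Example Audit LLP", ["Payroll SaaS"], period_end=date(2024, 6, 30))
CURRENT_SOC2 = Evidence("SOC2_TYPE2", "Example Audit LLP", ["Payroll SaaS", "Payroll API"],
                        period_end=date(2025, 9, 30))
EXPIRED_ISO = Evidence("ISO27001", "Unknown Certs Inc", ["Payroll SaaS", "Payroll API"],
                       expires=date(2025, 12, 31))

if __name__ == "__main__":
    result = assess(SAMPLE_VENDOR, [STALE_SOC2, CURRENT_SOC2, EXPIRED_ISO], AS_OF, TRUSTED_ISSUERS)
    print(result["vendor"], result["tier"], result["questions"], "questions")
    for key, problems in result["flagged"].items():
        print(key, "->", "; ".join(problems))
```

Flagged evidence is returned to the assessor rather than dropped, which matches the "flag, don't silently file" behaviour the list asks for; the stale SOC 2 report still triggers a scope finding so the assessor sees every reason it is unusable in one place.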
ComplyRim Vendor Triage: how it works
ComplyRim Vendor Triage is an AWS-native third-party risk management product that runs the six functions above. Built on AWS serverless infrastructure (Lambda, API Gateway, DynamoDB, S3, EventBridge), it deploys via CloudFormation in under 30 minutes and is billed through AWS Marketplace on the customer's existing AWS contract.
The 78-question, 8-domain framework:
- Information security policy
- Access management
- Encryption and key management
- Network security
- Vulnerability management
- Incident response
- Business continuity
- Third-party / subprocessor risk
A new differentiator added in 2026: AI/ML ethics assessments. As enterprise customers add ISO 42001 (AI management) and EU AI Act compliance to their audit scope, vendor risk programs need to ask vendors how they govern AI models, how they handle training data, and what their model-monitoring and bias-testing processes look like. Vendor Triage's questionnaire covers this directly — most legacy TPRM tools do not.
Multi-stakeholder routing. When a questionnaire is sent, it is automatically segmented by domain. The vendor's CISO sees the security questions, the DPO sees privacy questions, engineering sees technical architecture questions. Each stakeholder gets a focused subset and a deadline. Completion rates run at 85%+ versus the 50–60% industry baseline for single-recipient questionnaires.
Evidence validation. Vendors upload certificates and attestations directly into the tool. The system checks expiration dates, validates signing authority, and matches scope to product. Expired or out-of-scope evidence gets flagged for the assessor to review, not silently filed.
Audit-ready PDF. Once the questionnaire is complete and evidence is validated, the report generates in minutes. Executive summary, risk classification, finding list, remediation roadmap, evidence appendix. Auditors read it. The team does not write it.
Pricing.
- Pay-as-you-go: $50 per assessment. Fits low-volume programs that would not use the 25 active assessments included in the Basic tier.
- Basic: $149 per month — up to 25 active vendor assessments, 3 user seats. Right for 100–250 employee companies with 25–50 vendors in scope.
- Standard: $399 per month — up to 100 active assessments, 10 seats. Right for 250–750 employee companies with growing vendor risk programs.
- Premium: $999 per month — unlimited assessments, unlimited seats. Right for fast-growing companies onboarding 50+ vendors per quarter.
A 14-day free trial is available on AWS Marketplace. AWS credits and committed spend apply.