Cybersecurity Vendor Contract Audit: Essential Clauses Checklist

Cybersecurity risk does not start with technology. It starts with contracts. Many operators assume that engaging a specialist vendor transfers risk. In reality, weak contractual terms often do the opposite, locking operators into exposure they cannot see or control.

This checklist is designed to help operators assess whether their cybersecurity vendor contracts actually protect them. It focuses on the clauses that matter when something goes wrong: access control, data protection, incident response, audit rights, liability, and termination.

The framework is grounded in internationally recognised security standards, including ISO 27001 and the NIST Cybersecurity Framework, but it is written for commercial and operational use rather than technical teams alone. It can be applied across jurisdictions and scaled depending on vendor risk level.

The checklist is intended for use before signing, during contract renewal, and as part of ongoing vendor risk management. It helps surface gaps early, prioritise negotiation points, and avoid the false comfort of security language that does not stand up under pressure.