When working through your vendor management program if a vendor doesn’t have a preexisting audit such as a SOC or ISO27001 to review, you may need to perform your own audit on them. This spreadsheet will help get the basics from them and determine what kind of risks the vendor has that need to be considered.
Information Security Vendor Questionnaire