Operations pillar · v0.16.0
vendor-risk-assessment VendorRiskAssessment
Vendor risk-assessment record.
$id · https://corpospec.com/schemas/v0.16.0/vendor-risk-assessment.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| assessed_at | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| assessed_by | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| confidentiality | Confidentiality | yes | Cross-cutting confidentiality classification used across privacy, security, knowledge, IR pillars. Default rendering rule: `corpospec-report` excludes `Restricted \| BoardOnly \| InvestorOnly` records from public output unless an explicit audience parameter overrides. See BDR 0076 §1. |
| dimensions_assessed | AssessmentDimension[] | yes | |
| due_for_next_assessment | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| findings | AssessmentFinding[] | yes | |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| outcome | AssessmentOutcome | yes | Assessment outcome. |
| status | AssessmentStatus | yes | Lifecycle. |
| tier | VendorRiskTier | yes | Risk tier. |
| vendor | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| ddq_ref | PathRef? | — | PathRef to the DDQ artefact + vendor's responses. |
| evidence_refs | PathRef[] | — | PathRefs to evidence artefacts (SOC 2 reports, ISO certificates). |
Definitions
Shared types referenced within this schema.
AssessmentDimension
Assessment scope dimension.
AssessmentFinding
One assessment finding.
type: object
AssessmentOutcome
Assessment outcome.
AssessmentStatus
Lifecycle.
Confidentiality
Cross-cutting confidentiality classification used across privacy,
security, knowledge, IR pillars. Default rendering rule: `corpospec-report`
excludes `Restricted | BoardOnly | InvestorOnly` records from public output
unless an explicit audience parameter overrides. See BDR 0076 §1.
FindingSeverity
Finding severity.
enum: "observation", "low", "medium", "high", "critical"
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
PathRef
Path-based cross-reference relative to .corpospec/ root.
Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
VendorRiskTier
Risk tier.
enum: "low", "material", "critical"
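The PathRef pattern allows `.` in every segment after the first, so a ref containing `.` or `..` segments still passes schema validation. The following is an added example, not part of CorpoSpec or its tooling: it applies the published pattern to the PathRef fields of a record and also flags dot segments before a ref is joined to the `.corpospec/` root. The function names and the sample record are constructed for illustration.

```python
import re

# PathRef pattern copied from the schema above.
PATHREF = re.compile(r"^[a-z0-9_-]+(/[a-z0-9_.-]+)+$")

# PathRef-typed fields of a VendorRiskAssessment, from the Fields table.
SINGLE_REFS = ("id", "vendor", "assessed_by", "ddq_ref")
LIST_REFS = ("evidence_refs",)


def check_pathref(ref):
    """Return a list of problems for one PathRef; empty means acceptable."""
    if not isinstance(ref, str):
        return ["not a string"]
    # fullmatch: with match(), Python's `$` would also accept a trailing newline.
    if not PATHREF.fullmatch(ref):
        return ["does not match the PathRef pattern"]
    # The pattern allows '.' in later segments, so '.' and '..' pass it.
    return [f"dot segment {seg!r}" for seg in ref.split("/")[1:]
            if seg in (".", "..")]


def pathref_problems(record):
    """Map 'field' or 'field[i]' to problems for every PathRef in a record."""
    found = {}
    for field in SINGLE_REFS:
        if record.get(field) is not None:  # absent fields are left to the schema validator
            found[field] = check_pathref(record[field])
    for field in LIST_REFS:
        for i, ref in enumerate(record.get(field) or []):
            found[f"{field}[{i}]"] = check_pathref(ref)
    return {k: v for k, v in found.items() if v}


# Constructed sample record (PathRef fields only; all values are made up).
SAMPLE = {
    "id": "vendors/acme/assessment-2024",
    "vendor": "vendors/acme",
    "assessed_by": "people/j.doe",
    "ddq_ref": "vendors/../../outside-root",  # matches the pattern, climbs above the root
    "evidence_refs": ["evidence/soc2.pdf", "evidence/./iso27001.pdf"],
}

if __name__ == "__main__":
    for where, problems in pathref_problems(SAMPLE).items():
        print(where, "->", "; ".join(problems))
```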
Reference in your YAML
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.16.0/vendor-risk-assessment.schema.json