Channel: Bountied questions - Information Security Stack Exchange

Evaluating security controls of smaller vendors


In the IT Security team where I work, we currently use the Standardized Information Gathering (SIG) tool to evaluate the IT security posture of prospective third-party vendors. What I like about the SIG is that the questions are standardized and, depending on the responses, only relevant follow-up questions are asked.

At very small vendors, though, that may not have a dedicated IT or IT security function, a lot of the SIG questions may not apply. Currently, we are evaluating a smaller vendor providing a niche service, and we are not comfortable giving due-diligence sign-off because of the very limited responses on the SIG questionnaire the vendor completed. A lot of the controls and best practices on the SIG simply are not applicable given the vendor's size. Furthermore, the vendor will have remote access to our company infrastructure.

Question: what alternative approaches are viable for risk assessment of very small vendors, where the market is also small and competitors are of approximately the same size, so switching vendors is not feasible?

