Standard
Vendor Inventory
The Vendor Inventory standard explains how an organization can document the vendors, services, tools, subscriptions, providers, and outside relationships it depends on.
Small organizations often use many outside services without keeping a clear list of them. A website may depend on a domain registrar, hosting provider, DNS service, email provider, payment processor, analytics tool, design tool, accounting platform, password manager, and several professional contacts. Over time, those services can become scattered across inboxes, cards, personal accounts, spreadsheets, and memory.
A vendor inventory helps make those dependencies visible.
Purpose
The purpose of a vendor inventory is to help an organization understand:
- which outside services exist
- what each service is used for
- who owns or maintains the relationship
- how important the service is
- where billing or renewal information is tracked
- which internal records or accounts connect to the service
- when the service should be reviewed
- what should happen if the service fails, changes, renews, or is no longer needed
The inventory does not need to be complex. It should make the organization easier to understand.
Core principle
The core principle is:
Keep a clear list of the outside services your organization depends on, why they matter, and who is responsible for them.
A vendor inventory should be practical enough to maintain. If the record becomes too complicated, it is less likely to stay current.
What counts as a vendor or service
For this standard, a vendor or service can include any outside provider, tool, subscription, platform, contractor, or professional relationship that supports the organization.
Examples include:
- domain registrars
- website hosting providers
- DNS providers
- email providers
- payment processors
- accounting or bookkeeping software
- accountants
- attorneys
- insurance providers
- cloud storage providers
- password managers
- design tools
- marketing tools
- customer support tools
- analytics tools
- contractors
- freelancers
- payroll services
- business banking providers
- software subscriptions
- physical service providers
- fulfillment or logistics providers
- industry-specific platforms
The inventory should focus on services that matter to operations, continuity, billing, access, communication, or decision-making.
What a vendor inventory is
A vendor inventory is:
- a list of important outside services
- a dependency map
- a billing and renewal awareness tool
- a responsibility record
- a continuity support record
- a review routine starting point
- a way to reduce confusion during handoffs
It helps answer basic questions such as:
- What services do we use?
- Why do we use them?
- Who owns this relationship?
- How do we contact the vendor?
- When does it renew?
- What happens if it stops working?
- Is it still needed?
- Where is access managed?
What a vendor inventory is not
A vendor inventory is not:
- a contract database by itself
- a legal review system
- a vendor risk management program
- a procurement system
- a compliance program
- an insurance review
- a cybersecurity assessment
- a guarantee that vendor risk has been addressed
Some organizations may need formal vendor risk reviews, contract reviews, security reviews, or compliance processes. This standard does not replace those activities.
Recommended fields
A basic vendor inventory may include the following fields.
Vendor or service name
Record the name of the vendor, provider, service, platform, tool, or contractor.
Examples:
- Cloudflare
- Google Workspace
- Stripe
- Paddle
- QuickBooks
- Dropbox
- Domain registrar
- Local accountant
- Insurance broker
- Website contractor
Use the name people commonly recognize.
Category
Record the type of service.
Examples:
- Domain
- Hosting
- Payments
- Accounting
- Legal
- Insurance
- Storage
- Security
- Marketing
- Operations
- Contractor
- Professional service
- Banking
- Communications
Categories help make the inventory easier to scan.
Purpose
Describe why the organization uses the vendor or service.
Examples:
- Hosts the public website.
- Manages the primary domain name.
- Processes customer payments.
- Stores shared documents.
- Provides bookkeeping support.
- Provides general liability insurance.
- Sends customer email updates.
- Maintains design files.
The purpose should be specific enough to help someone understand the service without needing to ask the original owner.
Importance level
Record how important the service is to the organization.
A simple scale may be enough:
- Critical
- Important
- Useful
- Optional
- Unknown
Critical services may include services that affect revenue, customer access, public website availability, legal notices, email, banking, payroll, or core operations.
Responsible owner
Record who owns or maintains the vendor relationship.
This may be:
- a person
- a role
- a team
- an outside professional
- a board officer
- a department
- a founder
Examples:
- Founder
- Operations lead
- Finance owner
- Website maintainer
- Accountant
- Board treasurer
Where possible, use both role and current person.
Contact path
Record how the vendor is contacted.
Examples:
- support portal
- account dashboard
- support email
- account representative
- phone number
- professional contact
- ticketing system
- customer success manager
Do not store sensitive account recovery information here. Use access references for access-related details.
Account owner or billing owner
Record who receives invoices, renewal notices, receipts, or billing notifications.
Examples:
- finance@organization.org
- founder email
- accounting firm
- operations lead
- treasurer
This is especially useful when vendor emails go to one person’s inbox.
Renewal or billing cycle
Record the billing or renewal pattern.
Examples:
- Monthly
- Annual
- Quarterly
- Usage-based
- One-time
- Contract-based
- Unknown
If the service renews annually, record the renewal month or date if known.
Approximate cost
Record a general cost note if useful.
Examples:
- $12/month
- $240/year
- usage-based
- included in another service
- varies by usage
- unknown
This does not need to be exact accounting. The goal is awareness.
Payment method reference
Record where payment information is managed without exposing payment card details.
Examples:
- Business card ending reference only if appropriate
- Managed through accounting platform
- Paid by invoice
- Paid through bank transfer
- Managed by finance owner
- Included in parent subscription
Do not record full card numbers, bank login information, or sensitive payment credentials.
Related access reference
If the service has an account or admin login, link or refer to the access reference.
Examples:
- Access reference: “Primary Domain Registrar”
- Access reference: “Payment Processor Admin”
- Access reference: “Email Workspace Admin”
- Not applicable
- Managed by external provider
This helps separate vendor awareness from credential storage.
Related records
Record other internal documentation connected to the vendor.
Examples:
- contract location
- invoice folder
- insurance certificate folder
- continuity notes
- incident history
- onboarding notes
- account ownership record
Use safe references. Do not store sensitive documents directly in the vendor inventory unless the inventory system is approved for that purpose.
Status
Record whether the vendor is active.
Examples:
- Active
- Trial
- Pending review
- Replacing
- Cancelled
- Archived
- Unknown
Archived vendors may still matter if old records, invoices, or account history need to be retained.
Last reviewed date
Record when the vendor record was last checked.
Review frequency
Record how often the vendor should be reviewed.
Examples:
- Monthly
- Quarterly
- Twice per year
- Annually
- Before renewal
- After incidents
- When ownership changes
Notes
Use notes for neutral context.
Examples:
- Renewal notice usually arrives in March.
- Service supports the public website.
- Consider reviewing before annual renewal.
- Used only for legacy records.
- Vendor support requires account owner verification.
Do not use notes for passwords, API keys, payment details, confidential contracts, or sensitive incident evidence.
Minimum recommended vendor record
A small organization can begin with a simple vendor record.
| Field | Description |
|---|---|
| Vendor/service | Name of the vendor, platform, tool, or provider |
| Category | Type of service |
| Purpose | Why the organization uses it |
| Importance | Critical, important, useful, optional, or unknown |
| Owner | Person or role responsible |
| Billing/renewal | Monthly, annual, usage-based, or unknown |
| Access reference | Where access is documented safely |
| Last reviewed | Date last checked |
This minimum version is enough to create visibility.
Examples
Example: Website hosting
| Field | Example |
|---|---|
| Vendor/service | Website hosting provider |
| Category | Hosting |
| Purpose | Hosts the public website |
| Importance | Critical |
| Responsible owner | Website maintainer |
| Contact path | Support portal |
| Billing cycle | Monthly |
| Approximate cost | $20/month |
| Access reference | “Website Hosting Admin” |
| Status | Active |
| Last reviewed | 2026-07-08 |
| Review frequency | Quarterly |
Example: Domain registrar
| Field | Example |
|---|---|
| Vendor/service | Domain registrar |
| Category | Domain |
| Purpose | Manages primary domain name |
| Importance | Critical |
| Responsible owner | Founder |
| Contact path | Account dashboard |
| Billing cycle | Annual |
| Approximate cost | Varies by domain |
| Access reference | “Primary Domain Registrar” |
| Status | Active |
| Last reviewed | 2026-07-08 |
| Review frequency | Quarterly |
Example: Accountant
| Field | Example |
|---|---|
| Vendor/service | Accounting firm |
| Category | Professional service |
| Purpose | Supports bookkeeping and tax preparation |
| Importance | Important |
| Responsible owner | Finance owner |
| Contact path | Professional email |
| Billing cycle | Monthly or project-based |
| Approximate cost | Contract-based |
| Access reference | Not applicable |
| Status | Active |
| Last reviewed | 2026-07-08 |
| Review frequency | Annually |
Example: Payment processor
| Field | Example |
|---|---|
| Vendor/service | Payment processor |
| Category | Payments |
| Purpose | Processes customer payments and receipts |
| Importance | Critical |
| Responsible owner | Finance owner |
| Contact path | Support portal |
| Billing cycle | Transaction-based |
| Approximate cost | Varies by transaction volume |
| Access reference | “Payment Processor Admin” |
| Status | Active |
| Last reviewed | 2026-07-08 |
| Review frequency | Quarterly |
Vendor importance levels
A simple importance scale helps prioritize review.
Critical
A critical vendor is essential to operations, revenue, legal obligations, customer access, communications, or continuity.
Examples:
- payment processor
- domain registrar
- website hosting
- email provider
- payroll provider
- banking platform
- core operating software
Critical vendors should usually have clear ownership, access references, billing awareness, and continuity notes.
Important
An important vendor supports meaningful operations but may not stop the organization immediately if unavailable.
Examples:
- accounting software
- design tools
- analytics tools
- customer support tools
- insurance broker
- professional advisors
Important vendors should still be reviewed periodically.
Useful
A useful vendor helps the organization but is not essential.
Examples:
- optional marketing tool
- design subscription
- research tool
- experimental software
- non-critical productivity tool
Useful vendors are good candidates for periodic cleanup.
Optional
An optional vendor may not be needed long term.
Examples:
- trial software
- unused subscription
- old platform
- temporary contractor tool
Optional vendors should be reviewed before renewal.
Unknown
Unknown means no one is sure how important the vendor is.
Unknown should not stay unknown forever. It is a signal to review the service.
Review triggers
A vendor inventory should be reviewed when:
- a new service is added
- a service is cancelled
- a vendor changes pricing
- a vendor renews annually
- the responsible owner changes
- billing ownership changes
- an incident involves the vendor
- the vendor becomes critical to operations
- the organization changes its website, payment, email, or accounting systems
- a quarterly or annual review date arrives
Relationship to access references
Vendor records and access references should work together.
The vendor inventory records:
- what the service is
- why it matters
- who owns the relationship
- how billing or renewal works
- whether it is active
The access reference records:
- where access is managed
- who owns admin access
- whether MFA is enabled
- how recovery ownership is handled
- where credentials are securely stored
Do not duplicate passwords or secrets in either record.
Relationship to continuity notes
Vendor inventories are important for continuity.
If a key person becomes unavailable, the organization may need to know:
- which vendors are critical
- which services renew soon
- which accounts support the website, email, payments, or records
- who can contact the vendor
- where access is safely referenced
- where billing notices are sent
A basic vendor inventory can make the first hour of a disruption less confusing.
Relationship to incident timeline notes
Vendor records are also useful during incidents.
If a service outage, billing issue, account lockout, domain problem, payment disruption, or vendor mistake occurs, the vendor inventory can help identify:
- who owns the relationship
- how to contact support
- what related services may be affected
- where access is managed
- what needs follow-up after the incident
Incident timeline notes should record what happened. The vendor inventory should help explain what system or service was involved.
Common mistakes
Mistake 1: Only tracking paid subscriptions
Some important services may be free, included, donated, trial-based, or managed by someone else. They may still be operationally important.
Mistake 2: Not recording the owner
A list of vendors is less useful if no one knows who is responsible for each one.
Mistake 3: Confusing vendor records with passwords
Vendor records should not contain passwords, API keys, MFA recovery codes, or payment card details.
Mistake 4: Ignoring renewal dates
Many problems come from forgotten renewals, expired cards, old billing emails, or abandoned subscriptions.
Mistake 5: Keeping cancelled vendors mixed with active vendors
Cancelled or archived vendors can still matter, but they should be clearly marked.
Mistake 6: Overbuilding the inventory
A vendor inventory should be useful, not exhausting. Start with critical services and expand gradually.
Suggested adoption path
A practical adoption path is:
- List the organization’s most important services.
- Mark each service as critical, important, useful, optional, or unknown.
- Add a responsible owner for each service.
- Add billing or renewal awareness.
- Add access-reference links for services with accounts.
- Review unknown and optional services.
- Set a review routine.
This approach helps the organization create value quickly.
Public standard status
This standard is an early public draft.
It may be revised as examples, templates, feedback, and implementation notes improve.
Related templates
Related templates may include:
- Vendor and Service Inventory
- Access Reference Register
- Responsibility Record
- Continuity Notes
- Documentation Review Log
Related standards
Related standards include:
- Documentation Framework
- Access References
- Responsibility Records
- Continuity Notes
- Incident Timeline
- Review Routines