Selecting an enterprise software vendor or IT supplier is one of the most consequential decisions an IT director makes. The wrong choice locks the organisation in for 3–7 years, creates migration debt, and often means a formal tender process just to exit. The scorecard framework, PoC checklist, and RFP structure on this page give you an evidence-based, documented basis for the decision.
When to Run a Formal Vendor Evaluation
Formal evaluation is essential above £50k annual spend
For any technology investment above £50,000/year (or £150,000+ total contract value), a formal evaluation process gives the organisation a documented, defensible decision record, ensures competitive pricing, and reduces the risk of choosing the wrong platform on inadequate evidence. Run a formal evaluation when any of the following apply:
- You are replacing a core business system (ERP, CRM, HRIS, billing platform)
- The contract term is 3 years or more
- The investment exceeds £50,000/year in total cost of ownership
- The system will hold sensitive data (personal data, payment data, health data)
- More than 50 employees will use the system daily
- The decision is a public sector or regulated industry procurement (often legally required)
Requirements Gathering Template
```text
VENDOR EVALUATION — REQUIREMENTS SPECIFICATION
Project: [System Name e.g., New CRM Platform]
Prepared by: [Name, Role] | Date: [Date]

SECTION 1: MANDATORY REQUIREMENTS (Must-Have)
These are go/no-go criteria. A vendor not meeting all of these is disqualified.
MR-001: [Requirement description] — Verification method: [demo / documentation / reference]
MR-002: [Requirement description] — Verification method: [...]
MR-003: GDPR compliance / ICO registration — Docs: DPA, privacy policy, sub-processor list
MR-004: UK or EU data residency available — Must confirm in writing, including backups and sub-processors
MR-005: SOC 2 Type II report or ISO 27001 certificate — Must be in date, and the report's audit period / certificate's scope must cover the product and hosting you are buying
MR-006: SSO / SAML support (if required) — Technical demo required

SECTION 2: IMPORTANT REQUIREMENTS (Should-Have)
Scored 0–4 points each in the evaluation matrix.
IR-001: [Requirement]
IR-002: [Requirement]
IR-003: API / webhook support for [specific integration]
IR-004: Mobile responsive or native mobile app
IR-005: Multi-currency / multi-country support
IR-006: Custom reporting / dashboard builder

SECTION 3: DESIRABLE REQUIREMENTS (Nice-to-Have)
Scored 0–2 points each.
DR-001: [Requirement]
DR-002: [Requirement]
DR-003: AI-assisted features (describe specific need)

SECTION 4: NON-FUNCTIONAL REQUIREMENTS
Performance: 99.9% uptime SLA minimum (documented in contract)
Support: [24/7 / Business hours] support; maximum [X] hour response for critical issues
Security: Pen test results available on request; vulnerability / CVE response policy documented, with remediation timescales by severity
Scalability: Must support [X] concurrent users / [X] records without performance degradation
```
Evaluation Criteria & Scoring Matrix
| Category | Weight | Score 1–5 | How to Assess |
|---|---|---|---|
| Functional fit to requirements | 30% | 1=<50% reqs met; 5=95%+ reqs met | Structured demo against requirements list; vendor scores each MR/IR |
| Security & compliance posture | 20% | 1=no certs; 5=SOC2 T2 + ISO27001 + pen test results shared | Request: penetration test summary, security questionnaire (SIG Lite or CAIQ), DPA |
| Total cost of ownership (3yr) | 15% | 1=>50% over budget; 5=under budget with good value | Full TCO model: licences + implementation + training + support + migration + exit |
| Implementation & onboarding | 10% | 1=no methodology; 5=detailed plan, named PM, reference customers | Request recent case study in same industry; speak to 2 customer references of similar size |
| Support quality & SLAs | 10% | 1=email only, best endeavours; 5=24/7 named support, contractual SLAs | Review SLA schedule in contract; check G2/Trustpilot/Gartner Peer Insights for support reviews |
| Vendor viability & roadmap | 10% | 1=pre-revenue startup, opaque roadmap; 5=established, public roadmap, strong backers | Check Companies House or LinkedIn, funding rounds, product changelog, ask explicitly about roadmap |
| Ease of exit / data portability | 5% | 1=data locked in, no export; 5=full API access, standard export formats, no exit fee | Contract clause: data export in standard formats within 30 days; no ransom pricing on own data |
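The requirements template and the scoring matrix together define a small algorithm: mandatory requirements are go/no-go, important (0–4) and desirable (0–2) points roll up into the 1–5 functional-fit score, and the seven category weights produce the final ranking. The script below is an added worked example (not part of the original page or anyone's procurement tooling) that applies those rules. The 70% and 85% cut-offs for functional-fit scores 3 and 4 are an assumption, since the matrix only fixes the endpoints (1 = <50% met, 5 = 95%+ met); the three sample vendors are constructed.

```python
"""Weighted vendor scorecard: go/no-go on mandatory requirements, then the
category weights from the scoring matrix. All vendor data below is constructed."""
from dataclasses import dataclass

# Category weights in percent, as in the scoring matrix (must total 100).
WEIGHTS_PCT = {
    "functional_fit": 30,
    "security_compliance": 20,
    "tco_3yr": 15,
    "implementation": 10,
    "support_slas": 10,
    "vendor_viability": 10,
    "exit_portability": 5,
}

# Points available per requirement class, from the requirements template.
MAX_POINTS = {"IR": 4, "DR": 2}


@dataclass
class VendorAssessment:
    name: str
    mandatory: dict          # "MR-001" -> True if met (go/no-go)
    important: dict          # "IR-001" -> 0..4
    desirable: dict          # "DR-001" -> 0..2
    category_scores: dict    # the six non-functional categories, each 1..5


def validate_weights(weights=WEIGHTS_PCT):
    """Weights must total exactly 100%."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights total {total}%, expected 100%")
    return True


def unmet_mandatory(a):
    """Mandatory requirements the vendor failed; any entry disqualifies."""
    return sorted(mr for mr, met in a.mandatory.items() if not met)


def requirement_coverage(a):
    """Fraction of available IR (0-4) and DR (0-2) points actually earned."""
    earned = available = 0
    for cls, scores in (("IR", a.important), ("DR", a.desirable)):
        for req, pts in scores.items():
            if not 0 <= pts <= MAX_POINTS[cls]:
                raise ValueError(f"{req}: score {pts} outside 0..{MAX_POINTS[cls]}")
            earned += pts
            available += MAX_POINTS[cls]
    return earned / available if available else 0.0


def functional_fit_score(coverage):
    """Map coverage to the matrix's 1-5 band: 1 = <50% met, 5 = 95%+ met.
    The 70% and 85% cut-offs for 3 and 4 are an assumption (not from the page)."""
    if coverage >= 0.95:
        return 5
    if coverage >= 0.85:
        return 4
    if coverage >= 0.70:
        return 3
    if coverage >= 0.50:
        return 2
    return 1


def weighted_total(a):
    """Weighted score 1.00-5.00, or None when any mandatory requirement is unmet."""
    if unmet_mandatory(a):
        return None
    scores = dict(a.category_scores)
    scores["functional_fit"] = functional_fit_score(requirement_coverage(a))
    missing = set(WEIGHTS_PCT) - set(scores)
    if missing:
        raise ValueError(f"no score for categories: {sorted(missing)}")
    for cat, s in scores.items():
        if not 1 <= s <= 5:
            raise ValueError(f"{cat}: score {s} outside 1..5")
    # Integer arithmetic in percent avoids float drift; divide once at the end.
    return sum(WEIGHTS_PCT[c] * scores[c] for c in WEIGHTS_PCT) / 100


def rank_vendors(assessments):
    """Qualified vendors by descending score; disqualified ones listed last."""
    validate_weights()
    scored = [(a.name, weighted_total(a), unmet_mandatory(a)) for a in assessments]
    qualified = sorted((s for s in scored if s[1] is not None), key=lambda s: -s[1])
    return qualified + [s for s in scored if s[1] is None]


# Constructed sample: three hypothetical vendors against the template's six MRs.
MRS = ["MR-001", "MR-002", "MR-003", "MR-004", "MR-005", "MR-006"]
IRS = ["IR-001", "IR-002", "IR-003", "IR-004", "IR-005", "IR-006"]
DRS = ["DR-001", "DR-002", "DR-003"]

SAMPLE_VENDORS = [
    VendorAssessment("Vendor A", {mr: True for mr in MRS},
                     dict(zip(IRS, [4, 4, 3, 4, 2, 4])), dict(zip(DRS, [2, 1, 2])),
                     {"security_compliance": 5, "tco_3yr": 3, "implementation": 4,
                      "support_slas": 4, "vendor_viability": 4, "exit_portability": 3}),
    # Best functional fit, but weak security posture and locked-in exit terms.
    VendorAssessment("Vendor B", {mr: True for mr in MRS},
                     {ir: 4 for ir in IRS}, {dr: 2 for dr in DRS},
                     {"security_compliance": 2, "tco_3yr": 2, "implementation": 3,
                      "support_slas": 3, "vendor_viability": 2, "exit_portability": 1}),
    # No UK/EU data residency: fails MR-004, so its other scores never count.
    VendorAssessment("Vendor C", {**{mr: True for mr in MRS}, "MR-004": False},
                     {ir: 4 for ir in IRS}, {dr: 2 for dr in DRS},
                     {"security_compliance": 5, "tco_3yr": 5, "implementation": 5,
                      "support_slas": 5, "vendor_viability": 5, "exit_portability": 5}),
]

if __name__ == "__main__":
    for name, score, unmet in rank_vendors(SAMPLE_VENDORS):
        status = f"{score:.2f}" if score is not None else "disqualified: " + ", ".join(unmet)
        print(f"{name:10} {status}")
```

Running it ranks Vendor A (4.00) above Vendor B (3.05) even though B meets every functional requirement, because the 20% security weight and the exit-portability score pull B down; Vendor C is never scored at all because a single unmet mandatory requirement disqualifies it before the weighted arithmetic runs. Keep the weights in the sheet that evaluators sign off, and treat a failed `validate_weights()` as a process error rather than something to patch in the spreadsheet.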