The day a greenfield plant goes live, every vendor on site becomes part of your operational and risk surface — equipment OEMs, system integrators, maintenance contractors, logistics partners, and software providers. Onboard them loosely and you inherit safety incidents, cyber exposure through maintenance accounts, compliance gaps, and SLA disputes that all surface at the worst possible moment. A structured onboarding checklist turns that chaos into a repeatable gate every vendor must clear. This guide lays out a 75-point greenfield vendor onboarding checklist across seven domains, so no supplier reaches day one without being credentialed, compliant, and ready.
Standing up a vendor base for a new plant? Book a 30-minute greenfield onboarding consultation to map this checklist to your supplier list and your go-live date.
Why Vendor Onboarding Decides Your Go-Live
A greenfield plant can carry hundreds of vendors by day one, and each one is a path into your operations, your data, and your liability. The cyber picture alone is sobering: third parties are now involved in roughly 30% of all breaches, and a vendor's maintenance credentials are among the most common ways attackers reach plant control systems. Loose onboarding doesn't just create a security gap — it produces safety incidents from untrained contractors, compliance failures that stall audits, and SLA arguments that erupt mid-outage. That is why mature operators treat onboarding as a controlled gate, not paperwork. If you want that gate built around your specific vendor mix, you can walk through it with a greenfield specialist.
of breaches now involve a third party — roughly double earlier levels
of companies hit by at least one supply-chain breach within a year
average global cost of a data breach — and over $10M in the U.S.
The 75-Point Greenfield Vendor Onboarding Checklist
The checklist is organized into seven domains. Below are the highest-leverage checkpoints in each one, with the full count noted on every card. Run every vendor through the relevant domains and capture a sign-off before granting site access or system credentials.
1. Vendor Credentialing & Documentation
12 checkpoints- Business registration, tax ID and legal entity verified
- Financial stability and references checked
- Trade and professional licenses current
- Sanctions and watchlist screening cleared
- Signed master service agreement and scope of work
- Sub-contractor disclosure and document expiry tracking
2. Safety, EHS & Site Access
14 checkpoints- Site safety induction completed and recorded
- EHS training records and competencies verified
- Lockout/tagout and permit-to-work authorization
- Method statements and job safety analysis submitted
- PPE requirements confirmed and emergency procedures briefed
- Site badges, escort rules and incident reporting set up
3. Cybersecurity & OT/Data Access
11 checkpoints- Security questionnaire plus SOC 2 or ISO 27001 evidence
- Least-privilege access scoped to a segmented vendor VLAN
- MFA on all remote and maintenance accounts; no shared logins
- Secure remote access — no open RDP or always-on VPN
- Breach-notification and right-to-audit clauses agreed
- Patch/SBOM terms and automatic access expiry on offboarding
4. ESG & Sustainability
9 checkpoints- Supplier code of conduct signed
- Environmental permits and waste-handling commitments verified
- Scope 3 emissions data capability confirmed
- Modern-slavery and responsible-sourcing due diligence
- ESG reporting data feed aligned to your disclosure framework
5. Insurance & Liability
8 checkpoints- Certificate of insurance on file with limits verified
- General liability and workers' compensation coverage confirmed
- Professional / errors-and-omissions cover where relevant
- Additional-insured endorsement and indemnification agreed
- Cyber liability for system vendors; policy expiry tracked
6. SLA & Performance Terms
11 checkpoints- Response, resolution and uptime targets defined
- Spare-parts lead times and warranty terms set
- KPIs, scorecards and reporting cadence agreed
- Escalation path and named contacts documented
- Penalty/credit clauses and change-management process
- Exit and transition terms captured up front
7. Systems Integration & Go-Live Sign-Offs
10 checkpoints- Vendor and asset records created in the CMMS/ERP
- Master-data standards aligned — naming, tagging, hierarchy
- API/data-exchange tested and integration security reviewed
- PM schedules and manuals uploaded
- User acceptance test passed and plant team trained
- Go/no-go sign-off captured and day-1 support confirmed
Want the complete 75-point template mapped to your CMMS and supplier list? Book a greenfield onboarding workshop and we will tailor every domain to your plant.
Sequencing the Checklist: Your Pre-Go-Live Timeline
A checklist only works if it is sequenced against your startup calendar. Credentialing and access decisions take the longest to clear, so they belong early; integration and final sign-offs cluster near day one. This phased order keeps vendors moving without bottlenecking your go-live.
-
T-12 wk
Credentialing & documentation locked
Verify entities, licenses, sanctions screening, and master agreements. These take the longest to resolve, so start them first.
-
T-8 wk
Safety, EHS & cyber access scoped
Complete site inductions, training verification, and least-privilege access scoping on a segmented network before any system touch.
-
T-4 wk
ESG, insurance & SLA terms finalized
Confirm certificates of insurance, supplier code of conduct, KPIs, and escalation paths so commercial terms are settled before launch.
-
T-2 wk
Systems integration & acceptance testing
Load asset and vendor records, align master data, run API tests, and pass user acceptance testing with the plant team.
-
Day 0
Go-live: final go/no-go sign-off
Capture the formal sign-off, confirm day-1 support coverage, and switch every vendor to active monitoring from the first shift.
Tight on timeline? Book a 30-minute go-live readiness session to sequence your vendors against your startup date.
Turn This Checklist Into a Live Onboarding Workflow
iFactory centralizes vendor records, credentials, access scoping, SLAs, and sign-offs inside your CMMS — so onboarding is a tracked gate, not a stack of spreadsheets, from the first contractor to day-1 go-live.
Expert Perspective
The vendors that cause the most pain on day one are never the ones you scrutinized — they are the ones that slipped through with an expired insurance certificate, a shared maintenance login, or no recorded safety induction. A greenfield startup moves fast, and onboarding is where corners get cut under schedule pressure. The fix is not more paperwork; it is a single gated workflow where access, credentials, and sign-offs are tracked and cannot be skipped. Get that right and the checklist enforces itself.
— Greenfield Vendor Readiness Practice, iFactory Engineering Team
checkpoints every vendor should clear before site or system access
domains, from credentialing and safety to cyber and integration
the deadline — gaps left open surface as live-plant problems
The Bottom Line
Vendor onboarding is one of the few greenfield activities where a few hours of upfront discipline prevents weeks of downstream disruption. Work the 75 points across all seven domains, sequence them against your startup calendar, and capture a sign-off at every gate. When credentialing, safety, cyber, ESG, insurance, SLA, and integration are all verified before day one, your vendors arrive as assets rather than liabilities — and your go-live is defined by what runs, not by what you forgot to check.
Onboard Every Vendor Right, Before Day 1
From the full 75-point template to a CMMS-integrated onboarding gate that tracks credentials, access, and sign-offs, iFactory helps greenfield teams reach go-live with every vendor verified and ready.
Frequently Asked Questions
What is a greenfield vendor onboarding checklist?
It is a structured set of checkpoints every supplier and contractor must clear before working at a new plant. A complete checklist spans credentialing, safety, cybersecurity, ESG, insurance, SLA terms, and systems integration. Running every vendor through the same gate prevents the safety, compliance, and security gaps that typically surface during a rushed go-live.
Why are 75 checkpoints necessary — isn't that excessive?
A greenfield plant onboards many vendor types at once, and each carries distinct risk. The 75 points spread across seven domains so no category is skipped under deadline pressure. Smaller vendors only complete the domains that apply to them, so most clear far fewer than 75 while the framework still covers every angle that matters.
Which onboarding domain carries the highest risk?
Cybersecurity and safety are usually the sharpest. Vendor maintenance accounts are a leading path into plant control systems, with third parties now involved in roughly 30% of breaches, while untrained contractors drive site safety incidents. Both are best controlled with least-privilege access, verified training, and recorded sign-offs before anyone reaches the floor.
When should vendor onboarding start before go-live?
Begin credentialing about twelve weeks out, since entity checks, licenses, and master agreements take the longest. Safety and cyber access scoping follow around eight weeks, ESG, insurance, and SLA terms around four weeks, and systems integration with acceptance testing in the final weeks. Sequencing this way avoids a bottleneck right before launch.
How does iFactory help manage vendor onboarding?
iFactory turns the checklist into a tracked workflow inside your CMMS, holding vendor records, credentials, access scoping, SLAs, and go/no-go sign-offs in one place instead of scattered spreadsheets. That makes onboarding a gate that cannot be skipped. You can book a greenfield onboarding consultation to set it up for your plant.
