I thought the templates you have developed so far will work pretty well.
Only have two thoughts for you to consider:
In previous IT/Vendor Management training we were told that we could also classify our vendors as “regulated” and thus minimize the due diligence we were required to perform. The logic was that they are examined by regulators enforcing the GLBA. Credit bureaus, as well as other banks, would be in this category.
Also, I didn’t notice where annual expenditure was a factor in the due diligence process. You might want to factor that into the analysis (or consider establishing a $$ threshold).