Vendor Reviews

I'm assuming that by "Vendor log" you mean the document or system you use to record and manage your vendors.

Considering that, to identify which vendors should be in your Vendor Log, and under periodic vendor review, you need to perform a risk assessment on your vendors, to identify if they can rise relevant risks that need treatment. Additionally, you need to evaluate the legal requirements you must comply with (e.g., laws, regulations and contracts), to identify if any of them has clauses defining specific vendors or conditions that will require vendors to be logged or reviewed periodically.

These articles can provide further information:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/