How to capture additional evidence

While we recommend that you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.

For example, you may send an UpGuard questionnaire to a large SaaS vendor only to be directed to a page on their website that proactively publishes complete security questionnaires, audit reports, and certificates. These documents can provide insights into the vendor's security posture and attack surface.

Our additional evidence feature allows you to capture and store this security or compliance-related documentation and any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of your risk assessment for a vendor.

Note: There is a maximum file size of 10 MB on each upload.

Capturing additional evidence

Step 1: Monitor the vendor

Before you can capture evidence, you need to be monitoring the vendor. If you aren't currently monitoring the vendor, you can learn how to monitor them here.

Step 2: Select the vendor

If you're already monitoring them, you can find the vendor by clicking on the "Vendors" section under Vendor Risk in the sidebar.

In the example below, I've chosen example.com as the vendor and clicked on "Additional Evidence".

Step 3: Upload a new document

To get started, you can either:

1. Click "Upload new document"; or

2. Drag a file into the upload box.

Step 4: Name additional evidence

It's time to:

1. Name the additional evidence: By default, it is the name of the uploaded document with the date appended to the end.

2. Choose a document type: Choose between a questionnaire, SOC 2 report, ISO 27001 certificate, audit report, or other.

3. Record any comments: If necessary, leave your comments on the document by clicking on the comments section.

4. Name the document you uploaded: By default, it is the file-name of the uploaded document and its extension

Step 5: Capture identified risks

Now that you've named, labeled, and commented on your document, it's time to add identified risks by clicking "Add risk".

From here, follow the steps to add a specific risk to the document. You can either choose to use a previously created risk type or create a new one. In the screenshot below, I've chosen one that was previously created.

To create a new risk type, click on the observation text box and type your risk and click create:

From here, you'll need to enter the impact/consequence of the risk as well as its severity. When you're done, click "Add Risk".

Repeat this step as necessary until you've added all identified risks.

Step 6: Choose to include or exclude identified risks

Toggle to the right if you want to include the identified risks in the vendor's risk profile.

If included the finding, severity, and impact are displayed in the vendor’s risk profile.

And you will be able to cite the information inside our risk assessment feature under supporting evidence.

Additional resources

• What is the Vendors section?

• What is included in a vendor's vulnerabilities?

• How to generate a vendor risk report

• What details can UpGuard Vendor Risk provide about a vendor?

• How to add a new vendor

• How to remove a vendor

• What is the difference between an instant report and a monitored vendor?

• How to complete a risk assessment