Additional Evidence
      Back to home
      1. UpGuard Knowledge Base
      2. UpGuard Vendor Risk
      3. Additional Evidence

      What is the additional evidence page?

      Learn about the additional evidence section which allows you to capture and review documents links to help you assess your vendors.

      While our automated scanning and UpGuard's security questionnaires are key tools for assessing your vendors, existing documentation and information publicly available on a vendor's website can often provide a lot of useful information to help you assess your vendors.

      The additional evidence page helps you to capture, store and review both security or compliance-related documentation, and links to publicly available security information.

      Using additional evidence documents as part of your vendor risk assessment can help make them more comprehensive and efficient.

      Additional evidence: security and compliance documentation

      Organizations that have undergone an audit or security review may have existing certificates, audit reports, questionnaires or other documentation that demonstrate a level of compliance, and/or provide significant detail about their security policies and procedures. These documents can provide insights into the vendor's security posture and attack surface, and can support (or in some cases may even alleviate) the need for sending a security questionnaire.

      Some suggestions for useful documentation to include as additional evidence are: SOC 1 or SOC 2 reports, ISO 27001 certificates, audit reports, penetration test results, or breach or incident disclosure details.

      You can capture and store this security or compliance-related documentation in UpGuard and add any identified risks.

      To learn more about how to use this feature see How to capture additional evidence.

      Additional evidence: trust, privacy and security pages

      Many organizations have detailed trust, privacy and security pages on their websites, including details of their security procedures, policies and certifications and links to key reports and certificates. These provide useful information to help you assess and understand the risk and maturity level of an organization.

      UpGuard stores trust and security pages against each organization, to make it easier to source, access and review this information when performing vendor risk assessments.

      To learn more about this feature go to How to use trust and security pages in UpGuard.