Vendor Assessment Guide

Learn how to assess your vendors end-to-end using UpGuard Vendor Risk

Written by David Cook


Step 1 Monitor your new vendor

  • Starting in the Vendors tab, select monitor vendor, and search for your vendor by their organization name or domain name

    ⭐️ Tip: If there are no search results, you can still add your vendor with the blue attempt to scan button below

Step 2 Gather onboarding information

  • Use the vendor relationship questionnaire to gather information from the internal business owner

  • Questions can be easily customized to suit your initial vendor scoping process

    ⭐️ Tip: Create automation rules to automatically classify vendors based on the business owner's response

Step 3 Classify your vendor

Step 4 Review their risks

Step 5 Send a questionnaire

  • Choose a questionnaire template from our questionnaire library, such as ISO 27001, NIST CSF, and more

  • Send the questionnaire to your vendor to start your vendor due diligence process

    ⭐️ Tip: Set yourself as a recipient to experience the workflow from both sides

Step 6 Answer a questionnaire

  • Use the link in your email to answer the questionnaire, or navigate via the platform

  • Fill out the questionnaire and see how risks are automatically identified

  • Submit the questionnaire and then review the answers from Vendor Risk

Step 7 Add additional evidence

Step 8 Additional - Issue remediation requests

Step 9 Additional - Create risk waivers

Step 10 Complete a risk assessment

UpGuard offers two types of risk assessments to suit your needs:

    • Select and load any evidence you have for a vendor, then use AI to scan the evidence, identify risks and gaps, and determine compliance with controls
    • Review the vendor’s security profile to determine the level of compliance and identify any risks and gaps
    • If required, you can elect to seek further evidence from the vendor to address gaps or risks
    • Use AI to instantly generate a risk assessment report commentary based on your evidence and findings
    • Publish a point-in-time risk assessment report
  • Classic risk assessment: A complete vendor risk assessment framework to assess vendor risk
    • Start a risk assessment for your vendor, choosing the assessment scope and evidence sources
    • Review outstanding risks, remediation requests, or risk waivers
    • Add organizational context and commentary to the assessment
    • Export the risk assessment and share it with relevant stakeholders

🌟🧠 Tip! Now that you've mastered it, we recommend evaluating vendors with different scopes and relationships to your organization.

This will give you a better understanding of managing your entire vendor portfolio.