Learn how to assess your vendors end-to-end using UpGuard Vendor Risk
Written by David Cook
Step 1 Monitor your new vendor
-
Starting in the Vendors tab, select monitor vendor, and search for your vendor by their organization name or domain name
⭐️ Tip: If there are no search results, you can still add your vendor with the blue attempt to scan button below
Step 2 Gather onboarding information
-
Use the vendor relationship questionnaire to gather information from the internal business owner
-
Questions can be easily customized to suit your initial vendor scoping process
⭐️ Tip: Create automation rules to automatically classify vendors based on the business owner's response
Step 3 Classify your vendor
-
Add classification information about your vendor using tiers, portfolios, labels, and custom attribute
-
These classifications can be used to describe the criticality of the vendor, the types of data they hold, and more
Step 4 Review their risks
-
Determine acceptable risks for the vendor in the context of the services they provide you
Step 5 Send a questionnaire
-
Choose a questionnaire template from our questionnaire library, such as ISO 27001, NIST CSF, and more
-
Send the questionnaire to your vendor to start your vendor due diligence process
⭐️ Tip: Set yourself as a recipient to experience the workflow from both sides
Step 6 Answer a questionnaire
-
Use the link in your email to answer the questionnaire, or navigate via the platform
-
Fill out the questionnaire and see how risks are automatically identified
-
Submit the questionnaire and then review the answers from Vendor Risk
Step 7 Add additional evidence
-
Capture external compliance or security-related information about your vendor
-
Manually identify and include risks from your vendor in their Risk Profile
⭐️ Tip: You can request additional evidence from your vendors directly through UpGuard
Step 8 Additional - Issue remediation requests
-
Use remediation workflows to engage the vendor on specific risks
Step 9 Additional - Create risk waivers
-
Create a risk waiver for any risks with valid compensating controls
Step 10 Complete a risk assessment
UpGuard offers two types of risk assessments to suit your needs:
- ⭐️ AI-powered Security Profiles and Instant Risk Assessments: a faster, smarter, and more efficient way to assess vendor risk
-
- Select and load any evidence you have for a vendor, and use AI to scan evidence and identify risks and gaps, and determine compliance with controls
- Review the vendor’s security profile to determine the level of compliance and identify any risks and gaps
- If required, you can elect to seek further evidence from the vendor to address gaps or risks.
- Use AI to instantly generate a risk assessment report commentary based on your evidence and findings
- Publish a point-in-time risk assessment report
- Classic risk assessment: A complete vendor risk assessment framework to assess vendor risk
-
- Start a risk assessment for your vendor, choosing the assessment scope and evidence sources
- Review outstanding risks, remediation requests, or risk waivers
- Add organizational context and commentary to the assessment
- Export the risk assessment and share it with relevant stakeholders
🌟🧠 Tip! Now that you've mastered it, we recommend evaluating vendors with different scopes and relationships to your organization.
This will give you a better understanding of managing your entire vendor portfolio.