Vendor Assessment Guide

Learn how to assess your vendors end-to-end using UpGuard Vendor Risk

Written by David Cook

Step 1 Monitor your new vendor

• Starting in the Vendors tab, select monitor vendor, and search for your vendor by their organisation name or domain name

  ⭐️ Tip: If there are no search results, you can still add your vendor with the blue attempt to scan button below

Step 2 Gather onboarding information

• Use the vendor relationship questionnaire to gather information from the internal business owner

• Questions can be easily customized to suit your initial vendor scoping process

  ⭐️ Tip: Create automation rules to automatically classify vendors based on the business owner's response

Step 3 Classify your vendor

• Add classification information about your vendor using tiers, portfolios, labels, and custom attribute

• These classifications can be used to describe the criticality of the vendor, the types of data they hold, and more

Step 4 Review their risks

• Determine acceptable risks for the vendor in the context of the services they provide you

Step 5 Send a questionnaire

• Choose a questionnaire template from our questionnaire library, such as ISO 27001, NIST CSF, and more

• Send the questionnaire to your vendor to start your vendor due diligence process

  ⭐️ Tip: Set yourself as a recipient to experience the workflow from both sides

Step 6 Answer a questionnaire

• Use the link in your email to answer the questionnaire, or navigate via the platform

• Fill out the questionnaire and see how risks are automatically identified

• Submit the questionnaire and then review the answers from Vendor Risk

Step 7 Add additional evidence

• Capture external compliance or security-related information about your vendor

• Manually identify and include risks from your vendor in their Risk Profile

  ⭐️ Tip: You can request additional evidence from your vendors directly through UpGuard

Step 8 Additional - Issue remediation requests

• Use remediation workflows to engage the vendor on specific risks

Step 9 Additional - Create risk waivers

• Create a risk waiver for any risks with valid compensating controls

Step 10 Complete a risk assessment

• Start a risk assessment for your vendor, choosing assessment scope and evidence sources

• Review outstanding risks, remediation requests, or risk waivers

• Add organizational context and commentary to the assessment

• Export the risk assessment and share it with relevant stakeholders

🌟🧠 Tip! Now that you've mastered it, we recommend evaluating vendors with different scopes and relationships to your organization.

This will give you a better understanding of managing your entire vendor portfolio.