Vendor Assessment Guide
Learn how to assess your vendors end-to-end using UpGuard Vendor Risk
Written by David Cook
Step 1 Monitor your new vendor
- Starting in the Vendors tab, select monitor vendor, and search for your vendor by their organization name or domain name
⭐️ Tip: If there are no search results, you can still add your vendor with the blue attempt to scan button below
 
Step 2 Gather onboarding information
- Use the vendor relationship questionnaire to gather information from the internal business owner
- Questions can be easily customized to suit your initial vendor scoping process
⭐️ Tip: Create automation rules to automatically classify vendors based on the business owner's response
 
Step 3 Classify your vendor
- Add classification information about your vendor using tiers, portfolios, labels, and custom attributes
- These classifications can be used to describe the criticality of the vendor, the types of data they hold, and more
 
Step 4 Review their risks
- Determine acceptable risks for the vendor in the context of the services they provide you
 
Step 5 Send a questionnaire
- Choose a questionnaire template from our questionnaire library, such as ISO 27001, NIST CSF, and more
- Send the questionnaire to your vendor to start your vendor due diligence process
⭐️ Tip: Set yourself as a recipient to experience the workflow from both sides
 
Step 6 Answer a questionnaire
- Use the link in your email to answer the questionnaire, or navigate via the platform
- Fill out the questionnaire and see how risks are automatically identified
- Submit the questionnaire and then review the answers from Vendor Risk
 
Step 7 Add additional evidence
- Capture external compliance or security-related information about your vendor
- Manually identify and include risks from your vendor in their Risk Profile
⭐️ Tip: You can request additional evidence from your vendors directly through UpGuard
 
Step 8 Additional - Issue remediation requests
- Use remediation workflows to engage the vendor on specific risks
 
Step 9 Additional - Create risk waivers
- Create a risk waiver for any risks with valid compensating controls
 
Step 10 Complete a risk assessment
UpGuard offers two types of risk assessments to suit your needs:
- ⭐️ AI-powered Security Profiles and Instant Risk Assessments: a faster, smarter, and more efficient way to assess vendor risk
  - Select and load any evidence you have for a vendor, and use AI to scan evidence and identify risks and gaps, and determine compliance with controls
  - Review the vendor’s security profile to determine the level of compliance and identify any risks and gaps
  - If required, you can elect to seek further evidence from the vendor to address gaps or risks
  - Use AI to instantly generate a risk assessment report commentary based on your evidence and findings
  - Publish a point-in-time risk assessment report
- Classic risk assessment: A complete vendor risk assessment framework to assess vendor risk
  - Start a risk assessment for your vendor, choosing the assessment scope and evidence sources
  - Review outstanding risks, remediation requests, or risk waivers
  - Add organizational context and commentary to the assessment
  - Export the risk assessment and share it with relevant stakeholders
 
 
🌟🧠 Tip! Now that you've mastered it, we recommend evaluating vendors with different scopes and relationships to your organization.
This will give you a better understanding of managing your entire vendor portfolio.