Learn how to assess your vendors end-to-end using UpGuard Vendor Risk
Written by David Cook
Step 1 Monitor your new vendor
- Starting in the Vendors tab, select monitor vendor, and search for your vendor by their organisation name or domain name
⭐️ Tip: If there are no search results, you can still add your vendor with the blue attempt to scan button below
Step 2 Gather onboarding information
- Use the vendor relationship questionnaire to gather information from the internal business owner
- Questions can be easily customized to suit your initial vendor scoping process
⭐️ Tip: Create automation rules to automatically classify vendors based on the business owner's response
Step 3 Classify your vendor
- Add classification information about your vendor using tiers, portfolios, labels, and custom attributes
- These classifications can be used to describe the criticality of the vendor, the types of data they hold, and more
Step 4 Review their risks
- Determine acceptable risks for the vendor in the context of the services they provide you
Step 5 Send a questionnaire
- Choose a questionnaire template from our questionnaire library, such as ISO 27001, NIST CSF, and more
- Send the questionnaire to your vendor to start your vendor due diligence process
⭐️ Tip: Set yourself as a recipient to experience the workflow from both sides
Step 6 Answer a questionnaire
- Use the link in your email to answer the questionnaire, or navigate via the platform
- Fill out the questionnaire and see how risks are automatically identified
- Submit the questionnaire and then review the answers from Vendor Risk
Step 7 Add additional evidence
- Capture external compliance or security-related information about your vendor
- Manually identify and include risks from your vendor in their Risk Profile
⭐️ Tip: You can request additional evidence from your vendors directly through UpGuard
Step 8 Additional - Issue remediation requests
- Use remediation workflows to engage the vendor on specific risks
Step 9 Additional - Create risk waivers
- Create a risk waiver for any risks with valid compensating controls
Step 10 Complete a risk assessment
- Start a risk assessment for your vendor, choosing assessment scope and evidence sources
- Review outstanding risks, remediation requests, or risk waivers
- Add organizational context and commentary to the assessment
- Export the risk assessment and share it with relevant stakeholders
🌟🧠 Tip! Now that you've mastered it, we recommend evaluating vendors with different scopes and relationships to your organization.
This will give you a better understanding of managing your entire vendor portfolio.