Vendor Risk Guide 3: Evaluate and Assess
Evaluate vendors, address risks, and run assessments
- Step 1: Refine Security Profile controls
- Step 2: Send a gap questionnaire
- Step 3: Address Risks
- Step 4: Evaluate & run assessments
This guide discusses functionality from across product plans and may reference functionality not available on your account.
Step 1: Check Security Profile
Remember that you added tiers to each of your vendors? Now, you’ll reap those rewards.
Security Profile evaluates vendors against a set of controls. The vendor's tier determines which controls the vendor is evaluated against: tier 1 vendors are checked against a stricter and more comprehensive set of controls than tier 4 vendors.
Read more about Security Profile and control templates.
Starting with your tier 1 vendors:
- Check Security Profile and validate that they’re being evaluated against the correct controls.
- Remove any controls that don’t apply (we recommend doing this at the template level if appropriate).
- Check whether you’re missing evidence. The goal is to have a green, yellow, or red marker next to each control.
  - If you have green, yellow, or red next to every control: skip to Step 3.
  - If you have one or more question mark icons next to controls: add evidence related to that control (if you have it), or continue to Step 2.
If the default Security Profile control templates don’t work for you, skip to the last bullet point in Step 4 for a suggested workflow.
Step 2: Send a gap questionnaire
Even after adding evidence, you might be missing some information you need. Send a gap questionnaire to get that data. The goal is to get you the complete picture, everything you need to be able to evaluate the vendor.
Step 3: Address Risks
As you add evidence, UpGuard begins showing risks so that you can take action. Start with vendors in your most critical tier and work through each risk. For each risk, take one of two actions:
- Request remediation when there’s a risk that you need the vendor to address. Added benefit: requesting remediation creates an audit trail showing that you are aware of the risk, flagged it to the vendor, and wanted it fixed.
- When remediation isn’t the right option: waive the risk if it isn’t actually a risk to you.
Tip: If a vendor has multiple open risks that need to be addressed, you can request remediation in bulk.
Step 4: Evaluate & run assessments
You've been evaluating vendors as you go, but once you've finished adding evidence and sending questionnaires you can do a more formal evaluation and assessment. As always, start with vendors in your most critical tier and work your way down.
- New to TPRM: use Security Profile to get an (almost) instant understanding of potential risks and then generate a risk assessment from Security Profile when you’re ready.
- Using NIST or ISO frameworks: use Security Profile to compare vendors to NIST and ISO controls and then generate a risk assessment from Security Profile when you’re ready.
- Have a mature TPRM process or using a framework other than NIST/ISO: Compare Security Profile controls with your own standards, remove any standards that aren’t applicable, and then send a questionnaire that gathers the additional data you need. Use Security Profile to run the initial assessment and then edit the assessment to add in any details not captured by the default controls. Alternatively, you can run a classic assessment by uploading evidence and writing the full assessment from scratch.