
Third Party Risk Management Settings

Written by Shannon DeLange
Updated this week

Feature availability: This article discusses Third Party Risk Management features, which may require an upgrade or add-on. Refer to Vanta Plans and Pricing for details.

Security Questionnaires

A security questionnaire is a document or survey used by organizations to assess the security practices, policies, and overall security posture of a potential vendor, partner, or other third party.

These questionnaires typically contain questions designed to evaluate the entity's approach to protecting data, managing risks, and adhering to industry standards and regulatory requirements. Leverage Vanta's prebuilt security questionnaire, or upload your own.

  • You can upload a new questionnaire from the Vendor's settings page by selecting +Add questionnaire.

    • Upload files up to 50 MB of the following types: .xls, .xlsx

  • Select Import questions.

  • Include a questionnaire name and description.

  • Select Continue to upload your questionnaire.

  • You can also use Vanta's default questionnaire, crafted by Vanta's security team.

Managing Questionnaires

Select the three-dot menu on the right.

From there, you can:

  • Duplicate the questionnaire

  • Configure visibility of the questionnaire

  • Delete the questionnaire

Vanta AI Templates

Import your predefined question templates for Vanta AI to answer automatically. If you would like help crafting questions, use our TPRM AI guide.

  • From the Settings page, select Add new questionnaire

  • From there select one of the templates in the Use a Vanta questionnaire section

  • You can Add a new template or take advantage of Vanta's default template


  • If you would like to use Vanta's template and build upon it, select the three-dot menu and choose Duplicate template.

  • If you would like to delete any custom templates, select the three-dot menu and choose Delete template

Inherent Risk Rubric

The Inherent Risk Rubric Customization feature is part of our Third-Party Risk Management (TPRM) product. With auto risk scoring, each vendor receives a score that reflects the level of risk it poses to your organization, based on the criteria you have established. This can help you make more informed decisions about vendor selection, risk mitigation, and ongoing vendor management.

  • From the left-hand navigation panel, select Vendors

  • Open the Settings page and select the Inherent Risk Rubric tab

  • Select Edit this rubric


Risk Rubric Sections

Editing a Default Section

  • The default sections can be edited by selecting the pencil icon

  • Edit the name and choose if you would like the section to be enabled by toggling it on

  • Select Save


Adding a Custom Attribute

  • Select the + icon in the default section

  • Add a name, status (enabled or not enabled), description, and score, and map it to any relevant vendor categories.

  • Select Save

Creating a Custom Section

  • Select + Add new section

  • Provide a section name, and add any custom attributes you would like listed under the section.

  • Add a description and score to each new attribute

  • Select Save

Security Review Risk Scoring

  • Once a security review has begun, you can leverage the auto-risk scoring or manually assign a risk level to the vendor.

  • Open the Vendor review and select the pencil icon next to Inherent risk

  • From here, you can manually assign risk by choosing the edit drop-down


Or

  • You can use auto-scoring by turning on the Auto-score based on risk attributes and inherent risk auto-score configuration toggle.

  • If you are using auto-scoring, complete the Risk attributes section so Vanta has enough context to calculate the score.
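To show how the rubric pieces above fit together (enabled or disabled sections, attributes with a score and category mapping, and an auto-score derived from the attributes selected for a vendor), here is an added illustration in Python. It is not Vanta's code: the rubric contents, the rule that applicable attribute scores are summed, and the level thresholds are all constructed assumptions, since the article does not state the aggregation formula.

```python
"""Constructed model of an inherent risk rubric (illustration only, not Vanta's
implementation). Assumed: applicable attribute scores are summed, and disabled
sections or attributes contribute nothing to the vendor's score."""
from dataclasses import dataclass, field


@dataclass
class Attribute:
    name: str
    score: int
    enabled: bool = True
    categories: frozenset = frozenset()  # empty set = applies to every vendor category


@dataclass
class Section:
    name: str
    enabled: bool = True
    attributes: list = field(default_factory=list)


def auto_score(rubric, vendor_category, selected):
    """Sum the scores of the selected, enabled attributes that sit in an enabled
    section and are mapped to the vendor's category (or to no category)."""
    total = 0
    for section in rubric:
        if not section.enabled:
            continue  # disabled sections are ignored even if attributes are selected
        for attr in section.attributes:
            if not attr.enabled or attr.name not in selected:
                continue
            if attr.categories and vendor_category not in attr.categories:
                continue  # attribute is mapped to other vendor categories only
            total += attr.score
    return total


def risk_level(score, thresholds=((60, "High"), (30, "Medium"))):
    """Map a numeric score to a level; thresholds are constructed, not Vanta's."""
    for floor, level in thresholds:
        if score >= floor:
            return level
    return "Low"


# Constructed sample rubric: two enabled sections plus one disabled legacy section.
RUBRIC = [
    Section("Data access", attributes=[
        Attribute("Processes customer PII", 30),
        Attribute("Stores production credentials", 40),
    ]),
    Section("Integration", attributes=[
        Attribute("Has API access to production", 25, categories=frozenset({"SaaS", "Infrastructure"})),
        Attribute("Deploys code into our environment", 35, enabled=False),
    ]),
    Section("Legacy", enabled=False, attributes=[Attribute("Old criterion", 50)]),
]
```

Running `auto_score(RUBRIC, "SaaS", {"Processes customer PII", "Has API access to production"})` gives 55, while a consulting vendor with only the API attribute selected scores 0 because that attribute is not mapped to its category.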


Security Review Rules

Frequency & Preferred Evidence

  • From the VRM settings, you can set default evidence requirements when requesting vendor documentation based on the vendor's risk level.

  • Select Edit

  • Select the review frequency from the dropdown and any preferred pieces of evidence. Vanta will default to these preferences, but items can be added or removed during the vendor review.

  • Select Save


Custom Resource Types

You can create and manage your own resource types. Resource types added here or during a security review will appear in this list.

To manage custom resource types:

  • Under the Vendors section of your account navigation, go to the Settings page.

  • Open the Security review rules tab and scroll to Custom resource types.

  • Click Add resource type and enter a document name, like architecture diagram.

  • Click the ••• more menu to edit or delete an existing resource type. This will not impact existing security reviews.

Custom Vendor Fields

  • From the Custom Vendor Fields tab in your settings, you can create custom attributes to help track information and details about your vendors.

  • Once a custom field is added to the settings page, the field will be visible in the Vendor's details.

  • Select Add custom field

  • Add the label and description

  • Choose the field type

    • Date

    • Number

    • Multi-select

    • Text

  • Select Add


Vendor Intake Form

On the Settings page, you can set up an intake form to collect vendor procurement requests directly in Vanta. Only one intake form is supported per Vanta workspace.

Editing the Intake Form

You can customize the vendor intake form from Vendor settings, where you define the questions used to collect basic vendor information. The form supports standard vendor fields and any custom vendor fields configured for your organization.

To edit the vendor intake form:

  1. Under the Vendors section of your account navigation, go to the Settings page.

  2. Go to the Intake form tab and click Edit form.

  3. Customize the form instructions, or leave them blank.

  4. Customize the text for the default questions.

  5. Click the + add icon to add new questions.

    • Map to vendor field: Use the drop-down menu at the top of the question to choose the standard vendor field to map to. Options: Category, auth method, vendor headquarters, contact name, contact email, security owner email, or business owner email.

    • Custom question: Use the drop-down menu at the top of the question to choose the field type. Options: Short text, long text, number, date, single-select, or multi-select.

  6. At the top of the page, click the Save changes button. Once saved, you can also click the Preview form button to see how it looks.

  7. Once you’re done, return to the Intake form tab and turn on Enable intake form.

Sharing the Intake Form

  • At the top of the Vendors page next to the Edit intake form button, click the down arrow ▼ and select Copy link.

  • Any logged-in user can access the Vendor intake form in their account navigation.

Reviewing Submissions

  • When someone submits the form, a vendor record is created in your vendor list in the Procurement status.

  • Based on how the submitter answers the intake form questions, Vanta automatically assigns an inherent risk score to the vendor using your inherent risk rubric.

  • If the security owner email field was mapped, they'll get a notification about the new request.

  • If the business owner email field was mapped, they'll get notifications on the status of the request.