
Vendor Risk Management

Written by Shannon DeLange
Updated over 2 weeks ago

For more information about plan types and capabilities, see Vanta's pricing page

With the Vendor Risk Management feature, you can assess and manage vendors' risks in one centralized location. We recommend configuring your Vendor Risk Management settings before starting the vendor review process.

Overview

  • From the Vendors page, the Overview tab will give you a visual summary of

    • Security reviews progress

    • Vendors managed

    • Vendor discovery

Discovery

The Vendor discovery page details which vendors are being used within your organization and the associated risk level. Vendors are discovered by linking to your organization's identity provider (IdP), which surfaces vendors by monitoring events such as employee logins. For example, vendors accessed using options like 'Sign in with Office' are captured through the IdP and displayed in Discovery. Only applications reached through the IdP are visible this way; a vendor that employees use with standalone credentials will not surface in Discovery and must be added manually from the Managed Vendors page.

From the Needs Review tab you can add vendors to your Managed Vendors list, or ignore or reject them. Vendors might reappear in the Discovery list if they are accessed again by users or if a new app from the same vendor is detected.

  • Discovered Vendors: Vendors discovered by Vanta that are awaiting action (add, ignore, reject)

  • Ignored Vendors: Vendors you are not leveraging in your tech stack right now; when ignoring a Vendor, you can provide a reason

    • Unexpected Vendors: Internal tools or applications integrated with platforms like Google may also appear in Discovery because the integration reports them.

    • Uninstalled Applications: An application that has been removed no longer appears in subsequent scans; if it was already marked as ignored or rejected, it stays in that list.

  • Rejected Vendors: Vendors you have decided not to use in your tech stack

  • To reject a vendor, select the three-dot menu on the right-hand side of the vendor row and choose Reject. If the applications previously used have been uninstalled, the vendor will not reappear in Discovery unless a new related app is detected or a user accesses it again.


Bulk Adding or Ignoring Vendors

  • Select the vendor(s) you would like to review, and choose Add or Ignore

  • Vendors added will be visible from the Managed vendors tab

  • Additionally, add or ignore individual Vendors by hovering over the Vendor line and selecting the appropriate option
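As an added illustration of the Discovery workflow described above (example code written for this page, not Vanta's own implementation): it folds constructed IdP sign-in events into a vendor inventory, applies the reviewer's add, ignore and reject decisions, and shows when an ignored or rejected vendor resurfaces in Needs Review. The event schema (`ts`, `user`, `app`, `domain`), the `INTERNAL_DOMAINS` set and the sample events are assumptions made for the example.

```python
"""Vendor discovery from identity-provider (IdP) sign-in events.

Added example, not Vanta's code. The event schema, the sample data and the
INTERNAL_DOMAINS allowlist are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

NEEDS_REVIEW, MANAGED, IGNORED, REJECTED = "needs_review", "managed", "ignored", "rejected"

# Assumption: the organization's own domains. Internal tools federated through
# the IdP show up in discovery too; this flag lets the reviewer spot them quickly.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Vendor:
    domain: str                      # publisher domain of the app, used as the vendor key
    status: str = NEEDS_REVIEW
    apps: set = field(default_factory=set)
    users: set = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    decided_at: datetime | None = None
    reason: str | None = None        # reason given when ignoring, or why the vendor resurfaced

    @property
    def likely_internal(self) -> bool:
        return self.domain in INTERNAL_DOMAINS


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-16T15:58:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def ingest(events, inventory=None):
    """Fold IdP sign-in events into the vendor inventory and return it.

    A vendor seen for the first time lands in Needs Review. One that was
    ignored or rejected resurfaces there if it is used again after the
    decision; the recorded reason says whether a previously unseen app
    from that vendor triggered it.
    """
    inventory = {} if inventory is None else inventory
    for ev in events:
        when = _ts(ev["ts"])
        v = inventory.get(ev["domain"])
        if v is None:
            v = inventory[ev["domain"]] = Vendor(domain=ev["domain"], first_seen=when)
        new_app = ev["app"] not in v.apps
        v.apps.add(ev["app"])
        v.users.add(ev["user"])
        v.last_seen = when if v.last_seen is None else max(v.last_seen, when)
        if v.status in (IGNORED, REJECTED) and v.decided_at is not None and when > v.decided_at:
            v.status = NEEDS_REVIEW
            v.reason = "new app detected" if new_app else "accessed again"
    return inventory


def decide(inventory, domain, decision, at, reason=None):
    """Record the reviewer's decision: add to Managed Vendors, ignore, or reject."""
    if decision not in (MANAGED, IGNORED, REJECTED):
        raise ValueError(f"unknown decision: {decision}")
    v = inventory[domain]
    v.status, v.decided_at, v.reason = decision, _ts(at), reason
    return v


def needs_review(inventory):
    """Vendors awaiting action, i.e. the contents of the Needs Review tab."""
    return sorted((v for v in inventory.values() if v.status == NEEDS_REVIEW), key=lambda v: v.domain)


# Constructed sample events in a hypothetical schema (not a real IdP export).
DAY1 = [
    {"ts": "2024-05-16T15:58:00Z", "user": "alice@example.com", "app": "Slack", "domain": "slack.com"},
    {"ts": "2024-05-16T15:59:00Z", "user": "bob@example.com", "app": "Slack", "domain": "slack.com"},
    {"ts": "2024-05-16T16:01:00Z", "user": "alice@example.com", "app": "Zoom", "domain": "zoom.us"},
    {"ts": "2024-05-16T16:03:00Z", "user": "carol@example.com", "app": "Notion", "domain": "notion.so"},
    {"ts": "2024-05-16T16:05:00Z", "user": "dave@example.com", "app": "Deploy Dashboard", "domain": "example.com"},
]
DAY2 = [
    {"ts": "2024-05-17T09:10:00Z", "user": "bob@example.com", "app": "Zoom", "domain": "zoom.us"},
    {"ts": "2024-05-17T09:12:00Z", "user": "carol@example.com", "app": "Notion Calendar", "domain": "notion.so"},
    {"ts": "2024-05-17T09:15:00Z", "user": "alice@example.com", "app": "Slack", "domain": "slack.com"},
]


def run_demo():
    """Day 1 discovery, reviewer decisions, then day 2 events; returns the inventory."""
    inv = ingest(DAY1)
    decided = "2024-05-16T17:00:00Z"
    decide(inv, "slack.com", MANAGED, decided)
    decide(inv, "zoom.us", REJECTED, decided)
    decide(inv, "notion.so", IGNORED, decided, reason="trial, not adopted")
    decide(inv, "example.com", IGNORED, decided, reason="internal tool")
    return ingest(DAY2, inv)


if __name__ == "__main__":
    for v in needs_review(run_demo()):
        print(f"{v.domain:12} apps={sorted(v.apps)} users={len(v.users)} reason={v.reason}")
```

Running it lists Notion (a new app from an ignored vendor) and Zoom (a rejected vendor accessed again) back in Needs Review, while Slack stays managed and the internal dashboard stays ignored. In a real deployment the vendor key would come from the OAuth client's publisher or domain in the IdP's own log schema rather than from a hand-written `domain` field.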

Procurement

Vendor procurement and security reviews provide a critical safeguard by ensuring that potential partners are vetted not only for their business value but also for their ability to meet security, compliance, and privacy standards. This proactive approach minimizes supply chain vulnerabilities, builds customer trust, and supports long-term resilience in an evolving threat landscape.

Procurement requests for new vendors can be managed from the Procurement tab.

  • To add a procurement request, select +Add procurement request

  • Provide a vendor name and category, and assign an owner

  • Complete the Additional details section

  • Select Add procurement request

  • Complete the required information in the request, and select Add request

    • Use the auto-risk scoring functionality, or manually enter the Risk attributes.

Managed Vendors

Managed vendors are third-party partners that an organization actively oversees and monitors to ensure ongoing compliance with security, privacy, and contractual obligations. Unlike one-time or low-risk suppliers, managed vendors often have deeper access to systems, sensitive data, or critical business processes, making continuous oversight essential.

Vendor Information

From the Managed Vendors tab, you can view risk scores, security review status, security review progress, and also create custom filters.

  • To add vendor information or complete a review, click directly into the vendor.

  • To manually add a vendor, select Add Vendor

  • Complete the information, and select Save.

Please note: All vendors under the scope of your audit should be listed on the Managed Vendors page. If a vendor is not automatically populated here by an integration, add it manually.

Vendor Details

  • Once you have opened a Vendor from the Managed vendors page, there will be multiple tabs of information.

    • Overview: Previous security reviews and findings

    • About: General vendor information, notes, and custom fields

    • Security reviews: Previous and current security reviews

    • Evidence: Evidence collected to determine the security posture of the vendor

    • Findings: Anything noteworthy or potentially worth flagging as a security risk

    • Linked apps: Discovered applications linked to this vendor

    • Subprocessors: Subprocessors used by the Vendors

Security Reviews

Vendor security reviews are structured evaluations that organizations perform to assess the security practices of their third-party vendors and service providers. These reviews help ensure that external partners handle sensitive data responsibly, comply with regulatory requirements, and maintain security standards that align with the organization’s own policies. By examining factors such as data protection, access controls, incident response, and compliance certifications, vendor security reviews reduce risk exposure, strengthen trust, and safeguard the business from potential vulnerabilities in its supply chain.

Begin the Security Review

  • From the Security reviews tab, click the vendor whose security review you want to start.

  • Edit the evidence list, or add additional evidence requests by selecting Edit list or Add

  • Select a due date

  • Review settings

    • Share AI answers with the vendor based on available evidence

    • Automatically ask the point of contact for evidence 30 days before the review date

    • Send reminder emails

  • Select Start review

Request Evidence

  • Select request evidence when you are ready to begin requesting documentation from the vendor.

  • Add an email address, or copy the link to send directly to your point of contact.

  • The link opens a dedicated page, called Vanta Exchange, where the vendor can upload evidence and complete security questionnaires.

Questionnaires

  • Vanta AI will attempt to answer questions from your security questionnaires by reviewing the evidence provided to you by the vendor.

  • Vanta will provide a suggested answer and wait for your review.

  • If you are comfortable with the suggestion, select the check box; check the suggested answer against the evidence it is based on before accepting it. If the answer is notable or potentially concerning from a security standpoint, select the flag to mark it as a finding.

Add Findings Manually

  • Once you have your evidence for the security review from the vendor, you can start adding findings. Findings help you document any potential security gaps with the vendor or note any other relevant information.

  • From the findings tab select Add.

  • Add any notable findings, and detail your recommended treatment plan

    • Accept risk: decide to live with the risk and take no further actions

    • Mitigate risk: identify a resolution plan to mitigate the finding

    • Not applicable: save this as a notable finding, but do nothing

Add Findings through Vanta AI

  • Vanta can use questionnaires to identify any potential security gaps based on the evidence given to you by the Vendor. These will be marked as Flagged by Vanta, and can be added as a finding.


Activity Tab

  • The Activity tab records who performed each of the following events, and when:

    • Accessed Vanta Exchange

    • Completed review

    • Draft security review created

    • Granted access to domains

    • Marked a decision

    • Reminder sent

    • Removed domains from access

    • Resource marked unavailable

    • Resource requested

    • Resource uploaded

    • Started security review

    • Submitted questionnaire through Vanta Exchange

    • Updated automated evidence request reminder setting

    • Updated automated evidence request setting

    • Updated setting for sharing questionnaires with vendors


Communicate the Decision

When a vendor security review is completed, the reviewing team (often security, compliance, or procurement) reaches a decision about whether the vendor is approved, conditionally approved, or not approved for use.

  • Select Make a recommendation

    • Approved: The vendor has successfully met all security, compliance, and business requirements. No additional action is needed, and the vendor is authorized for use within the organization.

    • Conditionally approved: The vendor can be used, but certain risks or gaps were identified that require remediation or ongoing monitoring. Approval is granted with conditions, such as implementing specific controls, providing additional evidence, or completing remediation within a set timeframe.

    • Not approved: The vendor did not meet the organization’s security, compliance, or business standards, and the risks are deemed too high to move forward. The vendor cannot be used unless significant changes are made and a new review is conducted.

  • Select the next security review date

  • Mark the Review as complete