
Managing Vendor Assessments

Updated this week

Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.

Vendor security reviews are a part of Third Party Risk Management in Vanta, helping your organization evaluate vendors. In Vanta, you create questionnaires and control when and how assessments happen based on vendor risk. These settings allow you to apply consistent standards and keep a clear, audit-ready record of decisions for vendors that handle sensitive data or support critical business processes.


Accessing vendor assessments

You can access any in-progress or completed vendor assessments in two places within your Vanta account. Completed assessments cannot be edited.

Assessments page

Under the Vendors section of your navigation, open the Assessments page to view and manage assessments across all vendors in your organization.

  • Use the tools above the table to search, filter, and sort your list.

  • Click the controls icon at the top-right of the vendor list to customize the table view—you can choose what columns to display in the table, or change the density size of the table rows.

Vendor profiles

All assessments linked to the same vendor are centralized within the vendor’s profile in the Assessments tab.

  • If a vendor has not started a specific assessment type (for example, a security assessment, privacy assessment, or legal assessment), you can start that assessment from here.

  • If there’s an assessment in progress (such as a security assessment), you can access and continue it from here.

  • Only one assessment per type can be in progress for a vendor at a time (for example, one active security assessment), but vendors can have different assessment types in progress simultaneously.

  • If multiple assessments have been completed for a vendor, you’ll see a history of past assessments by type to view or download.


Assessment rules

Assessment rules control how vendor assessments are structured, scheduled, and automated across your organization. They use a vendor’s inherent risk score to determine assessment frequency, questionnaires, and evidence requirements. Rules apply across all vendors so that assessments stay consistent, while individual assessments can still be adjusted when needed.

Vanta can automatically schedule recurring assessments based on your assessment rules. About 30 days before an assessment’s due date, the next assessment is created and moved to in progress. At this point, Vanta can begin requesting evidence and sending reminders, depending on your automation settings.

Assessment types and preferences

You can create custom assessment types to support different assessment workflows across your organization.

  • Vanta provides several default assessment types to support common assessment workflows, including security, privacy, AI, legal, finance, and ESG. You can edit the name, description, and default owner for any assessment type.

  • You can also create custom assessment types to support additional assessment workflows. Each assessment type can have its own frequency, questionnaire, evidence requirements, and automation settings based on vendor risk.

  • The Security assessment type cannot be deleted, but all other default types can be edited or deleted.

Frequency and preferred evidence

You can set the default assessment frequency and evidence requirements based on a vendor's inherent risk score.

To manage frequency and preferred evidence:

  1. In your account header, click the Settings icon.

  2. In the Settings page menu, scroll to the Features section and select Vendors.

  3. Open the Assessment rules tab.

  4. Hover over a risk score and click Edit.

  5. Choose the preferred documentation, preferred questionnaire, and assessment frequency from the dropdown.

  6. Click Save. Changes apply to new assessments only.

  7. Repeat for each risk score as desired.

When a new assessment is created for a vendor, the questionnaire and resources set for that vendor’s risk score apply by default. You can override the defaults at any time within the individual assessment by manually selecting the next due date and the evidence list.

Custom resource types

You can create and manage your own resource types. Resource types added here or during an assessment will appear in this list.

To manage custom resource types:

  1. In your account header, click the Settings icon.

  2. In the Settings page menu, scroll to the Features section and select Vendors.

  3. Open the Assessment rules tab and scroll to Custom resource types.

  4. Click Add resource type and enter a document name, like architecture diagram.

  5. Click the ••• more menu to edit or delete an existing resource type—this will not impact existing assessments.

Automations

You can set up automated rules for assessments at the global level, vendor level, and assessment level. Use the following table to understand which settings are available at each level:

Level: Global
Setting: Automatically start security reviews (always on)
Description: Vanta will automatically start recurring assessments and begin gathering evidence 30 days before the due date. Recurring assessments are created based on your inherent risk rubric.

Level: Global, Assessment
Setting: Auto-fill vendor answers with AI to save time (or show AI answers to vendor)
Description: Share AI answers with the vendor based on all available evidence and highlight the questions that still need their input. This allows vendors to use Vanta AI when answering your questionnaire in the Vanta Exchange portal.

Level: Global, Vendor
Setting: Automatically ask vendors for evidence (or automatically ask point of contact for evidence)
Description: We'll ask vendors to submit evidence 30 days before the assessment due date for renewals. Scheduled emails can be cancelled at any time. By default, we’ll use the assessment frequency and preferred evidence requested based on your settings. In the Evidence request email column of your assessment list, you can see when the next evidence request is scheduled to be sent or whether the request is blocked due to missing vendor contact information.

Level: Vendor
Setting: Send reminder email
Description: An email is sent to the point of contact every 5 days until all requested evidence is fulfilled. The point of contact emailed is the one listed in your vendor details.

Global-level settings

In your account header, click the Settings icon, scroll to the Features section, and select Vendors. Open the Assessment rules tab and scroll to Automations. Changes apply for vendors on future assessments only.

Vendor-level settings

Open the vendor details page and click the more ••• menu to locate the option to Manage assessment settings. Changes apply for the vendor on the current and future assessments.

Assessment-level settings

Open an assessment and click the more ••• menu to locate the option to Manage assessment settings. Changes apply to this specific assessment only.
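To make the scheduling and automation rules above concrete, here is an added Python model of how recurring assessments, the 30-day evidence lead time, the 5-day reminder cadence, and the global / vendor / assessment setting layers fit together. This is example code written for this page, not Vanta's implementation or API. The risk tier names, frequencies, questionnaire names, evidence lists, and the assumption that the most specific settings level wins are all constructed for the example; in Vanta these come from the Assessment rules tab and the Manage assessment settings menus.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed rule set keyed by inherent risk tier. Tier names, frequencies,
# questionnaire names and evidence lists are assumptions for this example, not
# Vanta defaults; in Vanta they are set per risk score on the Assessment rules tab.
RULES: Dict[str, dict] = {
    "high":   {"frequency_days": 365,  "questionnaire": "Security questionnaire (full)",
               "evidence": ["SOC 2 Type II report", "Penetration test summary"]},
    "medium": {"frequency_days": 730,  "questionnaire": "Security questionnaire (lite)",
               "evidence": ["SOC 2 Type II report"]},
    "low":    {"frequency_days": 1095, "questionnaire": "Self-attestation",
               "evidence": []},
}

EVIDENCE_LEAD_DAYS = 30     # page: next assessment starts / evidence requested 30 days before due
REMINDER_INTERVAL_DAYS = 5  # page: reminder email every 5 days until evidence is fulfilled


@dataclass
class AutomationSettings:
    """One layer of automation settings. None means 'not set at this level'."""
    auto_request_evidence: Optional[bool] = None
    send_reminders: Optional[bool] = None
    share_ai_answers: Optional[bool] = None


def resolve_setting(name: str, global_s: AutomationSettings,
                    vendor_s: Optional[AutomationSettings] = None,
                    assessment_s: Optional[AutomationSettings] = None) -> bool:
    """Assumed precedence: the most specific level wins (assessment > vendor > global)."""
    for layer in (assessment_s, vendor_s, global_s):
        if layer is not None and getattr(layer, name) is not None:
            return getattr(layer, name)
    return False


@dataclass
class Assessment:
    vendor: str
    risk_tier: str
    due_date: date
    questionnaire: str
    evidence: List[str]
    status: str = "scheduled"   # scheduled -> in_progress -> completed


def plan_next_assessment(vendor: str, risk_tier: str, last_completed: date) -> Assessment:
    """Create the next recurring assessment from the rule for the vendor's risk tier."""
    rule = RULES[risk_tier]
    due = last_completed + timedelta(days=rule["frequency_days"])
    return Assessment(vendor, risk_tier, due, rule["questionnaire"], list(rule["evidence"]))


def run_scheduler(assessments: List[Assessment], today: date, contact_known: Dict[str, bool],
                  global_s: AutomationSettings,
                  vendor_s: Optional[AutomationSettings] = None,
                  assessment_s: Optional[AutomationSettings] = None) -> List[Tuple[str, str]]:
    """Return the actions automation would take on `today` for each scheduled assessment."""
    actions = []
    for a in assessments:
        start_on = a.due_date - timedelta(days=EVIDENCE_LEAD_DAYS)
        if a.status == "scheduled" and today >= start_on:
            a.status = "in_progress"
            actions.append((a.vendor, "start_assessment"))
            if resolve_setting("auto_request_evidence", global_s, vendor_s, assessment_s):
                if contact_known.get(a.vendor):
                    actions.append((a.vendor, "send_evidence_request"))
                else:
                    # Mirrors the "blocked due to missing vendor contact information" state
                    actions.append((a.vendor, "evidence_request_blocked_no_contact"))
    return actions


def reminder_dates(request_sent: date, fulfilled_on: Optional[date], today: date) -> List[date]:
    """Reminder dates every REMINDER_INTERVAL_DAYS after the request, up to today,
    stopping once the evidence has been fulfilled."""
    out = []
    d = request_sent + timedelta(days=REMINDER_INTERVAL_DAYS)
    while d <= today and (fulfilled_on is None or d < fulfilled_on):
        out.append(d)
        d += timedelta(days=REMINDER_INTERVAL_DAYS)
    return out


if __name__ == "__main__":
    acme = plan_next_assessment("Acme Corp", "high", date(2024, 1, 15))
    print(acme.due_date)  # 2025-01-14
    print(run_scheduler([acme], date(2024, 12, 15), {"Acme Corp": True},
                        AutomationSettings(auto_request_evidence=True)))
    print(reminder_dates(date(2024, 12, 15), date(2024, 12, 28), date(2025, 1, 10)))
```

The model makes one point visible that the table only implies: a request that is blocked for a missing contact still leaves the assessment in progress, so the Evidence request email column is the place to catch vendors whose contact details were never filled in.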


Creating questionnaires

Questionnaires are used during assessments to collect consistent information from vendors. In Vanta, questionnaires are created and managed separately from individual assessments so they can be reused and applied consistently across vendors. Changes you make won’t impact any questionnaires already added to assessments such as security assessments.

Using the questionnaire builder

You can build a questionnaire from scratch, edit a template created by Vanta’s Security team, or edit a questionnaire you imported using the questionnaire builder.

To use the questionnaire builder:

  1. In your account header, click the Settings icon.

  2. In the Settings page menu, scroll to the Features section, select Vendors, and go to the Questionnaires tab.

  3. Click to open a questionnaire from your list, or click the Add new questionnaire button to get started.

  4. Edit the template:

    • Click the title to update the name of the questionnaire.

    • Change visibility depending on whether you’re sending this questionnaire to vendors or using it internally only.

    • Drag and drop to reorder questions in the question list.

  5. Click the + button to add new questions. Options: Text response or Yes/No/NA.

    • When using Yes/No/NA, you can add conditional logic to ask the vendor a follow up question depending on their answer.

  6. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.

Using Vanta questionnaires

You can get started from one of Vanta’s questionnaires and customize the template to suit your unique needs. Once you select a template, we'll drop you into the questionnaire builder where you can make further changes.

To use a Vanta questionnaire:

  1. Click the Add new questionnaire button and select one of the Vanta questionnaires.

  2. Edit the template using the questionnaire builder.

  3. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.

Importing questionnaires

You can upload your own questionnaire from a spreadsheet. Once you import your questions, we'll drop you into the questionnaire builder where you can make further changes.

To import a spreadsheet:

  1. Click the Add new questionnaire button and select Import questions.

  2. Enter a name and description to continue.

  3. Review the instructions and click the Download Excel template button.

    • Your spreadsheet should have two columns: Question and Question Type.

    • The value for Question Type should be either Text response or Yes/No/NA.

    • Upload files up to 50 MB of the following types: .xls, .xlsx

  4. When you’re ready, upload the file. Review your import, especially rows with issues, then click the Import button.

  5. Edit the template using the questionnaire builder.

  6. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.
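The import step above rejects rows that do not match the two-column format, and the review screen asks you to look at rows with issues. As an added example (not Vanta's importer), the Python below pre-checks a spreadsheet against the stated rules before upload: the .xls/.xlsx and 50 MB limits, the Question / Question Type header, and the two allowed type values. Reading the workbook into rows with a library such as openpyxl is assumed and not shown; the sample rows are constructed, and the duplicate-question check is an extra check the page does not mention.

```python
import os
from typing import Dict, List, Tuple

# Limits stated on the page for the spreadsheet import.
MAX_UPLOAD_BYTES = 50 * 1024 * 1024
ALLOWED_EXTENSIONS = {".xls", ".xlsx"}
REQUIRED_HEADER = ("Question", "Question Type")
# Canonical Question Type values; lookup key is lowercased and whitespace-collapsed
# so that "text response " still imports as "Text response".
QUESTION_TYPES = {"text response": "Text response", "yes/no/na": "Yes/No/NA"}


def check_upload(filename: str, size_bytes: int) -> List[str]:
    """Problems with the file itself, before looking at its contents."""
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"unsupported file type {ext or '(none)'}; use .xls or .xlsx")
    if size_bytes > MAX_UPLOAD_BYTES:
        problems.append(f"file is {size_bytes} bytes; limit is {MAX_UPLOAD_BYTES}")
    return problems


def _norm(cell) -> str:
    """Collapse whitespace and treat None (empty spreadsheet cell) as empty string."""
    return " ".join(str(cell).split()) if cell is not None else ""


def validate_sheet(header: List[str], rows: List[List[str]]) -> Tuple[List[Dict[str, str]], List[Tuple[int, str]]]:
    """Return (importable questions, issues).

    Row numbers in issues are spreadsheet row numbers, with the header as row 1.
    Rows are expected as lists of cell values, e.g. as read by openpyxl (assumed).
    """
    issues: List[Tuple[int, str]] = []
    questions: List[Dict[str, str]] = []
    if tuple(_norm(h) for h in header[:2]) != REQUIRED_HEADER:
        issues.append((1, f"header must be {REQUIRED_HEADER}, got {tuple(header[:2])}"))
        return questions, issues
    seen = set()
    for n, row in enumerate(rows, start=2):
        cells = list(row) + [""] * (2 - len(row))  # tolerate short rows
        q, t = _norm(cells[0]), _norm(cells[1])
        if not q and not t:
            continue  # fully blank row: skip silently
        ok = True
        if not q:
            issues.append((n, "Question is empty"))
            ok = False
        canonical = QUESTION_TYPES.get(t.lower())
        if canonical is None:
            issues.append((n, f"Question Type {t!r} is not 'Text response' or 'Yes/No/NA'"))
            ok = False
        if q and q.lower() in seen:  # extra check, not a rule stated on the page
            issues.append((n, "duplicate question"))
            ok = False
        if ok:
            seen.add(q.lower())
            questions.append({"question": q, "question_type": canonical})
    return questions, issues


# Constructed sample sheet: two good rows, one empty question, one unsupported
# type, one duplicate and one blank row.
SAMPLE_HEADER = ["Question", "Question Type"]
SAMPLE_ROWS = [
    ["Do you hold a current SOC 2 Type II report?", "Yes/No/NA"],
    ["Describe your vulnerability management process.", "text response "],
    ["", "Yes/No/NA"],
    ["Is customer data encrypted at rest?", "Multiple choice"],
    ["Do you hold a current SOC 2 Type II report?", "Yes/No/NA"],
    ["", ""],
]

if __name__ == "__main__":
    print(check_upload("vendor-questions.xlsx", 1024))
    ok_rows, found = validate_sheet(SAMPLE_HEADER, SAMPLE_ROWS)
    for row_no, msg in found:
        print(f"row {row_no}: {msg}")
    print(f"{len(ok_rows)} questions ready to import")
```

Running the pre-check locally means the rows flagged in Vanta's import review are ones you have already seen, and a type such as "Multiple choice" is caught before the questionnaire builder has to be edited by hand.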

Managing your questionnaire list

You can take the following actions from your questionnaire list:

  • Click a questionnaire from your list to open the questionnaire builder and make any edits.

  • Click the more ••• menu to the right of the questionnaire to duplicate, configure visibility, or delete.


Conducting assessments

Conduct assessments (such as security assessments) by requesting evidence from vendors, reviewing answers, and making a recommendation to finalize the assessment.

  • Requesting evidence: As part of conducting an assessment, you’re going to request evidence for the vendor to provide. For example, for a security assessment, this includes sending the vendor a security questionnaire, as well as resources related to their security posture.

  • Reviewing answers: Once your vendor provides the evidence you requested, you’ll need to review the answers provided to the questionnaire, as well as flag any findings that might need remediation.

  • Making a recommendation: When you’re ready to finalize your assessment, you’ll record a recommendation and residual risk to capture the outcome of your assessment and document the decision.


Making a vendor decision

After completing one or more assessments for a vendor, you can make a final decision at the vendor level. The vendor decision brings together recommendations from each assessment, along with any additional business or procurement context, to determine whether the vendor should be approved for use.

To make a vendor decision, open the vendor profile and click the Make decision button. You’ll choose from one of the following recommendation options, as well as provide the residual risk score:

Decision: Approved
Description: The vendor is approved for use. Any identified risks are acceptable based on the overall evaluation.

Decision: Conditionally approved
Description: The vendor is approved with conditions. Follow-up actions, mitigations, or monitoring may be required before or during use.

Decision: Not approved
Description: The vendor is not approved due to unacceptable risk or unmet requirements.

The vendor decision represents the final outcome for that vendor, informed by all assessments. You can also include a decision summary to document context, conditions, or rationale for audit and future reference.