
Managing Vendor Security Reviews

Written by Shannon DeLange
Updated yesterday

Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.

Vendor security reviews are a part of Third Party Risk Management in Vanta, helping your organization evaluate vendors. In Vanta, you create questionnaires and control when and how reviews happen based on vendor risk. These settings allow you to apply consistent standards and keep a clear, audit-ready record of decisions for vendors that handle sensitive data or support critical business processes.


Accessing security reviews

You can access any in-progress or completed vendor security review in two places within your Vanta account. Completed security reviews can't be edited.

Security reviews page

Under the Vendors section of your navigation, open the Security reviews page to view and manage security reviews across all vendors in your organization.

  • Use the tools above the table to search, filter, and sort your list.

  • Click the controls icon at the top-right of the vendor list to customize the table view: choose which columns to display, or change the row density of the table.

Vendor profiles

All the security reviews linked to the same vendor are centralized within the vendor’s profile in the Security reviews tab.

  • For new vendors that haven’t completed a security review before, you can start a security review from here.

  • If there’s a security review in progress, you can access and continue that review from here.

  • Only one security review can be in progress for a vendor at a time.

  • If you have completed multiple security reviews for a vendor, you’ll see a history of all past reviews to view or download.


Security review rules

Security review rules control how vendor security reviews are scheduled and what’s required for each review. They use a vendor’s inherent risk score to determine review frequency, questionnaires, and evidence requirements, and apply across vendors to keep reviews consistent while still allowing individual reviews to be adjusted when needed.

Vanta automatically schedules recurring security reviews based on your security review rules. About 30 days before a review’s due date, the next review is created and moved to in progress. At this point, Vanta can begin requesting evidence and sending reminders, depending on your automation settings.

Frequency and preferred evidence

You can set the default security review frequency and evidence requirements based on a vendor's inherent risk score.

To manage frequency and preferred evidence:

  1. Under the Vendors section of your account navigation, go to the Settings page.

  2. Open the Security review rules tab.

  3. Hover over a risk score and click Edit.

  4. Choose the preferred documentation, preferred questionnaire, and security review frequency from the dropdown.

  5. Click Save. Changes apply to new security reviews only.

  6. Repeat for each risk score as desired.

When a new security review is created for a vendor, the appropriate questionnaire and resources are applied automatically by default, but you can override them at any time within the individual security review by manually selecting the next due date and evidence list.

Custom resource types

You can create and manage your own resource types. Resource types added here or during a security review will appear in this list.

To manage custom resource types:

  1. Under the Vendors section of your account navigation, go to the Settings page.

  2. Open the Security review rules tab and scroll to Custom resource types.

  3. Click Add resource type and enter a document name, like architecture diagram.

  4. Click the ••• more menu to edit or delete an existing resource type; this does not affect existing security reviews.

Automations

You can set up automated rules for security reviews at the global level, as well as manage individual security review settings.

  • Global: Under the Vendors section of your account navigation, go to the Settings page. Open the Security review rules tab and scroll to Automations. Changes apply for vendors on future security reviews only.

  • Individual: Open the security review and click the more ••• menu to locate the option to manage security review settings. Changes apply for the vendor on the current and future security reviews.

The automations you can enable or disable depend on whether you're managing the global or the individual automation settings:

  • (Global) Automatically start security reviews: Vanta will automatically start recurring security reviews and begin gathering evidence 30 days before the due date. Recurring reviews are created based on your inherent risk rubric.

  • (Global) Auto-fill vendor answers with AI to save time / (Individual) Show AI answers to vendor: Share AI answers with the vendor based on all available evidence and highlight the questions that still need their input. This allows vendors to use Vanta AI when answering your questionnaire in the Vanta Exchange portal.

  • (Global) Automatically ask vendors for evidence / (Individual) Automatically ask point of contact for evidence: We'll ask vendors to submit evidence 30 days before the security review due date for renewals. Scheduled emails can be cancelled at any time. By default, we'll request the preferred evidence and use the security review frequency from your settings. In the evidence request email column of your security reviews list, you can see when the next evidence request is scheduled to be sent, or whether the request is blocked because vendor contact information is missing.

  • (Individual) Send reminder email: An email is sent to the point of contact every 5 days until all requested evidence has been provided. The point of contact emailed is the one listed in your vendor details.
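The scheduling rules described above (review frequency tied to inherent risk, the review moving to in progress and evidence being requested 30 days before the due date, reminders every 5 days, and requests blocked when no vendor contact is on file) are easier to reason about as a small model. The following Python is an added illustration written for this article; it is not Vanta's code and does not call Vanta's API. The risk tiers and month counts in DEFAULT_FREQUENCY_MONTHS, the vendor and contact values, and the choice to stop listing reminders at the due date when evidence is never fulfilled are all assumptions made for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed tier -> review frequency table. Vanta lets you set the frequency
# per inherent risk score in Settings; the tier names and month counts below
# are assumptions for this example, not Vanta defaults.
DEFAULT_FREQUENCY_MONTHS = {"high": 12, "medium": 24, "low": 36}

LEAD_TIME = timedelta(days=30)          # review starts / evidence is requested 30 days before due
REMINDER_INTERVAL = timedelta(days=5)   # reminder cadence until evidence is fulfilled


@dataclass
class VendorReviewPolicy:
    """Per-vendor inputs the scheduling rules act on (constructed for this example)."""
    vendor: str
    inherent_risk: str
    last_completed: date
    point_of_contact: Optional[str] = None     # missing contact blocks evidence requests
    auto_start: bool = True                    # "Automatically start security reviews"
    auto_request_evidence: bool = True         # "Automatically ask ... for evidence"
    send_reminders: bool = True                # "Send reminder email"
    frequency_months: dict = field(default_factory=lambda: dict(DEFAULT_FREQUENCY_MONTHS))


def make_policy(vendor: str, risk: str, last_completed_iso: str,
                contact: Optional[str] = None, **flags) -> VendorReviewPolicy:
    """Convenience constructor taking the completion date as an ISO string."""
    return VendorReviewPolicy(vendor, risk, date.fromisoformat(last_completed_iso), contact, **flags)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_due_date(policy: VendorReviewPolicy) -> date:
    """Due date of the next recurring review, derived from the risk-tier frequency."""
    return add_months(policy.last_completed, policy.frequency_months[policy.inherent_risk])


def review_schedule(policy: VendorReviewPolicy, fulfilled_on: Optional[str] = None) -> dict:
    """Compute the dates the automations would act on for the vendor's next review.

    fulfilled_on: ISO date on which all requested evidence was provided (None = not yet).
    Reminders are listed until that date, or until the due date if never fulfilled
    (the cut-off at the due date is an assumption for this example).
    """
    due = next_due_date(policy)
    start = due - LEAD_TIME if policy.auto_start else None

    evidence_request = None
    blocked = False
    if policy.auto_request_evidence:
        if policy.point_of_contact:
            evidence_request = due - LEAD_TIME
        else:
            blocked = True  # surfaces as "blocked" in the evidence request email column

    reminders = []
    if evidence_request is not None and policy.send_reminders:
        stop = date.fromisoformat(fulfilled_on) if fulfilled_on else due
        t = evidence_request + REMINDER_INTERVAL
        while t <= stop:
            reminders.append(t)
            t += REMINDER_INTERVAL

    return {
        "vendor": policy.vendor,
        "due": due,
        "moves_to_in_progress": start,
        "evidence_request": evidence_request,
        "evidence_request_blocked": blocked,
        "reminders": reminders,
    }


if __name__ == "__main__":
    # Constructed vendor: high inherent risk, last review completed 15 March 2024.
    acme = make_policy("Acme Hosting (constructed)", "high", "2024-03-15", "security@acme.example")
    for key, value in review_schedule(acme, fulfilled_on="2025-02-28").items():
        print(f"{key}: {value}")
```

Running the block prints a due date of 2025-03-15, an in-progress date and evidence request on 2025-02-13, and three reminders (18, 23 and 28 February). Constructing the same policy without a point of contact yields no evidence request and no reminders, with evidence_request_blocked set, which is the case the article says is flagged in the evidence request email column.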


Creating questionnaires

Questionnaires are used during security reviews to collect consistent security information from vendors. In Vanta, questionnaires are created and managed separately from individual reviews so they can be reused and applied consistently across vendors. Changes you make won’t impact any questionnaires already added to security reviews.

Using the questionnaire builder

You can build a questionnaire from scratch, edit a template created by Vanta’s Security team, or edit a questionnaire you imported using the questionnaire builder.

To use the questionnaire builder:

  1. Under the Vendors section of your account navigation, go to the Settings page and open the Questionnaires tab.

  2. Click to open a questionnaire from your list, or click the Add new questionnaire button to get started.

  3. Edit the template:

    • Click the title to update the name of the questionnaire.

    • Change visibility depending on whether you’re sending this questionnaire to vendors or using it internally only.

    • Drag and drop to reorder questions in the question list.

  4. Click the + button to add new questions. Options: Text response or Yes/No/NA.

    • When using Yes/No/NA, you can add conditional logic to ask the vendor a follow-up question depending on their answer.

  5. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.

Using Vanta questionnaires

You can get started from one of Vanta’s questionnaires and customize the template to suit your unique needs. Once you select a template, we'll drop you into the questionnaire builder where you can make further changes.

To use a Vanta questionnaire:

  1. Click the Add new questionnaire button and select one of the Vanta questionnaires.

  2. Edit the template using the questionnaire builder.

  3. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.

Importing questionnaires

You can upload your own questionnaire from a spreadsheet. Once you import your questions, we'll drop you into the questionnaire builder where you can make further changes.

To import a spreadsheet:

  1. Click the Add new questionnaire button and select Import questions.

  2. Enter a name and description to continue.

  3. Review the instructions and click the Download Excel template button.

    • Your spreadsheet should have two columns: Question and Question Type.

    • The value for Question Type should be either Text response or Yes/No/NA.

    • Supported file types are .xls and .xlsx, up to 50 MB.

  4. When you’re ready, upload the file. Review your import, especially rows with issues, then click the Import button.

  5. Edit the template using the questionnaire builder.

  6. When you’re done, click Back to settings and you’ll see the questionnaire at the top of your list. You may need to refresh the page.
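Because the import step flags rows with issues, it helps to check a spreadsheet against the stated format before uploading it: a Question column, a Question Type column whose values are exactly Text response or Yes/No/NA, and a file under 50 MB. The following Python validator is an added example written for this article, not Vanta's own import logic. It works on CSV text so it runs without Excel libraries; the validate_xlsx helper for real .xlsx files assumes the third-party openpyxl package is installed (legacy .xls files would need a different reader). The sample rows are constructed.

```python
import csv
import io
import os
from dataclasses import dataclass, field

# Format rules from the import instructions: two columns, two allowed types,
# spreadsheet up to 50 MB.
REQUIRED_COLUMNS = ("Question", "Question Type")
ALLOWED_TYPES = ("Text response", "Yes/No/NA")
MAX_FILE_BYTES = 50 * 1024 * 1024


@dataclass
class ImportReport:
    accepted: list = field(default_factory=list)  # (row_number, question, question_type)
    issues: list = field(default_factory=list)    # (row_number, message); row 1 is the header

    @property
    def ok(self) -> bool:
        return not self.issues


def validate_rows(header, rows) -> ImportReport:
    """Validate a header row plus data rows (lists of cell values) against the import rules."""
    report = ImportReport()
    names = [str(h).strip() for h in header]
    missing = [c for c in REQUIRED_COLUMNS if c not in names]
    if missing:
        report.issues.append((1, f"missing required column(s): {', '.join(missing)}"))
        return report
    q_idx, t_idx = names.index("Question"), names.index("Question Type")
    seen = set()
    for n, row in enumerate(rows, start=2):
        cells = [str(c) if c is not None else "" for c in row]
        cells += [""] * (max(q_idx, t_idx) + 1 - len(cells))   # pad short rows
        question, qtype = cells[q_idx].strip(), cells[t_idx].strip()
        if not question and not qtype:
            continue                                            # wholly blank row: skip
        if not question:
            report.issues.append((n, "empty Question"))
        elif qtype not in ALLOWED_TYPES:
            report.issues.append((n, f"unsupported Question Type {qtype!r}; expected one of {ALLOWED_TYPES}"))
        elif question.casefold() in seen:
            report.issues.append((n, f"duplicate question: {question!r}"))
        else:
            seen.add(question.casefold())
            report.accepted.append((n, question, qtype))
    return report


def validate_csv_text(text: str) -> ImportReport:
    """Validate CSV content (used here so the example runs without Excel libraries)."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ImportReport(issues=[(1, "empty file")])
    return validate_rows(rows[0], rows[1:])


def validate_xlsx(path: str) -> ImportReport:
    """Validate the first sheet of an .xlsx file. Assumes openpyxl (third-party) is installed."""
    size = os.path.getsize(path)
    if size > MAX_FILE_BYTES:
        return ImportReport(issues=[(0, f"file is {size} bytes; the import limit is {MAX_FILE_BYTES}")])
    import openpyxl
    sheet = openpyxl.load_workbook(path, read_only=True).worksheets[0]
    rows = [list(r) for r in sheet.iter_rows(values_only=True)]
    if not rows:
        return ImportReport(issues=[(1, "empty sheet")])
    return validate_rows(rows[0], rows[1:])


# Constructed sample: two valid rows followed by three rows the import would flag.
SAMPLE_CSV = """Question,Question Type
Do you encrypt customer data at rest?,Yes/No/NA
Describe your incident response process.,Text response
Do you have a current SOC 2 report?,Boolean
,Text response
Do you encrypt customer data at rest?,Yes/No/NA
"""

if __name__ == "__main__":
    report = validate_csv_text(SAMPLE_CSV)
    for n, q, t in report.accepted:
        print(f"row {n}: OK  {t:<13} {q}")
    for n, msg in report.issues:
        print(f"row {n}: FIX {msg}")
```

Run against the sample, the validator accepts rows 2 and 3 and reports row 4 (a type that is not one of the two allowed values), row 5 (blank question) and row 6 (duplicate), which are the same rows the import review screen would ask you to look at. Column order does not matter because columns are located by header name.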

Managing your questionnaire list

You can take the following actions from your questionnaire list:

  • Click a questionnaire from your list to open the questionnaire builder and make any edits.

  • Click the more ••• menu to the right of the questionnaire to duplicate, configure visibility, or delete.


Conducting security reviews

Conduct security reviews by requesting evidence from vendors, reviewing answers, and making a recommendation to finalize the review.

  • Requesting evidence: As part of conducting a security review, you request evidence from the vendor. This includes sending the vendor a security questionnaire and asking for resources related to their security posture.

  • Reviewing answers: Once your vendor provides the evidence you requested, you’ll need to review the answers provided to the security questionnaire, as well as flag any findings that might need remediation.

  • Making a recommendation: When you’re ready to finalize your security review, you’ll record a recommendation and residual risk to capture the outcome of your assessment and document the decision.