This guide is your go-to resource for implementing VRM, from setting up workflows to completing your first security review. Designed for companies with 200 or more employees, this guide ensures your team gets up and running confidently and effectively.
By the end of this guide, you will:
Understand how to classify and manage vendors
Complete a full vendor security review
Automate evidence collection and risk workflows
Save time and gain confidence with Vanta AI support
Interested in learning more? Attend a live training!
VRM Key Terms Glossary
| Term | Definition |
|---|---|
| VRM (Vendor Risk Management) | A process to identify, assess, monitor, and manage risks associated with third-party vendors. Vanta’s VRM tool streamlines this process using automation, evidence collection, and AI. |
| Inherent Risk | The level of risk assigned to a vendor based on factors like data sensitivity and vendor category, before any mitigating controls are applied. Drives automation of reviews and settings. |
| Inherent Risk Rubric | A customizable framework used to auto-score vendors based on the type of data they handle and their business function. |
| Security Review | A workflow in Vanta used to evaluate a vendor’s security posture by collecting and analyzing evidence, questionnaires, and risks. |
| Preferred Evidence | Documents (e.g., SOC 2, ISO 27001, penetration test) that are automatically requested from vendors as part of a security review, based on their risk level. |
| Preferred Questionnaire | A standardized set of security questions that is automatically sent to vendors during a review. |
| Auto-requesting Evidence | A Vanta automation that triggers evidence collection 30 days before a scheduled security review. Requires a vendor contact email and a due date. |
| Trust Center (Vendor) | A public-facing portal where vendors may host their security documentation. Vanta can pull evidence from vendor Trust Centers during a review. |
| Findings | Identified risks or issues discovered during a security review. Can be tracked internally or followed up using the Jira integration. |
| Residual Risk | The level of risk remaining after mitigating actions or compensating controls have been considered. Set at the end of a security review. |
| Discovery Tool | A feature in Vanta that helps identify unknown or unmanaged vendors through integrations with IDPs and MDMs. |
| Shadow IT | Technology, software, or systems used within an organization without explicit approval. Discovery helps detect vendors from shadow IT. |
| Account Manager (Vendor Contact) | The vendor representative responsible for receiving evidence or questionnaire requests. A valid email address is required for automations. |
| Groups (Access Management) | Teams within your organization that are granted access to vendor records in Vanta. Helpful in managing offboarding and ownership. |
| Jira Integration | Connects Vanta to Jira to automatically create tickets for findings or remediation tasks resulting from security reviews. |
| API (Application Programming Interface) | Vanta’s programmatic interface, which allows customers to automate workflows, manage vendors, and integrate with external tools. |
| AI Answer Extraction | A Vanta AI capability that scans uploaded documents to answer security questions automatically, saving time during analysis. |
| Needs Review Tab | A table view within the VRM dashboard that displays which vendors are ready for analysis based on the completion of evidence collection. |
| Security Review Cadence | The frequency at which vendors are reviewed, based on their risk level (e.g., annually for high-risk vendors). |
| Vanta Exchange | A portal experience where vendors can respond to questionnaires and share evidence directly with customers, supporting collaborative security reviews. |
| Compensating Controls | Measures put in place to mitigate risks when a vendor fails to meet a specific security requirement. Can be flagged as part of a finding. |
30-60-90 Day Plan
Days 1–30: Foundations and Initial Workflows
Goal: Establish operational groundwork and onboard vendor data.
Key Activities:
Assign a VRM owner (typically a member of the GRC, Security, or Procurement team)
Import vendor data from procurement, legal, IT, or finance
Classify vendors by risk level (e.g., high, medium, low) and business criticality
Define your vendor review criteria (e.g., access to sensitive data, compliance impact)
Build initial workflows for vendor onboarding, due diligence, and approvals
Configure notification rules, ownership assignments, and SLA tracking
Train internal stakeholders on vendor classification and review processes
Deliverables:
Vendor inventory loaded and classified by risk tier
Initial workflows created for review processes
Stakeholder training completed
Days 31–60: Launch Reviews and Automate Evidence Collection
Goal: Conduct reviews and reduce manual workload through automation.
Key Activities:
Launch formal security reviews for high-risk vendors (start with a prioritized subset)
Automate the distribution of questionnaires (e.g., SIG, CAIQ) and evidence collection.
Use Vanta AI to analyze documentation (e.g., SOC 2 reports, penetration tests)
Track remediation tasks and assign follow-ups
Refine workflows based on stakeholder feedback
Communicate with vendors to ensure smooth participation in the review process
Deliverables:
Security reviews completed for high-risk vendors
Automated workflows for questionnaires and document analysis in place
Review feedback loop established
Days 61–90: Optimize and Scale
Goal: Scale the process, generate reporting, and embed VRM in your risk posture.
Key Activities:
Expand reviews to medium- and low-risk vendors based on available capacity
Use dashboards and reporting to track review status, remediation progress, and risk levels
Integrate workflows with tools like JIRA, Slack, or GRC platforms
Hold a retrospective with stakeholders to optimize the process
Formalize your vendor review cadence and update VRM policy documentation
Train backup reviewers and build resilience into your review process
Deliverables:
Scalable, repeatable end-to-end VRM process
Internal reporting package for compliance and leadership
Documented VRM policy and review cadence
By Day 90, your team will be able to:
Classify and assess vendors confidently
Run consistent and automated review workflows
Leverage Vanta AI to reduce manual workload
Demonstrate defensible vendor due diligence for audits and customer assessments
Stage 1: Discovery & Preparation
Key Questions to Answer with your Team:
Do you have a procurement workflow?
Zip: Use Zip integration
Task tracker (e.g., Jira): Set up task tracker integrations
Coupa or ServiceNow: Use Vanta's API and developer docs
No workflow: Use the API to simulate intake forms (e.g., trigger risk scoring from intake data)
Do you use a Shadow IT tool?
If yes, skip vendor Discovery.
If no, use Vanta Discovery with your IDP & MDM (see the Discovery article)
Do you have a list of vendors to import?
Use Vanta's import tool or API. Include:
Vendor category / risk level
Full URL (used to fetch logos and Trust Center data)
Vendor contact email (enables auto evidence requests)
Do you have past security reviews to attach?
For now, upload as PDFs to each vendor's “Evidence” section under “Other Security Assessment”.
Want to track findings in Jira?
Set up the Jira integration
For other tools, use the API for custom workflows
Stage 2: Configuration & Setup
Settings to Configure Before Import
Assign risk levels based on vendor category and data type
Important: Set this before importing vendors
Cadence: How often reviews occur (e.g., yearly for high-risk vendors)
Preferred Evidence: Automatically request SOC 2, ISO, etc.
Preferred Questionnaire: Auto-send standard forms
Automation: Auto-request evidence 30 days before reviews
All settings can be overridden at the vendor level
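The settings above describe a small decision engine: an inherent-risk rubric scores a vendor from its business function and the data it handles, the resulting tier selects a review cadence and preferred evidence, and the 30-day auto-request only fires when a contact email and a due date exist. The following Python model, written for this guide as an added example and not Vanta's code or API, walks through that chain end to end, including vendor-level overrides of the global settings and the "schedule next review" step that re-arms automation. It also shows how intake data (as in the API-driven intake form mentioned under Stage 1) can feed risk scoring. Every category, data type, point value, threshold, cadence and sample vendor in it is constructed for illustration; substitute your own rubric.

```python
"""Toy model of an inherent-risk rubric and the review automation it drives.

Hypothetical, stand-alone example; not Vanta's code or API. Categories,
data types, points, thresholds, cadences and sample vendors are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MAX_POINTS = 3  # unknown categories or data types score here, so a typo never downgrades a vendor

# Constructed rubric: points by business function and by data type handled.
CATEGORY_POINTS: Dict[str, int] = {
    "infrastructure": 3,   # hosts or can reach production systems
    "hr_payroll": 3,
    "analytics": 2,
    "marketing": 1,
    "office_supplies": 0,
}
DATA_TYPE_POINTS: Dict[str, int] = {
    "customer_pii": 3,
    "credentials": 3,
    "financial": 2,
    "internal_docs": 1,
    "public": 0,
}

# Global tier defaults: review cadence in days and the preferred evidence to request.
TIER_DEFAULTS: Dict[str, Tuple[int, List[str]]] = {
    "high": (365, ["SOC 2 Type II", "Penetration test", "ISO 27001"]),
    "medium": (730, ["SOC 2 Type II"]),
    "low": (1095, []),
}
AUTO_REQUEST_LEAD_DAYS = 30  # evidence is auto-requested 30 days before the review


@dataclass
class Vendor:
    name: str
    category: str
    data_types: List[str]
    contact_email: Optional[str] = None
    next_review_due: Optional[str] = None  # ISO date such as "2025-07-01"
    # Vendor-level overrides; None means "inherit the global tier setting".
    cadence_override_days: Optional[int] = None
    evidence_override: Optional[List[str]] = None


def inherent_risk_score(vendor: Vendor) -> int:
    """Business-function points plus the points of the most sensitive data type handled."""
    category = CATEGORY_POINTS.get(vendor.category, MAX_POINTS)
    data = max((DATA_TYPE_POINTS.get(d, MAX_POINTS) for d in vendor.data_types), default=0)
    return category + data


def inherent_risk_tier(score: int) -> str:
    """Map the score onto the tiers that drive cadence and automation."""
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def effective_settings(vendor: Vendor) -> Dict[str, object]:
    """Resolve the tier, then apply vendor-level overrides on top of the global defaults."""
    score = inherent_risk_score(vendor)
    tier = inherent_risk_tier(score)
    default_cadence, default_evidence = TIER_DEFAULTS[tier]
    cadence = vendor.cadence_override_days if vendor.cadence_override_days is not None else default_cadence
    evidence = vendor.evidence_override if vendor.evidence_override is not None else default_evidence
    return {"vendor": vendor.name, "score": score, "tier": tier,
            "cadence_days": cadence, "evidence": list(evidence)}


def auto_request_status(vendor: Vendor, today_iso: str) -> Tuple[bool, str]:
    """Decide whether the evidence auto-request fires today; if not, say which precondition is missing."""
    settings = effective_settings(vendor)
    if not vendor.contact_email:
        return False, "no vendor contact email"
    if vendor.next_review_due is None:
        return False, "no review due date"
    if not settings["evidence"]:
        return False, "no preferred evidence configured for tier " + str(settings["tier"])
    window_opens = date.fromisoformat(vendor.next_review_due) - timedelta(days=AUTO_REQUEST_LEAD_DAYS)
    if date.fromisoformat(today_iso) < window_opens:
        return False, "outside the %d-day window (opens %s)" % (AUTO_REQUEST_LEAD_DAYS, window_opens.isoformat())
    return True, "request %s from %s" % (", ".join(settings["evidence"]), vendor.contact_email)


def schedule_next_review(vendor: Vendor, completed_on_iso: str) -> str:
    """Completing a review sets the next due date from the effective cadence, which re-arms automation."""
    cadence = int(effective_settings(vendor)["cadence_days"])
    vendor.next_review_due = (date.fromisoformat(completed_on_iso) + timedelta(days=cadence)).isoformat()
    return vendor.next_review_due


# Constructed sample vendors (not real companies); think of these as intake-form submissions.
SAMPLE_VENDORS = [
    Vendor("CloudHost (sample)", "infrastructure", ["customer_pii", "public"],
           contact_email="security@cloudhost.example", next_review_due="2025-07-01"),
    Vendor("AdTool (sample)", "marketing", ["public"]),
    Vendor("Ledger (sample)", "analytics", ["financial"],
           contact_email="trust@ledger.example", next_review_due="2025-09-15", cadence_override_days=365),
    Vendor("Paper (sample)", "office_supplies", ["mislabelled_type"]),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(effective_settings(v), auto_request_status(v, "2025-06-05"))
```

Two design choices worth copying into a real rubric: unknown categories or data types score at the maximum rather than zero, so a mislabelled intake record is over-classified rather than silently dropped to low risk, and `auto_request_status` reports which precondition is missing, which is exactly the information you need when a review shows up in the dashboard with no evidence requested.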
Saving Time with VRM: What Features Matter Most
| Feature | Benefit | How to Use |
|---|---|---|
| Auto-requesting Evidence | Hands-off collection | Works if the preferred evidence and vendor contact email are set |
| Pull from Trust Centers | Faster access to SOC 2 reports and policies | Automatically pulls from vendor public Trust Centers |
| Reuse Old Evidence | Saves time | Helpful if the last SOC 2 is still valid |
| AI + Vendor Answer Comparison | Confident decisions | Use the side-by-side view for clarity |
Advanced Configuration (Optional)
Templates: Use custom templates for questionnaires, DPAs, and BAAs
Metadata Management: Define groups, owners, and account managers
Security Owner Assignment: Tag the responsible internal users
Findings Workflow: Integrate with Jira for task follow-up
Stage 3: Complete a Security Review
Follow these steps to complete your first review:
| Step | Why it Matters | Pro Tips |
|---|---|---|
| Add a Vendor | Kicks off the workflow | Vendors added through procurement are 30% more likely to be reviewed |
| Start a Security Review | Initializes the review process | Add a due date, and you are 13% more likely to complete |
| Add Evidence | Essential for AI assistance | Pull from the Trust Center or upload manually |
| Send Questionnaire/Evidence Request | Engages vendors | Reviews with responses are 2x more likely to be completed |
| Review Answers | AI + vendor answers | Select final answers, flag gaps |
| Add Findings | Captures risk | Link findings, create Jira tickets if needed |
| Make a Risk Decision | Final assessment | Set residual risk, add summary |
| Schedule Next Review | Enables automation | Vanta will auto-request evidence next time |
Ongoing Success
Monitor Security Review Completion: Use the review table to track progress
Use "Needs Review" Tab: Focus on vendors ready for analysis
Regularly Update Vendors: Add new vendors monthly or as they come in
Maintain Automation Settings: Keep global settings current
Best Practices for Success
| Action | Why it Works |
|---|---|
| Start with a strong rubric | Drives automation and consistency |
| Add vendors through procurement | Improves completion rates |
| Use due dates and automation | Keeps reviews on schedule |
| Upload and request evidence | Enables AI and saves time |
| Make decisions + plan next review | Completes the workflow loop |