Vendor Risk Management (VRM) automates third-party security reviews in Vanta, helping you monitor, assess, and track vendors continuously.
If your organization does not use the VRM add-on, you can still maintain a strong, compliant vendor management program using the Vendors page. This guide explains how to manually conduct and document vendor reviews so your program remains audit-ready and aligned with frameworks such as SOC 2, ISO 27001, HIPAA, and GDPR.
Why Vendor Reviews Matter
Vendor reviews demonstrate that your organization understands and manages third-party risk. Every compliance framework expects you to:
Identify vendors your company relies on.
Evaluate their security posture.
Document the evidence used for evaluation.
Re-evaluate them on a defined schedule.
Even without VRM, you can meet these expectations by performing and documenting reviews through Vanta’s Vendors page.
Pro Tip: A clear, repeatable manual process is viewed by auditors as a sign of maturity. Consistency matters more than automation.
Vendors Page vs. VRM Add-On
Feature | Vendors Page | VRM Add-On |
Record vendors | ✔️ | ✔️ |
Upload security documentation | ✔️ | ✔️ |
Manual risk scoring | ✔️ | ✔️ |
Automated questionnaires & scoring | — | ✔️ |
Continuous monitoring & reminders | — | ✔️ |
If you’re working without VRM, your goal is to replicate these automated checks manually. You’ll perform the same diligence (collecting evidence, rating risk, and tracking reviews), just without automation.
How to Conduct Manual Vendor Reviews
Classify Vendors by Risk
Assess each vendor’s inherent risk based on:
Access to sensitive or customer data
Connection to core systems or infrastructure
Role in control performance (e.g., processing or storing data for compliance controls)
Best practice:
Critical vendors: review every 6 months.
All other vendors: review at least annually.
Pro Tip: Create an internal “vendor tiering” table to keep your review cadence consistent.
Gather and Evaluate Evidence
Collect documentation that demonstrates your vendor’s security maturity, such as:
SOC 2 Type II reports or ISO 27001 certificates (with the certificate scope or Statement of Applicability)
Security and privacy policies
Penetration test summaries
Data protection agreements or contracts
Check each document for:
Expiration dates or report period end (a SOC 2 Type II covers a fixed period; ask for a bridge letter covering the gap between the period end and today)
Scope coverage (does it include your region, the service you actually use, and the data centers that host your data?)
Auditor exceptions, qualified opinions, or outstanding remediation plans
Complementary user entity controls (CUECs) the report expects you to implement on your side
If issues appear, such as expired reports or missing coverage, document them and record a remediation plan in the vendor notes.
Upload Your Review in Vanta
On the Vendors page, add your findings and upload related files.
Include the following fields for each vendor:
Field | What to Include |
Review Date | The date you completed the assessment |
Reviewer | The name or role of the reviewer |
Evidence Reviewed | List of documents or reports uploaded |
Risk Rating | Low / Medium / High |
Notes or Findings | Key takeaways, gaps, or next steps |
Track Expirations and Follow-Ups
Without automation, manual reminders are essential.
Use your calendar or a simple spreadsheet to track:
When each vendor’s documentation expires
When the next review is due
Which vendors have open risk remediation tasks
Assign ownership for each vendor to ensure accountability.
Pro Tip: Include your review cadence in your Vendor Management Policy so it aligns with your compliance documentation.
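The following is an added example, not part of this page or of Vanta’s product: a small Python script that stands in for the spreadsheet described above. It applies the cadence from this guide (critical vendors every 6 months, all others annually), flags expired or soon-to-expire evidence, and lists open remediation tasks per vendor owner. The 30-day warning window, the 182-day interval for “every 6 months”, and all vendor records are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence from the guide: critical vendors every 6 months, all others annually.
# Assumption: "6 months" is approximated as 182 days.
REVIEW_INTERVAL_DAYS = {"critical": 182, "standard": 365}
# Assumption: warn this many days before a review falls due or evidence expires.
WARN_DAYS = 30


@dataclass
class Vendor:
    name: str
    tier: str                      # "critical" or "standard"
    owner: str                     # accountable person or team
    last_review: date
    evidence: dict                 # document name -> expiry / period-end date
    open_remediation: list = field(default_factory=list)


def next_review_due(vendor):
    """Next review date implied by the vendor's tier and last completed review."""
    return vendor.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[vendor.tier])


def check_vendor(vendor, today):
    """Return a list of human-readable findings for one vendor as of `today`."""
    findings = []
    due = next_review_due(vendor)
    if today > due:
        findings.append(f"review overdue since {due}")
    elif due - today <= timedelta(days=WARN_DAYS):
        findings.append(f"review due on {due}")
    # Expired evidence is a finding; evidence inside the warning window is a reminder.
    for doc, expiry in sorted(vendor.evidence.items()):
        if today > expiry:
            findings.append(f"{doc} expired on {expiry}")
        elif expiry - today <= timedelta(days=WARN_DAYS):
            findings.append(f"{doc} expires on {expiry}")
    for task in vendor.open_remediation:
        findings.append(f"open remediation: {task}")
    return findings


def build_report(vendors, today):
    """Map vendor name -> owner and findings, omitting vendors with nothing to do."""
    report = {}
    for vendor in vendors:
        findings = check_vendor(vendor, today)
        if findings:
            report[vendor.name] = {"owner": vendor.owner, "findings": findings}
    return report


# Constructed sample data (not real vendors).
TODAY = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("Cloud host", "critical", "platform-team", date(2024, 8, 1),
           {"SOC 2 Type II": date(2025, 6, 30)}),
    Vendor("Payroll SaaS", "standard", "finance-ops", date(2024, 4, 15),
           {"ISO 27001 certificate": date(2025, 3, 20)},
           ["pen test summary not provided"]),
    Vendor("Office supplies", "standard", "facilities", date(2024, 12, 1),
           {"DPA": date(2026, 1, 1)}),
]

if __name__ == "__main__":
    for name, entry in build_report(SAMPLE_VENDORS, TODAY).items():
        print(f"{name} (owner: {entry['owner']})")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

Run it on a schedule (a weekly cron job is enough) and paste the output into the vendor notes or a ticket assigned to the listed owner; the point is that every overdue review and expiring document is surfaced to a named person before an auditor asks for it.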
Uploading Best Practices
To keep your manual reviews organized and complete, use this checklist when updating vendor records:
Task | Description | Frequency |
Upload latest certifications | SOC 2, ISO 27001, PCI DSS, or equivalent | Annually or upon renewal |
Attach key policies | Privacy, data protection, access control, incident response | Annually |
Record review notes | Reviewer name, review date, findings, and risk level | Every review |
Track follow-ups | Add tasks for expiring or missing evidence | Ongoing |
Summarize risk rating | Low / Medium / High | Each review |
Maintaining a Strong Manual Vendor Program
Running vendor reviews manually takes discipline. These best practices help you maintain a credible, sustainable process:
Stay consistent. Use the same review format and cadence for every vendor review to demonstrate a reliable, repeatable process.
Assign ownership. Designate a specific person or team to manage vendor reviews so that responsibility is clear and follow-up actions are completed.
Document evidence clearly. Upload all relevant files and include notes describing what was reviewed, by whom, and when.
Prioritize high-risk vendors. Review vendors that access sensitive data or perform critical services more frequently and with greater depth.
React to changes. If a vendor updates its infrastructure, experiences a security incident, or changes ownership, perform a new review as soon as possible.
Stay transparent. Maintain your review notes and uploaded artifacts so they are easy to reference during audits or internal checks.
Common Risks: Missing annual reviews or allowing SOC 2 reports to expire can create compliance gaps under frameworks like SOC 2 CC9.2 and ISO 27001 A.15.1 (the 2013 Annex A numbering; in ISO 27001:2022 the supplier controls are A.5.19 to A.5.22). Build reminders and accountability into your manual process to avoid these oversights.
Pro Tip: Think of each vendor record as a “mini audit package.” Anyone should be able to open it and understand what was reviewed, when, and by whom.
Preparing for Future Automation
Manual vendor management is a strong foundation for future automation with VRM.
When you’re ready to add VRM, ensure that each vendor record includes:
Completed risk classification and scoring
Uploaded documentation and review notes
Accurate review dates and reviewer names
Clearly assigned vendor owner
This preparation allows your organization to adopt VRM smoothly, with minimal rework.
Pro Tip: If you plan to adopt VRM later, document your manual review cadence and criteria in your policy now. It shows auditors that your program has always been deliberate and structured, not ad hoc.
Quick Reference Checklist
Every vendor reviewed annually
Critical vendors reviewed every 6 months
Risk classification defined for each vendor
Evidence uploaded to each record
Review date and reviewer name documented
Risk rating assigned
Expiration dates tracked
Ownership assigned
Policy includes review cadence and responsibilities
Key Takeaway
Even without the VRM add-on, you can operate a mature, compliant vendor management program in Vanta.
By consistently reviewing, uploading, and maintaining vendor information, your organization demonstrates a strong commitment to security and compliance, and builds a foundation that is ready for automation when the time comes.
