For more information about plan types and capabilities, see Vanta's pricing page.
With the Vendor Risk Management feature, you can assess and manage Vendors' risks in one centralized location. We recommend configuring your settings before proceeding with the Vendor review process.
Overview
From the Vendors page, the Overview tab gives you a visual summary of:
Security reviews progress
Vendors managed
Vendor discovery
Discovery
The Vendor discovery page details which vendors are being utilized within your organization and the associated risk level.
From the Needs Review tab, you can add vendors to your Managed Vendors list, or ignore or reject them.
Discovered Vendors: Vendors discovered by Vanta that are awaiting action (add, ignore, reject)
Ignored Vendors: Vendors you are not leveraging in your tech stack right now; when ignoring a Vendor, you can provide a reason
Rejected Vendors: Vendors you have fully decided not to use in your tech stack
Select the three-dot menu on the right-hand side of the vendor, and select Reject
Adding or Ignoring Vendors
Select the vendor(s) you would like to review, and choose Add or Ignore
Vendors added will be visible from the Managed vendors tab
Additionally, add or ignore individual Vendors by hovering over the Vendor line and selecting the appropriate option
Procurement
Procurement requests for new vendors can be managed from the Procurement tab.
To add a procurement request, select +Add procurement request
Provide a vendor name, category, and assign an owner
Complete the Additional details section
Select Add Procurement request.
To begin the review, select Start
Make any necessary changes to the information and select Continue to inherent risk scoring.
Leverage the auto-risk scoring functionality or manually input Risk attributes.
Begin the security review.
Security Reviews
Click on the vendor you would like to start the security review for
Select the Security reviews tab
Open the security review
From here, you can gather evidence by selecting Add evidence
From the drop-down, you can upload evidence directly from your desktop or link out to another location.
If you do not have the Vendor evidence readily available, you can share the evidence request link directly with the vendor by selecting Share.
You can send an email to the address from the Vendor details section, or you can copy the link and send it directly to your contact.
Once the vendor opens the link, they can upload evidence directly into the portal, which will then be brought to you in Vanta.
Add Findings
Once you have your evidence for the security review from the Vendor, you can start adding findings. Findings help you document any potential security gaps with the vendor or note any other relevant information.
To create a finding, select + Add from the Findings tab
Add any notable findings, and detail your recommended treatment plan
Accept risk: decide to live with the risk and take no further actions
Mitigate risk: identify a resolution plan to mitigate the finding
Not applicable: save this as a notable finding, but do nothing
Using Vanta AI, any answers to the security questionnaire that do not meet your security standards can be added as a finding.
You can also add findings by selecting the + Add finding button
Here, you can detail the findings, as well as a Risk treatment plan
Once all of your findings have been identified, it's time to make a final decision
Communicate Decision
Make a final decision
Approved
Conditionally approved
Not approved
Mark the Review as complete
Moving Vendors from Discovery to Procurement
To ensure vendors go through a formal review before being moved to Managed Vendors, you can now transfer vendors from Discovery to Procurement.
Navigate to the Discovery tab from the Vendors menu.
Find the vendor you want to assess.
Click Move to Procurement.
The vendor will now appear under the Procurement tab for review.
After review, move the vendor to Managed Vendors if approved.
This feature ensures vendors follow a structured approval process before being marked as actively used.