Whether you’re using the standard or Advanced versions of Vendor Risk Management we recommend getting started with reviews the same way.
Once you have added and assessed the risk levels of your vendors to your organization (more information on how to accomplish these actions here), we’ll begin by creating our first review schedule, and then configuring a question set to standardize our analysis of a vendor. We’ll then walk through your first risk review.
What are review schedules?
Review schedules let you batch together your vendors into a repeating cycle to make sure that you’re monitoring their security practices regularly. How often you conduct these reviews is a matter of compliance with your security frameworks (some may require reviews more often than others) and your company’s risk policy. Automating these review cycles makes certain that you’ll continue to pass the associated vendor review tests for your security framework in Secureframe.
Standard TPRM, which comes with Comply Fundamentals plans, gives you access to one review schedule out of the box. If you’d like to configure more schedules, for example if you’d like to review different sets of vendors on various frequencies, talk to your account manager about upgrading to Advanced TPRM. Advanced TPRM lets you create an unlimited number of recurring schedules.
Most customers use review schedules to ensure they review high risk vendors on an annual cadence.
Question sets
Before creating your first schedule, let's create any necessary internal / external question sets. Internal question sets are answered by your team (internally) and external question sets (i.e. vendor questionnaires) are sent to your vendor during a review.
If your organization has a team of reviewers looking into your vendors’ risk profiles, it’s a great idea to standardize your analysis with templated security review questions to make sure you’re reviewing each vendor thoroughly and in the same way. Secureframe provides a default set of questions out of the box, but you can customize this question set or create your own.
To create or modify question sets, click the "Configure reviews" button on the top right of the vendors page.
Once you've created any needed question sets, you are ready to create your review schedule.
Creating our first schedule
- From the "Question Sets" tab, navigate to the "Review schedules" tab.
- Then click the Create Schedule button.
- The first step of creating a review schedule is naming your schedule and setting the start date and cadence of the review. Use the "projected reviews" panel to confirm that you have configured the schedule correctly.
- On the next page you will select the question sets and required documents in the schedule.
- Internal question set: these are questions that will be answered by your internal team during a vendor security review.
- Vendor questionnaire: these are questions that will be automatically sent to your vendor contact when your security review is created. Your vendor will be able to answer these questions and submit them in our vendor portal.
- Requested documents: if you want your vendor to upload any specific document during the review, you can add one or more "requested documents" with instructions for your vendor contact.
- On the final page, you will choose the vendors in this schedule.
You now have your first active review schedule! On the review schedule page you can see when the next review will begin.
Next Review Starting
On the "Review schedules" table, there is a "Next review starting on" column. Each review will "kick off" (be created) on the date specified in this column. If there are external question sets and/or requested documents in your schedule, your vendor contact will receive a vendor portal email automatically when the review is created.
On the main vendors table you can also see the review status for each vendor.
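To make the scheduling behaviour described above concrete, here is an added, self-contained Python model of a review schedule. It is not Secureframe code and does not call any Secureframe API; the class and function names, the 30-day review window, and the sample vendor names are assumptions chosen for illustration. It computes the "projected reviews" dates for a start date and cadence, the "Next review starting on" value for a given day, creates one review per vendor on a kick-off date, flags overdue reviews, and applies the notification rule stated in the FAQ at the end of this article (assignees only, not the owner).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import calendar


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's
    length (e.g. Jan 31 + 1 month -> Feb 29 in a leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ReviewSchedule:
    name: str
    start: date             # date of the first review in the cycle
    cadence_months: int     # 12 = the annual cadence most customers use
    vendors: list[str] = field(default_factory=list)

    def projected_reviews(self, count: int) -> list[date]:
        """Equivalent of the 'projected reviews' panel: the next `count` kick-off dates.
        Each date is derived from the start date, so clamped days do not drift."""
        return [add_months(self.start, i * self.cadence_months) for i in range(count)]

    def next_review_starting(self, today: date) -> date:
        """Value shown in the 'Next review starting on' column as of `today`
        (inclusive: if a review kicks off today, today is returned)."""
        i = 0
        while add_months(self.start, i * self.cadence_months) < today:
            i += 1
        return add_months(self.start, i * self.cadence_months)


@dataclass
class VendorReview:
    vendor: str
    schedule: str
    created_on: date
    due_on: date
    owner: str
    assignees: list[str]
    finished: bool = False
    open_findings: list[str] = field(default_factory=list)

    def is_overdue(self, today: date) -> bool:
        return not self.finished and today > self.due_on

    def overdue_recipients(self) -> list[str]:
        # Rule from the FAQ: only assignees receive overdue notifications,
        # the review owner does not.
        return list(self.assignees)


def kick_off_reviews(schedule: ReviewSchedule, today: date, owner: str,
                     assignees: list[str], review_window_days: int = 30) -> list[VendorReview]:
    """Create one review per vendor in the schedule if `today` is a kick-off date.
    The 30-day window before a review counts as overdue is an assumption."""
    if schedule.next_review_starting(today) != today:
        return []
    return [
        VendorReview(vendor=v, schedule=schedule.name, created_on=today,
                     due_on=today + timedelta(days=review_window_days),
                     owner=owner, assignees=list(assignees))
        for v in schedule.vendors
    ]


def carry_to_risk_register(reviews: list[VendorReview]) -> list[tuple[str, str]]:
    """Findings still open when a review is finished are candidates for the risk register."""
    return [(r.vendor, f) for r in reviews if r.finished for f in r.open_findings]


if __name__ == "__main__":
    # Constructed sample: an annual schedule for two high-risk vendors.
    annual = ReviewSchedule("Annual high-risk", date(2024, 1, 15), 12,
                            ["Acme Cloud", "Example Payroll"])
    print("Projected:", annual.projected_reviews(3))
    print("Next review starting on:", annual.next_review_starting(date(2024, 6, 1)))
    for r in kick_off_reviews(annual, date(2025, 1, 15), "owner@example.com",
                              ["reviewer@example.com"]):
        print(r.vendor, "due", r.due_on, "overdue on 2025-03-01:", r.is_overdue(date(2025, 3, 1)))
```

Dates are always derived from the schedule's start date rather than from the previous review, so a start date near month end does not drift earlier each cycle.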
Handling your first vendor review
If your organization does not already have a standard process for reviewing vendor risk, this is a great opportunity to lay the groundwork.
When you start a new vendor review, you’ll see a screen that looks like the one below.
- The Summary tab contains an overview of key notes and findings on a vendor
- The Risk Level tab is where you indicate the level of risk for risk subcategories and the data relevant to the vendor
- The Documents tab is meant to house documentation related to this review, such as compliance reports and attestations
- The Internal Review tab contains any configured security review questions for this vendor (as detailed above in the section called “Set up a security review question set in Templates”)
We’ve designed the application to be flexible to accommodate most review practices. If you’re unsure how or what to do on your risk reviews, please reach out to your Secureframe customer success manager to get in touch with our compliance team for advice. You can then build checklists or questions into the Review question set on each vendor review to align to your risk management plan.
This aside, the goal of your security review should be to elicit any findings relevant to the risk profile of a vendor. Here are some basic questions you may want to consider:
- Are they compliant with security frameworks? If so, which ones? If not, is this a problem if they interact with important services or data for your company?
- Can the vendor prove their compliance with relevant reports from auditors?
- Were there any findings or notes from the auditor in these reports that should concern you or your business? For example, are there notes from auditors in their reports that mention dubious security practices around handling of customer data? If so, is this vendor processing your own customers’ data and might this be an issue?
When you generate findings, these should represent areas of concern or items that you may want to chat with your vendor about. If these cannot be resolved or will remain outstanding beyond the period of your review, you may consider adding these as risks to your risk register. It’s always a good idea to check prior reviews of a vendor to see if there are any findings that you should revisit with your vendor contact.
Otherwise, at a minimum, we recommend obtaining, reading, and storing the most recent key compliance documentation related to your vendor, such as their SOC 2 Type I or II reports or ISO 27001 certificates by uploading these in the Documents tab.
If you have configured security review questions for this vendor, ensure that you answer these as well before moving on.
You can also use the Comments feature to have conversations with your team around the security posture of a vendor and store these for future reference.
Once you’ve taken all relevant actions on your review, you can click Finish on the top right to complete it.
Frequently Asked Questions (FAQ)
Who receives notifications for overdue vendor reviews in the TPRM — the vendor review owner, the review assignees, or both?
Currently, only the individual review assignees are notified when a vendor review becomes overdue. The vendor review owner does not receive overdue notifications at this time.