Third Party Risk Management (TPRM) / Vendor Management

How to handle your first third party risk (Vendor) review

Initial setup

Whether you’re using the Standard or Advanced version of Third Party Risk Management (TPRM), we recommend getting started with reviews the same way.

Once you have added your vendors and assessed the risk level each one poses to your organization (more information on how to accomplish these actions here), we’ll begin by creating our first review schedule, and then configuring a question set to standardize our analysis of a vendor. We’ll then walk through your first risk review.

But first, what are review schedules?

Review schedules let you batch your vendors into a repeating cycle so that you’re monitoring their security practices regularly. How often you conduct these reviews is a matter of compliance with your security frameworks (some require reviews more often than others) and your company’s risk policy. Automating these review cycles makes certain that you’ll continue to pass the associated vendor review tests for your security framework in Secureframe.

Standard TPRM, which comes with Comply Fundamentals plans, gives you access to one review schedule out of the box. If you’d like to configure more schedules (for example, to review different sets of vendors at different frequencies), talk to your account manager about upgrading to Advanced TPRM. Advanced TPRM lets you create an unlimited number of recurring schedules.

Most customers use review schedules to ensure they review high risk vendors on an annual cadence.

Now, let’s create our first schedule

  • To get started, we’ll click on the Vendor review button on the top right of the Vendors page.
  • Then, we’ll click on the Recurring schedules tab and then Create Schedule.
  • On the Create recurring review schedule modal, we’ll enter our schedule name, review owner, the date the review should begin, and the frequency of each scheduled review. We’ll also set the review length (which sets the due dates for having all reviews completed), and when we’ll receive reminders before the start and end of the review cycle. Note: Make sure that you choose a start date and frequency that align with your audits. For example, you may want to ensure all high risk vendors are reviewed a quarter prior to your audit period.
  • We’ll click Next, define which vendors should go into the schedule, and then click Create.
  • We now have an active review schedule!

Now that our schedule is created, what happens next?

Any scheduled reviews that are due to occur in the next 90 days will appear in the Pipeline tab on the Vendor reviews area. The review assignees for each vendor will receive an email when the review is a certain number of days away (the system uses the reminder settings configured during schedule setup). If your next scheduled review is more than 90 days away, there’s no action to be taken yet.

But the next thing we’ll want to do is set up a question set for our security review.

Set up a security review question set in Templates

Especially if your organization has a team of reviewers looking into your vendors’ risk profiles, it’s a great idea to standardize your analysis with templated security review questions to make sure you’re reviewing each vendor thoroughly and in the same way. Secureframe provides a default set of questions out of the box in the Templates tab within the Vendor review page.

To modify the default template, navigate to the Templates tab, click on the Default template, and add or remove questions from there. You can also rename the template to something more representative of its use, like “High risk vendor questions”, or delete it entirely.

Security review question sets will only show on reviews if you apply them to particular vendors. To do this, we’ll go to the main Vendors page, select a set of vendors, and use the bulk action Property > Edit review template to assign them a template.

When would I use the One-Time Review function?

One-time reviews are ideal for onboarding a new vendor. Some frameworks require a risk review when you contract with a new third party, and it’s a good idea to do this even when it isn’t required.

To get started with a One-Time review:

  • Navigate to the Vendor review page by clicking the Vendor review button on the main Vendors page.
  • On the top right, click the arrow next to the Schedule review button, and then Create one-time review.
  • In the same way as we did with the recurring review schedules, we’ll fill in the basic information about this review.
  • Then, select your vendor(s) to be reviewed and click Save.
  • You’ll be dropped into the review containing all of the vendors you just selected.
  • Now just click Start review to begin your review, store key documentation, and record any findings.

What should I do during my first vendor review?

If your organization does not already have a standard process for reviewing vendor risk, this is a great opportunity to lay the groundwork.

When you start a new vendor review, you’ll see a screen that looks like the one below.

  • The Summary tab contains an overview of key notes and findings on a vendor
  • The Documents tab is meant to house documentation related to this review, such as compliance reports and attestations
  • The Review tab contains any configured security review questions for this vendor (as detailed above in the section called “Set up a security review question set in Templates”)

We’ve designed the application to be flexible enough to accommodate most review practices. If you’re unsure how to approach your risk reviews, reach out to your Secureframe customer success manager to get in touch with our compliance team for advice. You can then build checklists or questions into the Review question set on each vendor review to align with your risk management plan.

That aside, the goal of your security review should be to surface any findings relevant to the risk profile of a vendor. Here are some basic questions you may want to consider:

  • Are they compliant with security frameworks? If so, which ones? If not, is this a problem given the services or data of yours that they interact with?
  • Can the vendor prove their compliance with relevant reports from auditors?
  • Were there any findings or notes from the auditor in these reports that should concern your business? For example, do the auditors note dubious security practices around handling of customer data? If so, does this vendor process your own customers’ data, and might that be an issue?

Findings should represent areas of concern or items that you may want to discuss with your vendor. If these cannot be resolved, or will remain outstanding beyond the period of your review, consider adding them as risks to your risk register. It’s always a good idea to check prior reviews of a vendor to see if there are any findings that you should revisit with your vendor contact.

At a minimum, we recommend obtaining, reading, and storing the most recent key compliance documentation related to your vendor, such as their SOC 2 Type I or Type II reports or ISO 27001 certificates, by uploading these in the Documents tab.

If you have configured security review questions for this vendor, ensure that you answer these as well before moving on.

You can also use the Comments feature to have conversations with your team around the security posture of a vendor and store these for future reference.

Once you’ve taken all relevant actions on your review, you can click Finish on the top right to complete it.
