Vendor Risk Management (VRM) - Full Guide

Overview

Vendor Risk Management involves identifying, assessing, and mitigating risks that arise from working with external vendors, partners, suppliers, or service providers. These third parties can introduce risks to an organization, such as data breaches, compliance violations, financial instability, or operational disruptions.

With Secureframe, customers on the Comply Fundamentals plan receive the standard version of Vendor Risk Management. Customers on a Complete plan have access to Secureframe's Advanced VRM offering by default.

The standard VRM plan includes:

  • Managing your active vendors list (add one by one or in bulk)
  • Vendor risk assessments using Secureframe default risk levels
  • A single schedule for reviews
  • A single question set for reviews
  • Secureframe default categories and department tags for vendors

Advanced VRM capabilities include all of the features above plus:

  • Customizing the vendor risk assessment settings, including:
    • Primary risk scoring
    • Secondary risk scoring
      • Subcategories
      • Environment type
      • Data management
  • Customizing vendor tags
  • Detected applications through SSO providers (easily bring popular applications at your company into your vendor risk program)
  • Creating and assigning custom review schedules based on vendor risk level or other categorization
  • Unlimited schedules
  • Unlimited question sets for internal security reviews

Recommended starting steps

  1. Add your vendors to Secureframe VRM (See Adding Vendors below). If you're bulk uploading vendors from a CSV, you can import their risk levels and other metadata to save yourself time.
  2. For any vendors that do not have an associated risk level, conduct a risk assessment (See Conducting a Vendor Risk Assessment below)
  3. Set up a review schedule. Review schedules contain lists of vendors that you want to review on the same cadence. (See Configuring Vendor Reviews below)

See also: Getting started with your first security review.

How to Add Vendors

By adding vendors, you are formalizing and documenting the relationship, allowing for better monitoring of their compliance with your security, privacy, and operational standards.

Vendors can be added one by one, or in bulk using CSV. See instructions below:

How to Create a Single Vendor

  1. Navigate to Vendors - From the main menu, go to the Vendors section.

  2. Add a Vendor - Click the + Add Vendor button in the top right corner.

  3. Enter Vendor Name - Provide a single vendor name (e.g., KnowBe4) and click Create.

  4. Complete Vendor Details - Fill out the fields shown in the vendor details form. (Note: required fields are indicated by an *)

    • *Name – Vendor’s official name (auto-filled from step 3).

    • *Website – Vendor’s main website URL.

    • Trust Center / Security URL – Link to their security or compliance page.

    • *Services Provided – Brief description of services they provide.

    • *Owner – Internal owner responsible for the vendor relationship.

    • Categories – Select applicable risk/compliance categories, which are high-level classifications that describe the type of risk, security area, or operational function associated with a vendor. They help organize vendors by the kind of potential impact they could have on your organization.

    • Departments – Select internal departments that use this vendor. Departments identify which internal teams in your organization rely on or use the vendor’s products or services. This ensures you can quickly see which parts of the business would be impacted if there’s an issue with that vendor.

    • Tags – Add any relevant internal tags for easier filtering/search.

    • Contract Start/End Dates – Enter the contract term.

    • Last Reviewed At – Date of last vendor risk or performance review.

    • Account Manager Name & Email – Vendor’s main point of contact.

    • Authentication Type – Select Password, Single Sign-on, or N/A.

    • Audit Report Concerns – Note if any SOC 2, ISO 27001, or similar audit reports show concerns.

    • Other Information – Any additional notes or context.

  5. Save and Continue - Once all details are completed, click Next to proceed through the remaining steps:

    • Detected Applications

    • Risk Level Assessment

    • Documents

    • Finish

Bulk Import Vendors via CSV or Excel

  1. Navigate to Vendors - From the main menu, go to Vendors.

  2. Click “+ Add Vendors” → Import from CSV

  3. Download the Template - Click Download Excel Template to get the correct format.

  4. Fill Out the Required Columns

    • Required:

      • Name

      • Website

    • Optional:

      • Account manager email

      • Account manager name

      • Authentication type

      • Categories

      • Contract start date

      • Departments

      • Environments

  5. Upload Your File - Drag and drop your CSV/Excel file or click the upload area to browse.

  6. Review and Confirm - Ensure all vendor data is correct, then proceed to complete the import process.
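Before uploading, it is worth checking the file locally: the import dialog only tells you a row failed, not why, and a bad Website cell or an unrecognised Authentication type is easy to miss in a large spreadsheet. The following Python script is an added example, not Secureframe code. It validates the column set described in the steps above (Name and Website required; the listed optional columns) and reports every problem it finds. The exact template headers and the accepted "Authentication type" values are assumed from the field descriptions on this page, so confirm them against the downloaded Excel template; the sample rows at the bottom are constructed.

```python
"""Pre-upload checks for a Secureframe vendor bulk-import CSV.

Added example, not Secureframe code. Column names and the accepted
"Authentication type" values are assumed from this page's field descriptions;
confirm them against the downloaded Excel template. Sample rows are constructed.
"""
import csv
import io
from datetime import date
from typing import Dict, List
from urllib.parse import urlparse

REQUIRED = ("Name", "Website")
OPTIONAL = (
    "Account manager email", "Account manager name", "Authentication type",
    "Categories", "Contract start date", "Departments", "Environments",
)
AUTH_TYPES = {"Password", "Single Sign-on", "N/A"}  # assumed from the vendor form


def website_host(value: str) -> str:
    """Return the lowercase host of a Website cell, or "" if it is not usable.

    Accepts both 'https://vendor.example' and bare 'vendor.example'.
    """
    candidate = value if "://" in value else "https://" + value
    parsed = urlparse(candidate)
    host = parsed.netloc.lower()
    if parsed.scheme not in ("http", "https") or "." not in host or " " in host:
        return ""
    return host


def is_iso_date(value: str) -> bool:
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False


def validate_vendor_csv(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the file is ready to upload."""
    problems: List[str] = []
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []

    for col in REQUIRED:
        if col not in headers:
            problems.append(f"missing required column: {col}")
    unknown = [h for h in headers if h not in REQUIRED + OPTIONAL]
    if unknown:
        problems.append(f"unknown columns: {unknown}")
    if any(p.startswith("missing required column") for p in problems):
        return problems  # row checks are meaningless without the required columns

    seen_hosts: Dict[str, int] = {}
    for n, row in enumerate(reader, start=2):  # line 1 is the header row
        name = (row.get("Name") or "").strip()
        if not name:
            problems.append(f"row {n}: Name is empty")

        site = (row.get("Website") or "").strip()
        host = website_host(site)
        if not host:
            problems.append(f"row {n}: Website {site!r} is not a usable URL")
        elif host in seen_hosts:
            problems.append(f"row {n}: duplicate Website host {host!r} (first seen on row {seen_hosts[host]})")
        else:
            seen_hosts[host] = n

        auth = (row.get("Authentication type") or "").strip()
        if auth and auth not in AUTH_TYPES:
            problems.append(f"row {n}: Authentication type {auth!r} not in {sorted(AUTH_TYPES)}")

        start = (row.get("Contract start date") or "").strip()
        if start and not is_iso_date(start):
            problems.append(f"row {n}: Contract start date {start!r} is not YYYY-MM-DD")

        email = (row.get("Account manager email") or "").strip()
        if email and email.count("@") != 1:
            problems.append(f"row {n}: Account manager email {email!r} looks malformed")
    return problems


# Constructed sample: a clean row, a row with several defects, and a duplicate host.
SAMPLE_CSV = """Name,Website,Account manager email,Authentication type,Contract start date
KnowBe4,https://www.knowbe4.com,am@knowbe4.com,Single Sign-on,2024-01-15
Acme Freelancer,,not-an-email,SAML,15/01/2024
KnowBe4 (duplicate),www.knowbe4.com,,Password,
"""

if __name__ == "__main__":
    for problem in validate_vendor_csv(SAMPLE_CSV) or ["no problems found"]:
        print(problem)
```

The duplicate check compares hosts rather than raw cells, so "https://www.knowbe4.com" and "www.knowbe4.com" are recognised as the same vendor; that is usually the error you want to catch when several teams contribute rows to one spreadsheet.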


Viewing Vendors

Vendors can be searched, filtered, and sorted in many different ways.

Manipulating the Vendors Table

Vendors can be filtered and sorted in the table by:

  • Categories (not sortable)
  • Contract start date
  • Contract end date
  • Departments (not sortable)
  • Name
  • Owner
  • Review status (not sortable)
  • Tags (not sortable)
  • Risk level


Customizing Vendor Risk Assessment Settings

Select the cog icon on the top right of the vendors page to configure the following settings.

Configuring Primary Risk Scoring (Advanced feature)

Primary risk score settings determine the risk levels available for selection when conducting individual vendor assessments.

On the configuration tab, qualitative (e.g. high, medium, and low) and quantitative (e.g. 3, 2, 1) risk level scoring can be customized based on organizational needs. 

Some organizations use a 3-tier high, medium, and low scoring system for assessing vendor risk; others use a 10-tier scoring system. Either way, the scale can be customized to match how your organization rates risk.

Configuring Secondary Risk Scoring (Advanced feature)

The primary risk score can be augmented by three secondary inputs:

  • Subcategories
  • Data management
  • Environment type

Secondary risk scoring provides additional ways to influence the primary risk score. 

Risk subcategories (e.g. operational reliance, difficulty of vendor substitution, etc.) may be optionally added to further tailor how assessors should consider risk during an assessment. Risk levels for these subcategories are defined during an individual vendor's risk assessment.


Data management can be fully customized based on an organization's data and privacy concerns to further influence an assessor's decision-making during an individual vendor risk assessment. Risk levels for data management are defined globally in these settings, rather than being on a per vendor basis.


Environment type (development or production) is not customizable in settings; however, assessors are prompted to indicate the environment type during an individual vendor assessment.

Customizing Vendor Tags

Vendor tags define the shared categories and departments that can be applied to vendors, so that related vendors can be grouped. These tags can be used as filters on the primary vendors table.


Conducting a Vendor Risk Assessment

To begin an individual vendor risk assessment, select a vendor with a risk level of "Not assessed".

Basic Vendor Details

Enter basic information about the vendor. Required fields are marked with a red asterisk.

  • Name: The name of the vendor
  • Website: The website of the vendor
  • Security URL: The location of vendor security documentation
  • Services provided: Information about apps or services you use
  • Owner: The person responsible for the vendor
  • Categories & Departments: Tags associated to this vendor
  • Contract start and end date: The duration of the current vendor contract
  • Account manager name and email: The primary PoC on the vendor's side
  • Authentication type: The mechanism for authenticating into the vendor and/or its products
  • Compliance report findings: Describe issues the vendor has called out in reports such as a SOC 2, as applicable. These details should influence the vendor's risk assessment
  • Other information: Other notable detail about the vendor


Detected Applications (Advanced feature)

Secureframe scans for shadow IT via integrations such as Google Workspace, Google Cloud Identity, Okta, Office 365, and more to determine applications in use by people at an organization.

Discovered applications can be linked to a vendor. For example, if the vendor is recorded at the parent-company level, such as "Google" or "Alphabet", applications such as "Google Cloud Platform" and "Google Workspace" should be linked to that vendor.

Note the minimum requirements:

  • some form of identity solution / SSO must be connected to Secureframe (e.g. Google Workspace, Google Cloud Identity, Okta, Office 365)
  • it may take up to 24 hrs for the integration to sync and populate the detected applications and users

To view all discovered applications, click the "New Applications Detected" banner at the top of the page, then select Detected applications at the top of the vendors table.

You can bulk add applications as vendors, link applications to vendors, or ignore the applications.


Risk Level Assessment

Indicate the level of risk for each risk subcategory and for the data relevant to the vendor. As a reminder, these were configured in the global risk assessment settings. Specify the environment type of the vendor as well as the overall risk level for the vendor. Secureframe automatically suggests a recommended risk level for the vendor based on these inputs.
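The page does not publish the formula Secureframe uses for its recommendation, so the Python block below is an added illustration, not Secureframe code. It shows how the inputs described on this page fit together under one conservative policy that is an assumption of this example: a configurable primary scale (3-tier or 10-tier), per-vendor subcategory ratings, data-management levels defined once in settings, and environment type, rolled up as "the worst input wins, and a production environment raises the result one step". The subcategory and data-class names are constructed.

```python
"""Illustrative roll-up of assessment inputs into a recommended risk level.

Added example, not Secureframe code. The "worst input wins, production bumps
one step" policy is an assumption for illustration, not the product's logic.
Subcategory and data-class names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RiskScale:
    """Primary risk levels ordered from lowest to highest."""
    levels: Tuple[str, ...]

    def index(self, label: str) -> int:
        if label not in self.levels:
            raise ValueError(f"{label!r} is not a level on scale {self.levels}")
        return self.levels.index(label)

    def top(self) -> int:
        return len(self.levels) - 1


THREE_TIER = RiskScale(("Low", "Medium", "High"))
TEN_TIER = RiskScale(tuple(str(n) for n in range(1, 11)))

# Data-management levels are set once in settings, not per vendor (constructed values).
DATA_LEVELS_3T: Dict[str, str] = {
    "No customer data": "Low",
    "Internal business data": "Medium",
    "Customer PII": "High",
    "Payment card data": "High",
}


@dataclass(frozen=True)
class Recommendation:
    level: str
    driver: str      # the input that produced the highest rating
    bumped: bool     # True if the production-environment step-up applied


def recommend_level(
    scale: RiskScale,
    subcategory_ratings: Dict[str, str],   # per-vendor, e.g. {"Operational reliance": "Medium"}
    data_handled: Iterable[str],           # data classes this vendor touches
    data_levels: Dict[str, str],           # global data-management settings
    environment: str,                      # "development" or "production"
) -> Recommendation:
    if environment not in ("development", "production"):
        raise ValueError("environment must be 'development' or 'production'")

    # Every input is expressed as a position on the primary scale.
    rated = [(name, scale.index(level)) for name, level in subcategory_ratings.items()]
    rated += [(f"data: {d}", scale.index(data_levels[d])) for d in data_handled]
    if not rated:
        raise ValueError("at least one subcategory rating or data class is required")

    # Worst-case roll-up: the highest-rated input sets the floor.
    driver, worst = max(rated, key=lambda item: item[1])
    bumped = environment == "production" and worst < scale.top()
    if bumped:
        worst += 1
    return Recommendation(scale.levels[worst], driver, bumped)


if __name__ == "__main__":
    rec = recommend_level(
        THREE_TIER,
        {"Operational reliance": "Medium", "Difficulty of substitution": "Low"},
        ["Customer PII"],
        DATA_LEVELS_3T,
        "production",
    )
    print(rec)
```

Returning the driver alongside the level is the useful part for an assessor: when the suggestion looks too high, it points at the single input to re-examine rather than the whole assessment.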


Security Review

Vendor risk assessments are not a one-time task. Review schedules should be created to specify how frequently a review should occur. Multiple vendors can be assigned to a single review schedule for efficiency in cases where vendors are on the same review cycle.

A new review schedule can be created, or you can use an existing review schedule by selecting it under Recurring schedule.


Templates can be specified to determine which questions should be answered during a vendor review.

Review

Complete the assessment when you have reviewed your previous selections.

Configuring Vendor Review Schedules

Navigate to Vendors > Configure Reviews from the primary vendor table.

On the Review schedules tab, you will see a list of all the vendor review schedules that exist.

Clicking into a review will bring you to the details tab of a review, which includes the following information:

Schedule Details:

  • Review Name
  • Review Frequency
  • Length of Review (The default duration setting when scheduling a vendor security review is 90 days.)
  • Review Owner
  • Start/End Reminder

Question Sets:

  • Internal questions - these are questions your team can answer internally during a review.
  • External vendor questionnaires - these are questions that will be sent to your vendor automatically as part of the review.

Requested Documents - this is a list of documents that will be requested from your vendor as part of the review.

On the "Vendors" tab of a review, you can manage the vendors included in the review, set assignees, and determine which vendor contact should be sent the vendor portal email. See "Vendor Portal" below for more information.

The final tab, "Reviews", shows a list of reviews that have been created as part of this schedule.

Customizing Internal Review Templates (Advanced feature)

With the standard VRM plan, you can always modify the Default Template, but your account must have the Advanced feature set to create and modify multiple templates. Security review templates define the content of a review.


Assignees fill out these questions during a review. Secureframe has provided a default template with an initial question set.


Conducting a Vendor Review

Once a review cycle begins, the assignee of the vendor's review for that cycle receives an email notification. The assignee is prompted to complete the review by uploading new compliance reports, answering review questions, adding findings, and leaving comments.

If the review schedule includes external vendor questionnaires or requested documents (labeled "External"), your vendor contact will receive an invitation to the vendor portal.

The vendor portal lets the external user submit documentation. Once they have uploaded their documents and submitted them through the portal, the vendor owner receives an email and the attachments are added to the "Documentation" tab of both the vendor and the security review.

Frequently Asked Questions (FAQ)

How do I assign a specific question set to an automated vendor security review?

  • Within a security review, you are able to specify the internal/external question sets related to that review.

In our list of vendors I have both Atlassian and JIRA. I want to remove Jira (because that is a product of the Atlassian company.) If I archive Jira from the list of vendors, does this have any impact on the integrations we have with Jira?

  • Archiving a vendor that has a related integration will not archive the connection. The vendors and the integrations are considered separate in the platform.
  • You will be able to safely remove the Jira vendor, while keeping the Jira connection.

What if the vendor I am trying to add is a freelancer and does not have a website? 

  • In cases where the vendor does not have a website, a placeholder domain can be entered instead; for example, "freelancersname.com" can be used as the website URL. Prefer a placeholder that cannot resolve to an unrelated third party, such as a name under example.com or the .invalid top-level domain (both reserved by RFC 2606), so that links or lookups on the vendor record never point at a real site you do not control.

What is the difference between the Risk Assessment Date and the Last Review Date?

  • The Risk Assessment Date refers to when the vendor’s risk score was last updated.
  • The Last Review Date indicates when the vendor security review was performed.
    • These dates can differ depending on when each action was completed. For example, a vendor’s risk score might be updated after an internal reassessment, while the security review may have been performed earlier or separately.

How can I download a vendor document?

  • To download a vendor document, go to the Vendors page, select the vendor, and open the Documentation tab. Click the document name and it will open in a new browser tab or window where you will see an option to download it.

How do I delete a one-time vendor review?

  • Go to the Vendor’s page, open the Security reviews tab, find the review, click the three-dot menu next to it, and select Delete.

Why does the Detected Applications table show incorrect or mismatched account counts, and why aren't some apps appearing at all?

This can happen for a few reasons:

  1. No identity provider connected — Detected Applications requires an identity integration (Google Workspace, Okta, Entra/Office 365, or Google Cloud Identity) to be active. Non-identity integrations like Jira, AWS, or Bitbucket will only show up as a single "Added by integration" entry with a count of 1 — they cannot report what other apps your users are accessing.
  2. Stale data from a disconnected integration — If an identity integration was previously connected and then removed, its detected application data may not have been properly archived, causing inflated or inaccurate counts. Reconnecting the integration and allowing it to sync will resolve this.
  3. Sync hasn't run yet — After connecting or reconnecting an integration, it can take up to 24 hours for detected applications and account counts to populate accurately.

Why does a specific app (e.g., one accessed via Entra) show up in Detected Applications, but with only 1 account?

  • This is expected behavior for non-identity integrations. Only identity providers (Google Workspace, Entra, Okta) can surface per-user app activity. Google reports apps users have actually signed into via OAuth, while Entra and Okta report apps assigned to users by admins. 
  • All other connected integrations appear as a single detected app entry labeled "Added by integration" with a count of 1 — this is not a bug. To see accurate per-user counts, ensure at least one supported identity provider is connected and has completed its sync.
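The counting and linking rules described in the Detected Applications section and in the two FAQ answers above are easy to reproduce offline, which helps when reconciling what the banner shows against your own IdP export. The Python block below is an added example, not Secureframe code: it counts distinct accounts per application from identity-provider records (Google OAuth sign-ins or Okta/Entra admin assignments), gives each non-identity integration a single "Added by integration" entry with a count of 1, and then links every detected app to an existing vendor by website domain or reports it as unlinked, i.e. a shadow-IT candidate to add, link, or ignore. The record shape, the vendor list and all records are constructed assumptions, not an IdP API format or Secureframe data.

```python
"""Reconcile identity-provider-detected applications against the vendor inventory.

Added example, not Secureframe code. The record shape, vendor list and all
records below are constructed assumptions, not an IdP API format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IdpRecord:
    source: str       # "google" (OAuth sign-in) or "okta"/"entra" (admin assignment)
    app: str
    app_domain: str
    user: str         # account identifier; one user with several grants counts once


@dataclass
class DetectedApp:
    name: str
    domain: str
    accounts: int
    source: str
    linked_vendor: Optional[str] = None


def aggregate_detected_apps(
    idp_records: Iterable[IdpRecord],
    non_identity_integrations: Iterable[Tuple[str, str]],  # (name, domain)
) -> List[DetectedApp]:
    """Count distinct accounts per app from IdP data; other integrations count as 1."""
    users: Dict[str, Set[str]] = defaultdict(set)
    meta: Dict[str, Tuple[str, str]] = {}
    for rec in idp_records:
        key = rec.app_domain.lower()
        users[key].add(rec.user.lower())   # set membership deduplicates repeat grants
        meta[key] = (rec.app, rec.source)
    apps = [
        DetectedApp(name=meta[d][0], domain=d, accounts=len(accts), source=meta[d][1])
        for d, accts in users.items()
    ]
    for name, domain in non_identity_integrations:
        # No per-user visibility here: the integration only proves the app exists.
        apps.append(DetectedApp(name=name, domain=domain.lower(), accounts=1,
                                source="Added by integration"))
    return apps


def link_to_vendors(apps: List[DetectedApp], vendors: Dict[str, str]) -> List[DetectedApp]:
    """Link each app to the vendor whose website domain matches (exact or parent domain).

    `vendors` maps vendor name -> website domain as recorded on the vendor.
    The suffix match is a deliberately simple heuristic.
    """
    for app in apps:
        app.linked_vendor = None
        for vendor, vendor_domain in vendors.items():
            dom = vendor_domain.lower()
            if app.domain == dom or app.domain.endswith("." + dom):
                app.linked_vendor = vendor
                break
    return apps


def unlinked_apps(apps: List[DetectedApp]) -> List[str]:
    """Detected apps with no vendor record: the ones to add, link, or ignore."""
    return [a.name for a in apps if a.linked_vendor is None]


# Constructed sample data.
IDP_RECORDS = [
    IdpRecord("google", "Google Cloud Platform", "cloud.google.com", "alice@corp.example"),
    IdpRecord("google", "Google Cloud Platform", "cloud.google.com", "alice@corp.example"),  # repeat grant
    IdpRecord("google", "Google Cloud Platform", "cloud.google.com", "bob@corp.example"),
    IdpRecord("google", "Notion", "app.notion.so", "alice@corp.example"),
    IdpRecord("google", "Notion", "app.notion.so", "carol@corp.example"),
    IdpRecord("okta", "KnowBe4", "knowbe4.com", "dave@corp.example"),
]
NON_IDENTITY = [("Jira", "atlassian.com"), ("AWS", "aws.amazon.com")]
VENDORS = {"Google": "google.com", "Atlassian": "atlassian.com", "KnowBe4": "knowbe4.com"}

if __name__ == "__main__":
    for app in link_to_vendors(aggregate_detected_apps(IDP_RECORDS, NON_IDENTITY), VENDORS):
        print(f"{app.name:<22} accounts={app.accounts} source={app.source:<20} vendor={app.linked_vendor}")
```

Two things the sample makes visible: Alice's repeated grant to Google Cloud Platform is counted once, which is why account counts from an IdP can be lower than the number of raw events, and Jira appears with a count of 1 and no user detail because only the non-identity Jira integration reported it.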

Why aren't all expected vendors appearing in the high_priority_vendor_list token in a policy, and why are vendors without a "High" risk score showing up?

The high_priority_vendor tag does not control this list. The dropdown filters to vendors whose VRM risk score is at or above the High threshold, but only when VRM is enabled and at least one vendor is classified as High. A vendor will not appear in the dropdown unless its VRM risk score is set to High.

Non-High vendors can still appear in the rendered token if they were saved before VRM was enabled or before any vendor was classified as High. Secureframe does not re-filter on render, so whatever was previously saved remains.

There are two options in this situation:

  1. Set the vendor's VRM risk score to High so that it appears in the dropdown.
  2. If vendor priority needs to be decoupled from the risk score, submit a feature request; the current behavior intentionally links the two.

To remove vendors that should not be in the token, the simplest path is to remove the {{high_priority_vendor}} token from the policy content directly, since clearing the field on the backend would require a data migration.
