Your organization probably works with a lot of vendors—a company with 200-300 employees uses roughly 123 SaaS products. And, it’s not just SaaS products. Your vendors supply you with office supplies, computer hardware, and even physical services like office cleaning and recycling.
When you pick an HR tool to run your business, you're not just using that tool to keep your employees organized and paid on time. You're trusting that company to safely store sensitive information about your employees like their personal addresses, bank account information, and even social security numbers. Many people assume that this data is stored securely, but you owe it to your employees and to your business to ensure their information is protected.
That’s why organizations conduct vendor reviews as part of their due diligence process and risk management strategy. Vendor reviews ensure that you’re working with vendors who have high security and compliance standards. Ultimately, these vendor reviews should be a cornerstone of your procurement process as you begin building your vendor relationships.
In this guide, we’ll share how we define vendor reviews, what a good vendor review should include, and the different types of vendor reviews.
Vendor reviews are comprehensive examinations of your company's vendors to ensure they meet your security standards. There are many different definitions of a vendor review, but we think about vendor reviews in terms of how vendors perform against security and compliance best practices. Vendor reviews assess areas such as data handling processes, physical security, and compliance with accepted security standards like SOC 2 and ISO 27001.
The vendor review process varies from organization to organization, but it is always part of performing due diligence. Reviews normally include a security questionnaire, an examination of incident reports, action plans, and customer surveys. Vendor reviews are conducted when you’re considering bringing a new vendor on, but they’re also done continually to ensure that the vendor is maintaining appropriate security and compliance practices.
Reviews will vary based on the type of vendor you’re assessing, but there are some general guidelines for what a vendor review should include, particularly when you’re assessing for security and compliance. Here are the most common categories included:
A security questionnaire, sometimes referred to as a vendor risk assessment questionnaire, is sent out when you want to work with a vendor and need to understand their potential vulnerabilities. These questionnaires are typically long spreadsheets containing a series of questions about security and compliance practices, such as how the vendor stores your data and what precautions it takes against breaches.
When it comes to sending a security questionnaire, you can create one from scratch, license an industry standard such as SIG or CAIQ, use a security questionnaire template, or use security questionnaire software.
Some of the best-known companies worldwide have been victims of security breaches and data leaks. After a security incident, companies put together detailed retrospectives to ensure such an incident never occurs again.
Before moving forward with a vendor, you should review incident reports to determine what happened during the incident and what steps were taken afterward to protect the organization—and yours—from future risk.
A security action plan is just that—a plan. These plans detail how a company approaches security, governance, and data protection not just now, but into the future as well. When conducting a vendor review, you’ll want to review the vendor’s active action and incident plans to ensure they meet your standards.
When conducting vendor reviews, it’s a good idea to speak with current customers to understand how they assessed the vendor, why they believe the vendor has high security standards, and how they made their selection. Talking to other customers has the added benefit of showing you the value those customers are getting from the vendor’s services.
All vendor reviews have the same aim: to determine whether a vendor’s security and compliance practices will protect you from risk and vulnerability. But there are two different types commonly conducted: initial vendor reviews, which occur when you start a new relationship with a vendor, and ongoing vendor reviews, which happen on an annual, semi-annual, or quarterly basis to ensure that the vendor remains compliant over time.
Initial vendor reviews happen when you are considering working with a new vendor, usually as part of the sales process. For example, when you’re deciding to purchase accounting software, you’d conduct a vendor review to ensure your company’s financial information will be protected.
Once you have decided to move forward with a vendor, you should ask for a vendor review before the deal is finalized. With the help of IT leaders, as well as security questionnaire software, vendor reviews can be completed efficiently, ensuring that the sales cycle remains on pace.
Initial vendor reviews should be scheduled as soon as you have decided you want to move forward with a vendor and are ready to become a customer. Before you can sign on the dotted line and make the deal official, a vendor review should be conducted. Some may see this review as a hurdle within the sales process, but it is essential to protect you from risk.
Most people wait until the very last minute of a sales process and then dump this on the vendor at the eleventh hour. Instead, you should address it proactively and make it a strategic part of the buying process rather than a forgotten box to check.
Ongoing vendor reviews occur on a recurring basis, ensuring that a vendor continues to uphold the latest best practices in security and compliance. A vendor may have gone through due diligence when you made your initial purchase, but they should be routinely checked to make sure they stay secure as standards continually change.
Many companies neglect to conduct ongoing reviews. After they've done an initial review and signed a contract, they assume that the vendor is secure forever. In reality, security processes and standards change every day. Purchasing a secure product today does not guarantee that the product is still secure or compliant tomorrow, let alone a year from now.
In the future, real-time security reporting will be the gold standard. For now, having structured check-ins is a best practice. HyperComply makes it easy to set a pre-defined vendor review cadence and automate those follow-up tasks without creating additional overhead.
Ongoing vendor reviews are most commonly scheduled annually, but sometimes occur every 6 months. Occasionally, vendor reviews are conducted every quarter by companies that want to maintain an even clearer view of their vendors' security profiles.
Whether you’re a vendor providing services or a security leader looking to ensure that vendors meet your standards, you’ll want to be well-positioned to participate in vendor reviews. You need these reviews to be accurate so that there are no surprises down the line. That means having a vendor review process that is as efficient and seamless as possible.
HyperComply makes vendor management simple so companies can onboard partners and operate with confidence: