Estimated reading: 10 minutes 873 views

What is it?

Vendors are various companies from whom you have purchased software or services that you use to run your business.

For example, Microsoft, Salesforce, and Okta are vendors. One Vendor can provide you with many Systems (link to Systems page). For example, Microsoft is a vendor, and it provides you with many systems like Azure AD, Confluence, Office 365, etc.

Your Vendors page helps you conduct vendor risk assessments, manage your existing vendor relationships, and consolidate any potential documents that you were keeping elsewhere.

Third Party Risk Management (TPRA) or Vendor Risk Assessments

Note: This is currently available as an open beta. Contact us to get started.

Third-party risk assessments (TPRA) provide insights into the potential risks posed by your vendors. Comprehensive evaluations shed light on how your vendors handle your data and the associated threats. Undertaking these assessments is not only mandated by numerous standards but is also crucial in minimizing business disruptions by proactively addressing third-party risks.
In general, Third party assessments can be broken down into 4 steps: 

  1. Identification of Risks: Assess the potential threats and vulnerabilities introduced by engaging with an external vendor, considering factors such as data security, compliance, and operational risks.
  2. Due Diligence: Conduct thorough background checks on vendors, reviewing their security protocols, financial stability, and past performance to ensure they meet organizational standards. This is typically accomplished via a vendor risk assessment, a security questionnaire that is sent out to the vendor, or analysis of a vendor’s publish TrustShare profile.
  3. Continuous Monitoring: Implement ongoing oversight of vendor activities and performance, ensuring they remain compliant with contractual obligations and industry standards. Frequent risk assessments and due diligence contributes towards effective monitoring.
  4. Mitigation Strategies: Develop and implement strategies to address identified risks, including contingency plans, contractual clauses, and regular audits, to ensure vendor alignment with organizational objectives.

You can easily send, assess, and manage your vendors and assessments using TrustCloud’s Third-party risk management feature. Keep reading to learn more about how to send assessments, tailor your programs, and manage your workflow.

Getting Started 

To begin leveraging TrustCloud’s vendor risk management solution, a few housekeeping items should be taken care of ahead of sending that first risk assessment. Use the following 4 step process to get started:

  1. Create on Assessment Template or Upload your Existing Security Questionnaire via the Evaluation Templates Page: Navigate to the evaluation templates section to begin setting up forms that your vendors will be filling out. Leverage our assessment builder and use your common control framework to simplify the questions you are asking your vendors. Alternatively, upload any existing docs your company uses when conducting vendor assessments.
  2. Setup a Vendor Evaluation Tiers via the Settings Page: Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect.
  3. Assign a Tier to a Vendor via the My Vendors Page: Assign a tier to an existing vendor or create a new vendor with a tier in order to kick off the risk assessment process
  4. Add a Vendor Contact via the My Vendors Page: Add a vendor point of contact responsible for providing security and compliance details on behalf of the vendor
  5. Start a New Assessment via the My Vendors Page: Kick off the formal assessment by sending the forms out to the vendor
  6. Complete Assessment: Finalize your assessment based on the responses you have received from each vendor


Your Vendors Dashboard helps you keep an actionable business-wide view of your vendors, assessments, and risks. Using the dashboard you can:

  • Understand your Vendor Risk Distribution: the level of risk across your vendors business-wide. 
  • See your assessment requests: see the status, start date, and owner of all active assessments.
  • Vendors by department: get a pulse of the amount of vendors across your business.
  • Vendor Risk by Data Classification: understand where you’re at risk based on your data classifications
  • Top 5 Vendors at Risk: keep tabs on the risk level of your most important vendors.
  • Top Vendors for Programmatic Risk Assessments via TrustNetwork: view a live trust portal for your vendors for detailed information on their security and privacy posture.

Screenshot 2023 10 16 at 5.07.45 PM

This dashboard is interactive so click on the risk distribution to deep dive into specific vendors.

Screenshot 2023 10 16 at 5.09.10 PM

Adding Vendors

Your vendor list is populated automatically after you add all of your systems to your System’s Register. Based on your different system classifications, TrustCloud defaults to the data classifications on your Vendors page.

A step-by-step guide to adding a vendor

  • To add more vendors to your register, simply click on the “+Add New Vendor” button.
  • Add Vendor Name, Website, Owner, Data Classification, and Group.
  • Select whether the vendor is a subprocessor.

My Vendors

The Vendors page in TrustCloud allows you to view your Vendors using different filters, search options, and views. You are quickly able to identify who the vendor is, what group/department they belong to, what tier they are a part off, the most recent. risk rating, the status of the most recent risk assessment, whether the vendor is active or disabled, as well as who the account owner is. 

Screenshot 2023 10 16 at 5.10.44 PMVendor Details

Clicking on a row in the vendor table showcases key details for each vendor. You will be able to view relevant metadata about the vendor, what recent assessments were performed, documents connected, systems connected, as well as enter relevant vendor contact information.

Screenshot 2023 10 16 at 5.14.37 PM


Regular Risk assessments should be performed on each vendor based on business criticality, the vendor tier, compliance requirements etc. To begin a new assessment, click on the ‘New Assessment’ button and enter the details of the vendor contact responsible for filling our the responses. Make sure you have completed all the steps in the ‘Getting Started’ section before conducting your first assessment.

Screenshot 2023 10 16 at 5.42.45 PM

What Does the Vendor Need to Fill Out

Each vendor, based on how you have configured the vendor tier, receives an email containing a security questionnaire, a list of documents they need to provide (SOC 2 report, pen test report etc.), as well as details on where to submit the responses. Once each vendor has completed and returned the forms, navigate back to the open assessment and upload these retuned forms so records can be maintained in once place. Contact us if you are interested in exploring ways to automate this via an API.

Completing an Assessment

Once you have received responses back from a vendor, navigate to the open assessment under each vendor’s page and begin filling out the evaluation form. The following details will be captured during this process:

  1. Vendor Overview and the contact information for the person assessing the vendors responses
  2. Business Information about the vendor including name, HQ location, terms of service etc.
  3. Risk Surface Details including whether this vendor is process PII or PHI etc.
  4. Compliance reports and certifications the vendor may adhere to
  5. Documents and policies that the vendor provided
  6. A final summary and assessment where you will document what the final risk rating as well as note any gaps or comments. This action will close the assessment and showcase the relevant risk rating on the dashboard and vendor details pages

Screenshot 2023 10 16 at 5.54.35 PM

Edit Vendor

To edit vendor details,

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on “Edit Details”.

On this details page, you can add or edit:

  1. A vendor’s website
  2. A location
  3. A description of the purpose
  4. Link to the vendor’s terms of service
  5. Link to the vendor’s privacy policy
  6. Link to the vendor’s security page
  7. Change the data classification.
  8. Change the group/department.

Additionally, you can add tags to each vendor, add documents or links, and add vendor contact information.

The systems that the specific vendor is mapped to are listed under the ‘Systems’ section. If you believe something is missing, double-check that all of the relevant systems have been added.

Disabling Vendors

Disabling a vendor denotes that you don’t use this vendor anymore. A disabled vendor still exists in your archive and is not deleted permanently.

A step-by-step guide to disabling a vendor

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on the “Disable Vendor” button.
  3. Enter a reason for disabling the vendor and mark the checklist of compliance requirements for disabling a vendor.
  4. Click on the “Disable” button.
  5. To view disabled vendors
    1. Select the filters on the main vendor page and check the ‘Disabled’ box.

Assessment Templates

TrustCloud supports the creation of programmatic vendor assessment templates that connect to your existing common control framework making evaluation and submission easier. The option to bring your own questionnaire also exists should you want to use your existing documentation.

Screenshot 2023 10 16 at 6.06.54 PMBuilding a Programmatic Assessment Template in TrustCloud 

Add a new assessment template by click “+ New Template” in the top right corner. From here, you can follow the prompts to easily create questionnaires that map directly to the controls you want to test your vendor against. By mapping your assessment to your controls you enable programmatic risk calculations, gap analysis, and auto-fill vendor responses. 

Uploading a Custom Assessment Templates

Upload your organizations existing assessment templates/vendor questionnaires directly to the Assessment templates portal to streamline your vendor assessment process. 

Editing, Downloading or Deleting an Existing Template

You can edit, download, or delete an existing template by navigating to the three dots in the top right corner of an existing template. Please note that any changes made to a template will impact new assessments only.

Once your assessment template is uploaded, you can see it in the Assessment Templates module and link it to a vendor tier. 

Settings and Vendor Tiers

Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect. After establishing your vendor tiers in TrustCloud, the platform automates your workflow based on each vendor’s designated tier—ensuring a consistent, hassle-free assessment process every time. We recommend customizing your tiers before you send assessments. 

Creating a New Tier

Click on the ‘Add Tier’ button in the top right and follow the prompts to create your evaluation tier. 

  1. Name your tie
  2. Set the parameters that define which vendors fall into this tier
    • Failure impact
    • Level of risk tolerance
    • Criticality
    • Data classification
    • Evaluation frequency
  3. Determine what business information you would like to mark as required or optional
  4. Set your risk surface
  5. Determine if you will require reports, if so select which you will require
  6. Identify which documents you will require
  7. Select the associated questionnaire(s) for this tier

Screenshot 2023 10 16 at 6.15.34 PM

Once you have customized and saved your Evaluation Tier, you can begin assigning tiers to your new and existing vendors. 

Editing or Deleting an Existing Tier

You can always edit tiers by selecting the “pencil” icon located on the righ of each Assessment Tier module. You can delete tiers using the trash icon. If you delete or edit a tier, this will automatically be mapped to your associated vendors however changes to required docs will only impact new assessments. 

Join the conversation