Vendor Risk Assessment

Learn how to perform vendor risk assessment in Sprinto to review, classify, and validate your third-party vendors’ security posture.

Vendor risk assessment helps you evaluate all the vendors your organisation works with, classify them based on the level of risk they pose, and ensure that high-risk vendors follow appropriate security practices.

This is a key step in maintaining compliance with frameworks such as SOC 2, ISO 27001, HIPAA, and GDPR.


Why Vendor Risk Assessment Is Important

Your vendors often have access to confidential or customer data. Assessing them regularly helps ensure they meet your organisation’s security and compliance requirements. Vendor risk assessment allows you to:

  • Identify potential security gaps in third-party systems.

  • Categorise vendors based on the sensitivity of data they handle.

  • Verify that high-risk vendors maintain valid compliance certifications or security measures.

At a high level, vendor risk assessment consists of three steps:

  1. Add all vendors to the library. Add every vendor your organisation engages with into Sprinto. You can import vendors automatically from connected SSO tools (Google Workspace, Okta, etc.), add them manually, or upload them in bulk via CSV.

  2. Classify vendors by data access and assign a risk level. For each vendor, identify the type of data they can access (e.g., internal, customer, or confidential data). Based on this, Sprinto automatically assigns a risk level: High, Medium, Low, or None. You can manually review and adjust these classifications as needed.

  3. Complete due diligence for all high-risk vendors. For vendors marked as High risk, perform due diligence to verify their security posture. This includes reviewing uploaded certifications (e.g., SOC 2, ISO 27001), security policies, and responses to vendor security questionnaires.


How It Works

A vendor risk assessment in Sprinto consists of the following stages:

Step 1: Add All Vendors

Before beginning an assessment, ensure that all vendors your organisation uses are added to Sprinto.

  1. Go to Data Library > Vendors from the left navigation pane.

  2. Select the All vendors tab.

  3. Click + Add vendors.

  4. Choose one of the following options:

    • Add vendors from library – Select vendors from Sprinto’s curated list.

    • Bulk import vendors via CSV file – Download the CSV template, populate it with vendor details, and upload it.

    • Add manually – Enter vendor details directly if not available in the library.

    • Discover vendors via SSO – Automatically identify vendors accessed via connected SSO providers such as Google Workspace or Okta.

  5. Refer to Create and Add Vendors to learn about this in detail.

Review your organisation’s billing or expense records to identify vendors that may not be visible through discovery.


Step 2: Assign Risk Levels to Vendors

Once vendors are added, assign a risk level to each vendor based on the type of data they handle and their operational criticality.

  1. From All vendors, click a vendor’s name to open its profile.

  2. Navigate to the Risk score tab.

  3. Under each risk factor (e.g., Data type shared, Access to company systems, Operational impact), click Add value or Edit.

  4. Select appropriate options from the dropdown menus.

  5. Review the Risk level column. Sprinto automatically recommends a risk level (High, Medium, Low, or None) based on your selections.

  6. If required, click Edit in the risk level field to override the auto-computed value.

  7. Click Add risk factor values.


Step 3: Perform Due Diligence for High-Risk Vendors

High-risk vendors must undergo due diligence to confirm that they follow robust security and availability practices.

  1. In the vendor’s profile, open the Due diligence tab.

  2. Click Perform due diligence.

  3. Upload the vendor’s compliance evidence, such as:

    • SOC 2, ISO 27001, or SOC 3 reports

    • Security whitepapers or audit summaries

    • Completed vendor security questionnaires

  4. Add any notes or observations under Findings.

  5. Click Complete due diligence once all relevant documents are attached and reviewed.

If a vendor doesn’t have formal certifications, you can request them to complete Sprinto’s vendor security questionnaire as supporting evidence.


Step 4: Conduct the Vendor Risk Assessment Review

After all vendors are added, scored, and due diligence is completed, perform the final review to confirm compliance.

  1. Go to Data Library > Vendors > Vendor risk assessment.

  2. Click Start new assessment now.

  3. Review the list of all vendors displayed.

    • Each entry shows the Vendor name, Risk level, Due diligence status, Due date, and Actions.

  4. (Optional) Click the Edit icon to rename the assessment and click Save.

  5. Click Exclude to remove vendors you don’t wish to include in this cycle.

  6. Click Include to add previously excluded vendors.

  7. Review each vendor’s risk level and ensure due diligence is complete for all high-risk vendors.

  8. Once satisfied, scroll to the bottom and select the confirmation checkbox: “I have performed the risk assessment as per management policy for the above vendors. All risks are reviewed and transferred to these vendors.”

  9. Click Complete risk assessment for vendor.
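The workflow above (classify each vendor by the data it can access, allow a manual override of the recommended level, and only sign off once every included High-risk vendor has completed due diligence with current evidence on file) modelled as a small check, added here as an example; it is not Sprinto's code, and the data-type-to-risk mapping, the Vendor fields and the sample vendors are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical mapping from accessed data type to risk level; Sprinto's real rule for "Data type shared" is not documented here.
RISK_BY_DATA_TYPE = {"none": "None", "internal": "Low", "customer": "Medium", "confidential": "High"}
LEVELS = ["None", "Low", "Medium", "High"]  # ascending severity

@dataclass
class Vendor:
    name: str
    data_types: list                      # data the vendor can access, e.g. ["internal", "customer"]
    risk_override: str = ""               # manual override of the recommended level ("" = none)
    evidence: list = field(default_factory=list)  # (document, valid_until) pairs uploaded as evidence
    due_diligence_complete: bool = False
    excluded: bool = False                # excluded from this assessment cycle

def recommended_risk(vendor):
    """Most sensitive data type wins; an unrecognised type is treated as High (fail closed)."""
    levels = [RISK_BY_DATA_TYPE.get(t.lower(), "High") for t in vendor.data_types] or ["None"]
    return max(levels, key=LEVELS.index)

def effective_risk(vendor):
    """A manual override takes precedence over the auto-computed level."""
    return vendor.risk_override or recommended_risk(vendor)

def due_diligence_gaps(vendor, today):
    """Findings that should block signing off a High-risk vendor."""
    gaps = []
    if not vendor.due_diligence_complete:
        gaps.append("due diligence not completed")
    if not any(valid_until >= today for _, valid_until in vendor.evidence):
        gaps.append("no current certification, report or questionnaire on file")
    return gaps

def review_assessment(vendors, today):
    """Map each included High-risk vendor with open findings to its gaps; empty means safe to confirm."""
    findings = {}
    for v in vendors:
        if v.excluded or effective_risk(v) != "High":
            continue
        gaps = due_diligence_gaps(v, today)
        if gaps:
            findings[v.name] = gaps
    return findings

TODAY = date(2025, 1, 15)  # constructed review date
VENDORS = [  # constructed sample vendor library
    Vendor("Payroll SaaS", ["confidential"], evidence=[("SOC 2 Type II", date(2025, 9, 30))], due_diligence_complete=True),
    Vendor("Analytics API", ["customer"], risk_override="High"),  # reviewer raised it to High; nothing on file yet
    Vendor("Legacy CRM", ["confidential"], evidence=[("ISO 27001", date(2024, 6, 1))], due_diligence_complete=True),
    Vendor("Pilot tool", ["confidential"], excluded=True),  # left out of this cycle, so not reported
]
```

Running `review_assessment(VENDORS, TODAY)` reports Analytics API (nothing completed or on file) and Legacy CRM (certificate expired), while the excluded Pilot tool is skipped.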
