Resolve Sprinto Check for Periodic Vendor Risk Review

Learn how to resolve the Sprinto check for periodic vendor risk reviews by updating due diligence evidence and confirming ongoing oversight.

Sprinto raises this check when it detects that your organisation has not performed a recent management review of vendor risks—particularly for vendors classified as high or moderate risk.

This requirement is aligned with multiple compliance frameworks that mandate regular oversight of third-party service providers, including:

  • SOC 2 (CC4.1, CC3.2)

  • ISO 27001 (A.15.2.1, A.15.2.2)

  • HIPAA, GDPR, PCI-DSS


Why this check matters

Vendor risk reviews are a critical part of third-party risk management. They help ensure that:

  • Risk postures remain accurate and reflect current vendor operations

  • Due diligence documentation remains current

  • Senior management is actively reviewing and approving critical vendors

  • Your organisation maintains compliance with relevant standards

This check is triggered when:

  • High or moderate-risk vendors have outdated due diligence

  • The last management review is older than your organisation's threshold (typically 6–12 months)

  • Review evidence or comments are missing in Sprinto


Resolution Steps

1. Identify vendors that require review

  • Navigate to the Vendors section in Sprinto

  • Open the Vendor Risk Assessment tab

  • Filter vendors by Risk Classification = High or Moderate

  • Sort by the Last Reviewed column to find those that are outdated

2. Reassess the vendor’s risk level (if needed)

  • Review:

    • Security questionnaires

    • Certifications (e.g. SOC 2, ISO 27001)

    • Penetration testing reports

    • Any other due diligence documents

  • Reclassify the vendor’s risk if new information warrants a change

3. Add management review notes

  • Go to the vendor’s profile in Sprinto

  • Update the Reviewed On date

  • Add a summary of the management review in the Review Comments or Management Notes field

4. Upload updated evidence

  • Attach any updated documentation, including:

    • Security certifications

    • External audit reports

    • Meeting notes from vendor review discussions


Evidence Guidelines

Evidence Type                        | Required | Notes
Updated vendor profile in Sprinto    | Yes      | Must include the current review date and management notes
Updated due diligence documentation  | Yes      | Must reflect the vendor’s latest security posture
Internal risk summary                | Optional | Can be uploaded in Sprinto as supporting documentation


Additional Notes

  • Sprinto may automatically resolve this check once the vendor’s profile has been updated and evidence has been uploaded.

  • Reviews should be conducted every 6 to 12 months for all vendors classified as high or moderate risk.

  • Use the Monitoring tab in the Vendors section to proactively track vendors due for review.
