Vendor Management
The Vendor Management module provides a centralised registry for tracking all third-party vendors your organisation works with. Register vendors, track their lifecycle from prospect to offboarding, manage certifications, and maintain a complete record of contact and contract details.
Accessing Vendor Management
Click Vendor Management in the sidebar navigation. This opens the Vendor Registry — your central hub for all vendor-related activities.
The Vendor Registry
The registry is a filterable table showing all registered vendors for your organisation.
Filters
Use the filter bar at the top to narrow the list:
| Filter | Options |
|---|---|
| Search | Filter by vendor name |
| Status | All / Prospect / Active / Inactive / Archived |
| Criticality | All / Low / Medium / High / Critical |
| Category | Dynamically populated from your vendors (e.g., Cloud Provider, SaaS, Consultancy) |
Table Columns
| Column | Description |
|---|---|
| Name | Vendor name (click to open detail page) |
| Category | Vendor type or classification |
| Status | Current lifecycle status (colour-coded badge) |
| Criticality | Business criticality level (colour-coded badge) |
| Risk Score | Calculated risk score (if assessed) |
| Contract End Date | When the current contract expires |
| Contact | Primary contact person |
Adding a Vendor
- Click the Add Vendor button in the registry header
- Complete the modal form with the vendor’s details
- Click Save to create the vendor record
Form Fields
| Field | Required | Description |
|---|---|---|
| Vendor Name | Yes | The vendor’s trading name |
| Description | No | Brief description of what the vendor provides |
| Website | No | Vendor’s website URL |
| Category | No | Classification (e.g., Cloud Provider, SaaS, Consultancy) |
| Status | Yes | Initial lifecycle status |
| Criticality | Yes | Business criticality level |
| Data Classification | No | Sensitivity of data shared with this vendor |
| Contact Name | No | Primary contact person |
| Contact Email | No | Contact email address |
| Contact Phone | No | Contact phone number |
| Contract Start Date | No | When the contract begins |
| Contract End Date | No | When the contract expires |
| Contract Value | No | Annual contract value in GBP |
Editing a Vendor
- Click a vendor row to open the Vendor Detail page
- Click Edit Vendor to open the edit modal
- Update the fields as needed
- Click Save to apply changes
All fields from the add form can be updated, including status and criticality. Changes take effect immediately.
Vendor Status Lifecycle
Vendors progress through a defined lifecycle. Set the status to reflect where each vendor is in your relationship:
| Status | Description | Typical Use |
|---|---|---|
| Prospect | Vendor under initial consideration | Pre-contract evaluation |
| Active | Vendor currently providing services | Normal operations |
| Under Review | Vendor being reassessed | Periodic review or incident-triggered |
| Approved | Vendor has passed assessment and is cleared | Post-assessment approval |
| Suspended | Vendor services temporarily halted | Pending investigation or remediation |
| Offboarded | Vendor relationship terminated | Contract ended or vendor replaced |
Vendor Criticality Levels
Criticality reflects how important the vendor is to your business operations:
| Level | Description | Example |
|---|---|---|
| Low | Minimal business impact if vendor is unavailable | Office supply providers |
| Medium | Some disruption but workarounds exist | Non-essential SaaS tools |
| High | Significant impact on operations | Core business applications |
| Critical | Business cannot function without this vendor | Cloud infrastructure, primary data processors |
Setting the correct criticality level helps prioritise risk assessments and determines the depth of due diligence required.
Data Classification
Data classification indicates the sensitivity of information shared with or processed by the vendor. Set it to the highest sensitivity level of any data the vendor handles, including data the vendor can reach through the access you grant it (for example, a managed service provider with administrative access) and not only data you send to it directly:
- Public — Non-sensitive, publicly available information
- Internal — Internal business data, not for public release
- Confidential — Sensitive business or personal data
- Restricted — Highly sensitive data (PII, financial, health records)
This classification feeds into the risk scoring algorithm, so it’s important to set it accurately.
Subscription Tier Limits
The Vendor Detail Page
Click any vendor row to open the Vendor Detail page. This is the primary working area, organised into 12 sections:
| Section | Purpose |
|---|---|
| Overview | Basic vendor information, risk score, and data classification |
| Contact Information | Contact name, email, and phone number |
| Contract Details | Start date, end date, and contract value |
| Assessments | Historical assessment records with CIA scores and risk ratings |
| Certifications | Tracked security certifications and their validity status |
| CIA Control Breakdown | Granular control scores across Confidentiality, Integrity, and Availability |
| Risk Scoring | 5-factor risk breakdown with calculated score |
| Claim Verification | Cross-referencing of vendor claims against evidence |
| Action Items | Remediation tasks with priority, ownership, and deadlines |
| Compensating Controls | Gap descriptions and mitigation measures |
| Reports | Generated reports with export and email options |
| AI-Powered Research | DPSIA assessment and automated security research |
For details on the assessment-related sections (Risk Scoring, CIA Controls, Claim Verification, DPSIA, and Reports), see the Vendor Risk Assessment guide.
Managing Certifications
Track your vendors’ security certifications to understand their compliance posture.
Adding a Certification
- Navigate to the Certifications section on the Vendor Detail page
- Click Add Certification
- Enter the certification details:
- Certification Name — e.g., ISO 27001:2022, SOC 2 Type II, PCI DSS
- Certification Body — The issuing organisation
- Status — Valid, Expired, Revoked, or Pending
- Issue Date — When the certificate was granted
- Expiry Date — When it expires
- Certificate Number — Reference number (if available)
- Click Save
Certification Statuses
| Status | Description |
|---|---|
| Valid | Current and active certification |
| Expired | Certification has passed its expiry date |
| Revoked | Certification withdrawn by the issuing body |
| Pending | Certification application in progress |
Best Practices
Initial Setup
- Register all existing vendors — Start by adding your current third-party relationships
- Set criticality levels accurately — This drives assessment prioritisation
- Add contract dates — Enables proactive contract renewal tracking
- Record certifications — Capture any known certifications upfront
Ongoing Maintenance
- Review vendor statuses quarterly — Ensure statuses reflect reality
- Monitor certification expiry dates — Follow up with vendors before certificates lapse
- Update contact details — Keep contact information current so the right people at the vendor are reachable during an incident
- Track contract renewals — Use contract end dates to plan ahead
- Offboard promptly — Move vendors to Offboarded status when relationships end
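The two date-driven items in this checklist, certificate expiry and contract renewal, are straightforward to automate against an export of the registry. The block below is an added example and not code from the product or its API: it assumes a registry export already parsed into the `Vendor` and `Certification` records it defines (field names follow this page; the export format, the `RENEWAL_LEAD_DAYS` windows and the fictional sample vendors are the example's own assumptions). It flags certificates whose recorded status no longer matches their expiry date, valid certificates approaching expiry, and active contracts inside a criticality-scaled renewal window.

```python
# Added example: offline hygiene checks over a vendor registry export.
# Not the product's own code or API. The record shapes, the renewal lead
# windows and the sample data below are assumptions made for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

CRITICALITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Assumed planning windows: start renewal work this many days before the
# contract ends, scaled by criticality. Not a product setting.
RENEWAL_LEAD_DAYS = {"Low": 30, "Medium": 60, "High": 90, "Critical": 180}


@dataclass
class Certification:
    name: str
    status: str            # recorded status: Valid / Expired / Revoked / Pending
    expiry: date | None    # None for Pending applications


@dataclass
class Vendor:
    name: str
    status: str            # lifecycle status, e.g. Active / Offboarded
    criticality: str       # Low / Medium / High / Critical
    contract_end: date | None
    certifications: list[Certification] = field(default_factory=list)


def effective_cert_status(cert: Certification, today: date) -> str:
    """Status the record should carry given today's date.

    Revoked and Pending are set by hand, not by the calendar, so they pass
    through; anything else is Expired once the expiry date has passed.
    """
    if cert.status in ("Revoked", "Pending"):
        return cert.status
    if cert.expiry is not None and cert.expiry < today:
        return "Expired"
    return "Valid"


def stale_certifications(vendors: list[Vendor], today: date) -> list[tuple[str, str, str, str]]:
    """Certificates whose recorded status disagrees with their expiry date.

    Returns (vendor, certification, recorded status, effective status).
    """
    findings = []
    for vendor in vendors:
        for cert in vendor.certifications:
            effective = effective_cert_status(cert, today)
            if effective != cert.status:
                findings.append((vendor.name, cert.name, cert.status, effective))
    return findings


def expiring_certifications(vendors: list[Vendor], today: date, within_days: int = 90) -> list[tuple[str, str, int]]:
    """Currently valid certificates that lapse within the window, soonest first.

    Returns (vendor, certification, days until expiry).
    """
    due = []
    for vendor in vendors:
        for cert in vendor.certifications:
            if cert.expiry is None or effective_cert_status(cert, today) != "Valid":
                continue
            days_left = (cert.expiry - today).days
            if days_left <= within_days:
                due.append((vendor.name, cert.name, days_left))
    return sorted(due, key=lambda row: row[2])


def contracts_due_for_renewal(vendors: list[Vendor], today: date) -> list[tuple[str, str, int]]:
    """Active vendors whose contract ends inside their criticality's lead window
    (or has already ended). Most critical first, then soonest end date.

    Returns (vendor, criticality, days until contract end; negative if past).
    """
    due = []
    for vendor in vendors:
        if vendor.status != "Active" or vendor.contract_end is None:
            continue
        days_left = (vendor.contract_end - today).days
        if days_left <= RENEWAL_LEAD_DAYS[vendor.criticality]:
            due.append((vendor.name, vendor.criticality, days_left))
    return sorted(due, key=lambda row: (-CRITICALITY_RANK[row[1]], row[2]))


# Constructed sample registry (fictional vendors), frozen at a fixed "today"
# so the results are reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Cloud", "Active", "Critical", date(2025, 11, 15), [
        Certification("ISO 27001:2022", "Valid", date(2025, 3, 31)),   # lapsed, badge never updated
        Certification("SOC 2 Type II", "Valid", date(2026, 1, 31)),
    ]),
    Vendor("Paperclip Co", "Active", "Low", date(2025, 6, 20)),
    Vendor("DataProc Ltd", "Active", "High", date(2025, 12, 1), [
        Certification("PCI DSS", "Pending", None),
        Certification("SOC 2 Type II", "Valid", date(2025, 7, 15)),
    ]),
    Vendor("OldHost", "Offboarded", "Medium", date(2024, 12, 31), [
        Certification("ISO 27001:2022", "Valid", date(2024, 10, 1)),
    ]),
]

if __name__ == "__main__":
    for row in stale_certifications(SAMPLE_VENDORS, TODAY):
        print("stale cert   :", row)
    for row in expiring_certifications(SAMPLE_VENDORS, TODAY):
        print("expiring cert:", row)
    for row in contracts_due_for_renewal(SAMPLE_VENDORS, TODAY):
        print("renewal due  :", row)
```

The case worth catching is the first one: a certificate still recorded as Valid after its expiry date means the registry badge and the evidence disagree, and the vendor's compliance posture is no longer what the detail page shows. Moving such a vendor to Under Review and requesting a current certificate is the usual follow-up, and the criticality-scaled renewal window gives the most critical vendors the longest lead time for a reassessment before the contract decision falls due.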
Related Guides
- Vendor Risk Assessment — Assess vendor risk, run DPSIA assessments, and generate reports
- Risk Management — Organisational risk register and 5x5 risk matrix