Vendor Management

The Vendor Management module provides a centralised registry for tracking all third-party vendors your organisation works with. Register vendors, track their lifecycle from prospect to offboarding, manage certifications, and maintain a complete record of contact and contract details.

Accessing Vendor Management

Navigate to Vendor Inventory under the Risk & Third Party section in the sidebar. This opens the Vendor Registry — your central hub for all vendor-related activities.

The Vendor Registry

The registry is a filterable table showing all registered vendors for your organisation.

Filters

Use the filter bar at the top to narrow the list:

Filter	Options
Search	Filter by vendor name
Status	All / Prospect / Active / Inactive / Archived
Criticality	All / Low / Medium / High / Critical
Category	Dynamically populated from your vendors (e.g., Cloud Provider, SaaS, Consultancy)

Table Columns

Column	Description
Name	Vendor name (click to open detail page)
Category	Vendor type or classification
Status	Current lifecycle status (colour-coded badge)
Criticality	Business criticality level (colour-coded badge)
Risk Score	Calculated risk score (if assessed)
Contract End Date	When the current contract expires
Contact	Primary contact person

Adding a Vendor

1. Click the Add Vendor button in the registry header
2. Complete the modal form with the vendor’s details
3. Click Save to create the vendor record

Form Fields

Field	Required	Description
Vendor Name	Yes	The vendor’s trading name
Description	No	Brief description of what the vendor provides
Website	No	Vendor’s website URL
Category	No	Classification (e.g., Cloud Provider, SaaS, Consultancy)
Status	Yes	Initial lifecycle status
Criticality	Yes	Business criticality level
Data Classification	No	Sensitivity of data shared with this vendor
Contact Name	No	Primary contact person
Contact Email	No	Contact email address
Contact Phone	No	Contact phone number
Contract Start Date	No	When the contract begins
Contract End Date	No	When the contract expires
Contract Value	No	Annual contract value in GBP

Note

The platform detects duplicate vendor names. If you attempt to add a vendor with a name that already exists, you’ll receive an error — use the existing record instead.

Editing a Vendor

1. Click a vendor row to open the Vendor Detail page
2. Click Edit Vendor to open the edit modal
3. Update the fields as needed
4. Click Save to apply changes

All fields from the add form can be updated, including status and criticality. Changes take effect immediately.

Vendor Status Lifecycle

Vendors progress through a defined lifecycle. Set the status to reflect where each vendor is in your relationship:

Status	Description	Typical Use
Prospect	Vendor under initial consideration	Pre-contract evaluation
Active	Vendor currently providing services	Normal operations
Under Review	Vendor being reassessed	Periodic review or incident-triggered
Approved	Vendor has passed assessment and is cleared	Post-assessment approval
Suspended	Vendor services temporarily halted	Pending investigation or remediation
Offboarded	Vendor relationship terminated	Contract ended or vendor replaced

Lifecycle Best Practice

Start vendors as Prospect during evaluation, move to Active when contracted, and use Under Review for periodic reassessments. Reserve Suspended for situations requiring immediate action.

Vendor Criticality Levels

Criticality reflects how important the vendor is to your business operations:

Level	Description	Example
Low	Minimal business impact if vendor is unavailable	Office supply providers
Medium	Some disruption but workarounds exist	Non-essential SaaS tools
High	Significant impact on operations	Core business applications
Critical	Business cannot function without this vendor	Cloud infrastructure, primary data processors

Setting the correct criticality level helps prioritise risk assessments and determines the depth of due diligence required.

Data Classification

Data classification indicates the sensitivity of information shared with or processed by the vendor. Set this based on the highest sensitivity level of data the vendor handles:

• Public — Non-sensitive, publicly available information
• Internal — Internal business data, not for public release
• Confidential — Sensitive business or personal data
• Restricted — Highly sensitive data (PII, financial, health records)

This classification feeds into the risk scoring algorithm, so it’s important to set it accurately.

Subscription Tier Limits

Note

The number of vendors you can register depends on your subscription tier:

Tier	Maximum Vendors
Free	5
Professional	100
Enterprise	999

If you reach your tier limit, you’ll need to upgrade or offboard existing vendors before adding new ones.

The Vendor Detail Page

Click any vendor row to open the Vendor Detail page. This is the primary working area for an individual vendor.

Persistent Header

The header is always visible regardless of which tab you are on. It displays:

• Vendor name — the vendor’s trading name
• Status badge — colour-coded lifecycle status
• Criticality badge — colour-coded business criticality level
• Risk score badge — calculated risk score (if assessed)
• Edit Vendor button — opens the edit modal
• Delete Vendor button — removes the vendor record

Tab Layout

The detail page is organised into three tabs that group related information by workflow stage.

---

Tab 1: Overview

The Overview tab provides a snapshot of the vendor’s core details, certifications, and assessment history.

Vendor Details card Displays the vendor’s description, website, category, and data classification.

Contact card Shows the primary contact name, email address, and phone number.

Contract card Shows the contract start date, end date, and contract value in GBP.

Certifications table Lists all tracked certifications with the following columns:

Column	Description
Certification Name	e.g., ISO 27001:2022, SOC 2 Type II
Certification Body	The issuing organisation
Status	Valid, Expired, Revoked, or Pending
Issue Date	When the certificate was granted
Expiry Date	When it expires
Certificate Number	Reference number (if available)

Assessment History table Shows a historical record of all assessments performed on this vendor:

Column	Description
Type	Assessment type (e.g., DPSIA)
Date	When the assessment was conducted
Status	Assessment status
C / I / A Scores	Confidentiality, Integrity, and Availability scores
Risk Rating	Overall risk rating from the assessment
Assessor	Person who conducted the assessment

---

Tab 2: Assessment

The Assessment tab is where you conduct and review vendor security assessments. For full details on assessment workflows, see the Vendor Risk Assessment guide.

DPSIA Assessment The primary assessment action. Launch an AI-powered Data Protection Security Impact Assessment that evaluates the vendor across confidentiality, integrity, and availability dimensions. The DPSIA generates a structured risk profile based on vendor data, certifications, and automated security research.

CIA Control Breakdown Granular control-level scores across Confidentiality, Integrity, and Availability. Each control is scored individually, giving you visibility into specific strengths and weaknesses in the vendor’s security posture.

Claim Verification Cross-references the vendor’s self-reported claims (certifications, compliance statements, security measures) against available evidence. Highlights discrepancies between what the vendor states and what can be verified.

---

Tab 3: Results & Actions

The Results & Actions tab captures the outputs of assessments and tracks remediation activities.

Action Items Remediation tasks generated from assessments or added manually. Each action item tracks:

• Priority level
• Assigned owner
• Deadline
• Current status

Compensating Controls Where gaps are identified, compensating controls describe the gap and the mitigation measures your organisation has put in place to address the risk. Each entry includes a gap description and the corresponding compensating control.

Reports Generated vendor assessment reports with options to export (PDF) or share. Reports consolidate the assessment results, risk scores, action items, and compensating controls into a single document.

Managing Certifications

Track your vendors’ security certifications to understand their compliance posture.

Adding a Certification

1. Navigate to the Certifications table on the Overview tab of the Vendor Detail page
2. Click Add Certification
3. Enter the certification details:
   • Certification Name — e.g., ISO 27001:2022, SOC 2 Type II, PCI DSS
   • Certification Body — The issuing organisation
   • Status — Valid, Expired, Revoked, or Pending
   • Issue Date — When the certificate was granted
   • Expiry Date — When it expires
   • Certificate Number — Reference number (if available)
4. Click Save

Certification Statuses

Status	Description
Valid	Current and active certification
Expired	Certification has passed its expiry date
Revoked	Certification withdrawn by the issuing body
Pending	Certification application in progress

Tip

Valid certifications reduce a vendor’s risk score. Each valid certification contributes to the certification factor in the 5-factor risk scoring model — having three or more valid certifications gives the maximum benefit.

Best Practices

Initial Setup

1. Register all existing vendors — Start by adding your current third-party relationships
2. Set criticality levels accurately — This drives assessment prioritisation
3. Add contract dates — Enables proactive contract renewal tracking
4. Record certifications — Capture any known certifications upfront

Ongoing Maintenance

1. Review vendor statuses quarterly — Ensure statuses reflect reality
2. Monitor certification expiry dates — Follow up with vendors before certificates lapse
3. Update contact details — Keep contact information current for incident response
4. Track contract renewals — Use contract end dates to plan ahead
5. Offboard promptly — Move vendors to Offboarded status when relationships end

Related Guides

• Vendor Risk Assessment — Assess vendor risk, run DPSIA assessments, and generate reports
• Risk Management — Organisational risk register and 5x5 risk matrix