Third Party Vendor Product Assessment: Overview and How-To

This information is for superusers, assessment managers, and vendor requestors.

Overview

Third-party vendor product risk assessment helps you to identify and manage risks associated with products or services provided by external suppliers. It ensures that potential vulnerabilities, security issues, and compliance concerns are addressed, safeguarding your organization's operations, data, and reputation. This type of assessment can also help you to meet regulatory requirements and industry standards, enhancing supply chain security.

Many Isora GRC customers use these types of assessments as part of their procurement process for acquiring new products.

Third-Party Vendor Product Assessment is one of the three assessment methodologies provided by Isora GRC. You can use it to create a single survey about a single product, and the survey can be accessed externally (that is, the survey participant(s) do not need to log into Isora GRC to respond).

How to Assess a Third-Party Vendor Product

To create a new third-party vendor product assessment, complete these steps.

Prerequisites: You need at least one unit, a series targeting vendors, and a questionnaire template targeting vendors.

There is currently no way to save your progress in the middle of the wizard. If you exit the wizard without completing it, your progress will be lost.

  1. On the Assessments page, click New Assessment in the upper right-hand corner. (Note that it doesn’t matter which tab you are currently on when you click this button.)

  2. On the New Assessment dialog, choose Third-Party Vendor.

  3. Expand a vendor name to choose an existing product under it, or click + Add New Product.

  4. If you need to add a new product, you can select an existing vendor name or type in a new one. Then type in a product name (then click Select) and choose a vertical.

  5. After completing all fields, click Create Product. A new product entry will be created in Isora GRC’s inventory.

  6. If you chose an existing product that was previously assessed, you’ll see a list of past assessments to choose from. If you choose one of those, a number of choices will be automatically filled in for you in the wizard, expediting the process.

     

  7. If you just created the product, there won’t be any past assessments to choose from, so just click Next Step.

  8. The next step is Intake. This is where you must specify a deployment for the product. If it was previously deployed, then you can choose an existing one. If not, you’ll need to create one. This is meant to keep track of which unit is actually using or managing the product. If you are assessing the product as part of the procurement process, typically the deploying unit would be the unit that’s requesting to purchase the product. (See also: https://saltycloud.atlassian.net/wiki/spaces/TES/pages/2083520516 )


    For a new product, click Add Deployment.

  9. Fill in the fields and click Create Deployment. Note that there are some optional fields that don’t display by default, so click Display Optional Fields if you want to fill those in now. You can also add that information to the deployment later. (Note: if you don’t know the right option to choose for any of the required fields, take your best guess. All of the fields can be updated later.)

  10. The deployment you just created is selected. Click Next Step.

  11. On the Details step of the wizard, give the assessment a name, assign it to a series, assign a due date, and choose instructions to include. Try to allow enough time that your vendor representative can realistically complete the assessment.

  12. There are default instructions installed on your instance of Isora GRC, but you may want to create a specific template to use for vendor assessments. You can edit the existing instructions and optionally save them as a new template using the three dots in the upper right-hand corner. You may also consider updating the instructions (without saving them as a new template) to personalize them for that vendor. These instructions will appear at the top of the survey that gets created when you create the assessment.

  13. Once all fields are completed to your satisfaction, click Next Step.

  14. The next step is to choose a questionnaire template. You need to already have at least one questionnaire template that targets vendors in order to complete this step. Choose one, then click Next Step.

    (See also: https://saltycloud.atlassian.net/wiki/spaces/TES/pages/2072346627 )

  15. The last step of the wizard presents a summary of everything you have done so far. It’s possible at this point to make changes if you mouse over the right-hand side of a field you want to change, and click the pencil. Otherwise, click Publish to save the assessment without launching (you can launch it later, but you won’t be able to make edits), or Launch to make the survey available for completion.

  16. Upon launching, an access link is shown. Click the boxes next to it to copy it to your clipboard. You can then email the link to your vendor representative to ask them to fill it out.

     

If you lose track of the survey link and need to find it again, you can find it on the Assessments page.

  1. Go to the Third-Parties tab and expand the target Series.

  2. Locate the name of the product and expand it. Locate the assessment you’re looking for and click the access link to copy it to your clipboard.

    In the future, it will be possible to search for assessments by name and other characteristics. At present, on this page you can only search by the series name.