A strong vendor risk management process is critical for protecting sensitive information, securing third-party interactions, ensuring compliance with standards (such as ISO 27001 and SOC 2), and mitigating risks associated with third-party services.
Creating your vendor list in Secfix
Not every vendor needs to be in scope; use the following criteria to decide which ones to include:
Key vendor categories:
Software and hardware suppliers: Vendors providing IT infrastructure (operating systems, databases, networking equipment, security appliances) that impact information security.
IT service providers: Vendors offering services like cloud storage, hosting, IT support, and SaaS platforms with access to critical IT environments.
Outsourced process providers: Vendors performing business processes involving sensitive data (e.g., payroll providers, customer support centers, logistics carriers).
Consultants and contractors: Individuals or firms with privileged system or data access during their work.
Physical security providers: Vendors responsible for physical security measures (e.g., guards, access control systems, surveillance).
Data disposal companies: Vendors managing the disposal of data or hardware, where improper handling can lead to data leakage.
Third-party data processors: Vendors who process or store data on behalf of your organization.
How to add a new vendor into Secfix
There are three ways to add vendors to Secfix.
1. Discover vendors via SSO connection
Make sure Secfix is connected to your identity provider.
Navigate to Vendors in Secfix.
Click on the Discover vendors tab.
Browse through the list of discovered apps and:
Add vendors that meet the criteria.
Ignore those that do not.
💡 This list is generated based on users logging in with your company’s domain. You can review individual employee access under the People > Access tab.
2. Manually add vendors
Go to Vendors in Secfix.
Click Add vendor (top right corner).
Enter the vendor name.
3. Import vendors via spreadsheet
Go to Vendors on Secfix.
Click Import vendors (top right corner).
Choose from:
Manually enter data
Download template
Upload file
Click Finish to complete the import.
Assign risks to vendors
Once your vendor list is complete, populate it with compliance data to meet audit requirements.
Vendor owner
Assign an owner to each vendor.
If no specific owner is assigned, default ownership should go to the ISMS management leader.
Risk level
Risk levels are not fixed; adjust them over time based on the vendor's performance and its impact on your business. Use the following as a general guide:
High risk: Vendors whose service outages over 6 hours critically disrupt operations.
Medium risk: Vendors with a manageable impact (6 hours to 5 days downtime).
Low risk: Vendors impacting non-essential services, manageable even with over a week’s downtime.
Stored data
Auditors expect you to know what types of data each vendor stores.
Identify and check the boxes for data types stored by each vendor.
Add a short description of what data is stored.
Services provided
Provide a one-sentence description of the vendor's services.
Website URL
Add the website URL. It is pre-filled if the vendor was added via the Discover vendors tab.
Privacy policy (optional)
Add the vendor’s public privacy policy URL.
Terms of use URL (optional)
Add the vendor’s public terms of use URL.
Authentication method
Choose between SSO or User/Password.
For SSO, check the MFA box if enabled.
For User/Password, set password complexity requirements.
Vendor's contact method
Pick between email and contact form. Don't worry if you have to pick contact form; auditors just want to see that you have quick access to the vendor's support if necessary.
Security and data privacy documents
Mandatory for high-risk vendors. Search for public security documentation or request it directly from the vendor's support.
If a vendor lacks certifications, send them the vendor security questionnaire (available here) and follow up as needed. Document this as a risk scenario if they do not respond in time for your audit.
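The fields above (owner, risk level, stored data, authentication method, security documents) are the ones an auditor checks, so it helps to validate a vendor export against the same rules before the audit. The script below is an added example and not Secfix's own code or template: it reads a constructed CSV export (the column names and the ISMS_LEADER address are this example's own assumptions), classifies risk from the downtime the business can tolerate using the 6-hour, 5-day and 1-week thresholds stated above, defaults a blank owner to the ISMS management leader, and lists the gaps per vendor (missing stored-data description, SSO without MFA, user/password without a complexity requirement, high-risk vendor without security documentation).

```python
import csv
import io
from dataclasses import dataclass

# Assumed default owner for vendors whose owner field is blank
# (the page says ownership defaults to the ISMS management leader).
ISMS_LEADER = "isms-lead@example.com"

# Constructed sample export. Column names are this example's own,
# not the Secfix import template.
SAMPLE_CSV = """name,owner,tolerable_downtime_hours,stored_data,auth_method,mfa,password_policy,security_docs
CloudHost,alice@example.com,2,"customer PII, backups",SSO,yes,,SOC 2 report
PayrollCo,,48,"employee PII, salaries",User/Password,,12+ chars with symbols,
OfficeSnacks,bob@example.com,240,none,User/Password,,,
AnalyticsSaaS,carol@example.com,4,usage telemetry,SSO,no,,
"""


def classify_risk(tolerable_downtime_hours) -> str:
    """Map the downtime the business can absorb onto the three tiers.

    High: an outage over 6 hours is critical, i.e. tolerance of 6 h or less.
    Medium: downtime of 6 hours to 5 days is manageable.
    Low: manageable even beyond a week.
    The page leaves the 5-to-7-day band unstated; this example keeps it at
    medium as the conservative choice. That is an assumption, not a Secfix rule.
    """
    h = float(tolerable_downtime_hours)
    if h <= 6:
        return "high"
    if h < 7 * 24:
        return "medium"
    return "low"


@dataclass
class Vendor:
    name: str
    owner: str
    risk: str
    stored_data: str
    auth_method: str
    mfa: bool
    password_policy: str
    security_docs: str


def load_vendors(csv_text: str) -> list:
    """Parse the export, apply the owner default and classify risk."""
    vendors = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendors.append(Vendor(
            name=row["name"].strip(),
            owner=row["owner"].strip() or ISMS_LEADER,
            risk=classify_risk(row["tolerable_downtime_hours"]),
            stored_data=row["stored_data"].strip(),
            auth_method=row["auth_method"].strip(),
            mfa=row["mfa"].strip().lower() == "yes",
            password_policy=row["password_policy"].strip(),
            security_docs=row["security_docs"].strip(),
        ))
    return vendors


def audit(vendors) -> dict:
    """Return, per vendor name, the gaps an auditor would ask about.

    An empty dict means every vendor record is complete.
    """
    findings = {}
    for v in vendors:
        issues = []
        if not v.stored_data:
            issues.append("stored data types not recorded")
        if v.auth_method == "SSO" and not v.mfa:
            issues.append("SSO without MFA enabled")
        if v.auth_method == "User/Password" and not v.password_policy:
            issues.append("no password complexity requirement recorded")
        if v.risk == "high" and not v.security_docs:
            issues.append("high-risk vendor without security/privacy documentation; "
                          "send the security questionnaire and log a risk scenario "
                          "if it is not answered in time")
        if issues:
            findings[v.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(load_vendors(SAMPLE_CSV)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, CloudHost and PayrollCo come back clean (PayrollCo's owner is filled with the ISMS leader), OfficeSnacks is flagged for the missing password policy, and AnalyticsSaaS, a high-risk SSO vendor, is flagged for both the missing MFA and the missing security documentation. Swap SAMPLE_CSV for your real export and adjust the column names to match it.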