Summary
Conducting a vendor assessment helps you evaluate a vendor's security posture and compliance status. This process involves three main steps: collecting relevant sources, reviewing those sources, and finalizing your assessment with findings and recommendations.
Getting Started
- Navigate to the vendor you want to assess (or create a new vendor profile)
- Select Start Assessment
Customize Your Assessment Name
Whistic automatically names your assessment using the current month and date (example: March 2025 Review). To customize this name:
- Click the pencil icon next to the assessment name header
- Enter your preferred name
- Save your changes
Step 1: Collect Sources
Your goal is to gather all sources you want included in the assessment. You have three options:
Option 1: Trust Center Capture
Jumpstart your assessment by leveraging AI to gather documents on publicly available Trust Centers:
Option 2: Use Existing Sources
Jumpstart your assessment by using sources you already have:
- Select the Select or Upload Sources option
- Review the available sources from:
- Trust Center Exchange
- Document Repository
- Previous Assessments
- Previous Requests
- Use filters to refine your selection
- Select Upload Documents to add additional files if needed
Option 3: Request New Sources
If you need additional information from the vendor:
- Request Questionnaires - Send security questionnaires to the vendor
- Request Documents - Request specific documentation (SOC 2 reports, certifications, etc.)
Step 2: Review Sources
The Review page contains the following sections:
Whistic AI (formerly Copilot)
Let AI assist with your review process automatically.
Assessment Sources
Returned and/or Available for Review
These items are ready for your review:
Awaiting Response from Vendor
These requests are still pending with the vendor. Available actions:
- Reassign - Transfer to a different team member
- Cancel - Remove the request
- Access Vendor Registration Link - Get the link to share with vendors
Step 3: Finalize Assessment
Consolidate all findings from your reviewed sources:
Complete Your Assessment:
- Select an Assessment Status - Choose the appropriate final status (required)
- Write an Executive Summary - Provide high-level findings and recommendations
- Catalog Issues - Document any security concerns or gaps identified
- Reference Sources - Note which sources informed your conclusions
What's Next?
After completing your assessment:
- Return to the Vendor Details page
- View Assessment Folders - Access your newly created assessment
- Use Shortcuts - Quickly manage sources within the assessment
- Archive Assessments - Clean up older assessments as needed
FAQ
How long does a typical assessment take?
Assessment time varies based on the number of sources and the complexity of the review. Most assessments can be completed within 1 to 3 business days.
Can I save my progress and return later?
Yes, your assessment progress is automatically saved. You can return to any step at any time before finalizing.
What happens if a vendor doesn't respond to my requests?
You can reassign requests to other team members, cancel them, or follow up directly with the vendor using the registration link.
Can I modify an assessment after it's finalized?
Once finalized, assessments become read-only. You'll need to create a new assessment to make changes or updates.
What's the difference between using existing sources vs. requesting new ones?
Existing sources let you quickly start reviewing with information you already have. Requesting new sources involves waiting for vendor responses but ensures you have the most current information.
How do I know which sources to include in my assessment?
Include sources that are relevant to your security requirements and the vendor's risk profile. Common sources include SOC 2 reports, security questionnaires, and compliance certifications.