Vendor due diligence is essential in mitigating risks and securing your business operations. With mounting regulatory demands and shifting market conditions, understanding how to assess vendor risks and compliance is more critical than ever.
This blog post is your starting point for integrating due diligence into your business practice, offering strategies without disclosing specific checklist items too early.
Vendor Due Diligence (VDD) forms the basis of a secure vendor selection process. It helps you assess third-party vendors in terms of:
This process provides a solid foundation for informed decision-making, effective risk management, and enhanced operational efficiency (including business continuity).
The due diligence process primarily includes regulatory compliance assessments and, depending on the situation and your organization’s risk appetite, may also include:
Together, these steps are crucial for an unbiased analysis of a particular vendor. Conducting thorough due diligence will help your organization uncover hidden risks and preserve its reputation. After all, your vendors’ actions could significantly impact your company’s reputation.
The scope of the vendor due diligence process continues to evolve, adapting to the ever-changing business landscape.
For example, one critical development is the incorporation of Environmental, Social, and Governance (ESG) considerations into vendor due diligence. ESG factors have become a significant part of vendor risk assessments, as they can impact operational, regulatory, and reputational factors. From managing natural resources to observing ethical labor practices, these factors can significantly influence a vendor’s reputation and operational efficiency.
Another crucial expansion of vendor due diligence is data protection. With regulations like GDPR, HIPAA, and CCPA becoming more stringent, businesses are emphasizing vendor due diligence to guard against breaches involving Personal Health Information (PHI) and Personally Identifiable Information (PII).
As the landscape of vendor risk management continues to evolve, it is incumbent upon organizations to similarly evolve their approach to vendor due diligence to keep pace with these changes.
There are several approaches to conducting vendor due diligence. Depending on your internal expertise, resources, and risk priorities, you can opt for an in-house, outsourced, or hybrid strategy.
In-house vendor due diligence allows you to verify the vendor’s claims directly, identifying unethical practices and verifying regulatory compliance. On the other hand, outsourcing the process leverages external expertise, freeing up your internal resources to focus on risk mitigation.
Hybrid strategies offer the best of both worlds, combining in-house, shared, and outsourced methods for a comprehensive risk management program. This approach ensures a tailored and robust risk management plan that suits your organization’s unique needs.
Vendor risk is just one piece of the puzzle. See how you can build a cohesive compliance and risk strategy.
Vendor due diligence is a key step in your procurement process. It is done at the start of a new vendor relationship, and continually, as an ongoing best practice:
A vendor due diligence questionnaire should include:
This checklist guides the sales process of conducting comprehensive and consistent evaluations of prospective vendors and understanding any inherent risk in working with these organizations.
Financial due diligence forms another crucial part of the checklist. It involves reviewing the vendor’s financial information, including:
This is done to assess their financial stability. Publicly traded companies should be monitored through quarterly filings, while private companies should regularly provide financial reports for ongoing financial transparency.
Lastly, the checklist should also include:
Adopting a risk-based approach is a critical component of effective vendor due diligence. This involves assessing the types and severity of risks posed by vendors prior to selection and onboarding.
To facilitate this, vendors can be categorized into tiers, with more resources and effort focused on high-risk vendors. This ensures that the greatest potential harm to the business is addressed first, aided by the use of vendor risk intelligence networks.
In addition to the items listed in the previous section, robust due diligence for high-risk vendors can include:
Continuous monitoring and open communication between relevant internal stakeholders, such as procurement, legal, and IT departments, are also crucial for consistency in adopting and adapting a risk-based due diligence approach.
As already mentioned, it’s essential to extend the process of managing vendor risks beyond initial due diligence. Continuous monitoring is a strategic discipline that ensures vendors meet performance expectations and that potential risks are proactively identified and mitigated.
Monitoring techniques may include:
Disaster recovery plans, employee training protocols, and due diligence conducted on subcontractors should also be part of operational risk assessments.
Real-time risk intelligence plays a crucial role in risk management. For instance, a technology company that proactively monitors vendor cybersecurity may be able to avoid a data breach, illustrating the value of real-time risk intelligence in better risk management outcomes.
Automated third-party risk management platforms can streamline vendor due diligence processes, as they offer:
Moreover, an automated vendor management program offers the following benefits in terms of vendor risk management:
Thoropass can help! With our thorough risk assessment, fast certifications, and automated workflow audits, we strive to make staying within compliance as easy as possible. Speak to a member of our team today to learn more or request your demo.
Adequate due diligence plays a crucial role in assessing third-party vendors, ensuring informed decision-making, risk management, compliance, and operational efficiency. From understanding the expanding scope of vendor due diligence requirements to leveraging technology and automation, organizations can better equip themselves to navigate the challenges of vendor due diligence and reap the benefits of effective vendor management.
So, as you continue to grow and onboard new vendors, remember that the due diligence process is not a mere formality. It’s a critical tool that safeguards your organization’s reputation, financial stability, and operational efficiency. Embrace the process, leverage technology, and stay ahead of potential risk.
When performing due diligence on vendors, consider six core areas: General company information, financial review, reputational risk, insurance, information security technical review, and policy review. This will ensure a thorough vetting process.
Vendor Due Diligence (VDD) is important because it enables informed decision-making, effective risk management, compliance, and operational efficiency when assessing third-party vendors.
In recent years, the scope of vendor due diligence has expanded to encompass Environmental, Social, and Governance (ESG) factors, complex supply chains, data protection regulations, and broader aspects like manufacturing and business continuity. This expansion reflects the evolving landscape of vendor risk management.
Buyer due diligence happens when a potential buyer investigates a company or asset they’re interested in purchasing. It’s all about assessing risks, opportunities, and potential benefits from the buyer’s perspective. On the flip side, vendor due diligence is done by the seller before putting their business or asset up for sale. It’s about preparing the company for sale by addressing any issues upfront and providing comprehensive information to potential buyers.
Timing-wise, buyer due diligence comes after expressing interest, while vendor due diligence happens before the sale. In terms of control, buyers lead their due diligence, while sellers take charge of vendor due diligence. Despite these differences, both processes are crucial for smoothing out the sale process and ensuring informed decisions on both sides.
Note: This post was originally published in June 2022 and first updated on May 4, 2024. It has since been updated, revised, and reviewed by internal experts.
Oro provides content designed to educate and help audiences on their compliance journey.
Imagine a world where you could confidently assess the security risks of your third-party vendors, ensuring the safety of your sensitive data and protecting your organization’s reputation. Sounds perfect, right?
When working with a new third-party vendor, it’s important to identify any risk that may arise. However, when working with multiple companies across industries, it can be difficult to keep up to date with industry security and compliance standards.
Luckily, there is an easy way to build, customize, analyze, and store vendor assessments of third-party vendors and manage risk. This is done through the Standardized Information Gathering (SIG) questionnaire.
The SIG is a shared assessments questionnaire that allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk. The SIG is published yearly by a non-profit called Shared Assessments.
Even though this precaution has been around for years, this practice hasn’t been stagnant. Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps. Because Shared Assessments updates the SIG every year, your brand will need to conduct similar assessments of your vendors to stay in compliance.
The SIG questionnaire, created by Shared Assessments, is a powerful tool that allows organizations to assess third-party risk across 19 domains. They are:
With the ever-evolving landscape of regulations and privacy challenges, the 2023 SIG questionnaire is updated to address the implementation of:
Understand the inherent risks of using third parties and perform adequate due diligence activities to minimize these risks.
The SIG was designed to be a comprehensive assessment tool for multiple industries. Its comprehensive design allows for a wide variety of uses:
Each of these organizations may have a different requirement for the tasks and decisions needed to configure and implement the SIG into their programs. Additionally, two different types of SIG assessments can be used.
The SIG questionnaire comes in two flavors: Core and Lite. Both versions are designed to help organizations assess and manage third-party risks effectively, but they serve different purposes depending on the level of assessment required.
These two assessments cover the same risk areas, but as the names suggest, one goes deeper than the other. Let’s break down the differences.
The SIG Core questionnaire is detailed and designed to assess third parties or vendors that store and/or manage sensitive, regulated data. The goal is to provide a deep understanding of how these third parties secure information, and it incorporates extensive language on privacy and compliance regulations. The SIG Core is the larger of the two questionnaires, clocking in at 855 questions targeting 19 risk domains. The breadth of questions makes it easier for security teams to compare vendors and choose their ideal partner.
Recent updates to the SIG Core for 2023 include:
The SIG Core questionnaire is a comprehensive tool with 855 questions covering 19 risk controls, making it suitable for assessing third parties handling sensitive or regulated information. By providing a more detailed analysis of a third party’s security practices, the SIG Core questionnaire ensures compliance with various legal requirements and industry best practices for protecting personal data.
Furthermore, the ability to tailor the questions for each vendor enables organizations to obtain the specific information they need for an effective third-party risk assessment.
In contrast, the SIG Lite questionnaire is designed to give users a broader understanding of a third party’s internal information and security controls. This questionnaire offers a basic level of assessment due diligence with only about 126 questions. It’s common to use the SIG Lite as a preliminary assessment of a vendor before bringing in the SIG Core for a more extensive evaluation.
Recent updates to the SIG Lite 2023 include:
Both the SIG Core and SIG Lite can be purchased from Shared Assessments or can be licensed for use in applications. If your organization has questions about how to remain in SIG compliance, you can work with a team of compliance professionals to ensure you’re aware of all vendor risks.
SIG Lite is a shorter questionnaire consisting of approximately 126 questions that provide a high-level overview of a third party’s internal security controls. This condensed version is perfect for organizations looking for a quick yet insightful assessment of a vendor’s security posture.
The SIG Lite questionnaire can be completed faster than the Core version, saving time on due diligence without compromising the evaluation of a vendor’s security practices.
Implementing the SIG questionnaire at your organization involves a few crucial steps, including:
By following these steps, organizations can ensure they are working with secure and trustworthy vendors while minimizing the risk of security breaches and other potential issues.
Organizations should take the time to thoroughly assess vendor candidates and map their security controls to compliance.
The vendor assessment process involves sending the SIG questionnaire to potential vendors, evaluating their responses, and determining their risk posture. This process is essential for organizations to ensure they are working with secure and trustworthy vendors, as well as identifying and mitigating any potential risks associated with third-party relationships.
By continuously monitoring and reviewing vendor assessments, organizations can proactively address potential risks and maintain a secure supply chain.
The SIG questionnaire not only helps organizations assess the security risks of their vendors but also assists in mapping vendor security controls to various compliance requirements. By providing a comprehensive set of questions that cover a wide range of security topics, the SIG questionnaire simplifies the process of ensuring vendor compliance with relevant regulations and industry standards including SOC 2, ISO 27001, and NIST.
This comprehensive approach to vendor risk assessment enables organizations to make informed decisions about their third-party relationships while minimizing potential security risks.
Take your compliance one step further and manage multiple audits and assessments with ease. Thoropass provides a complete compliance platform with scalable workflows and fast, effective, comprehensive audits. Request a demo today to learn how to use one vendor for all your infosec compliance needs.
A SIG questionnaire is a security assessment tool used to gain insights into a vendor’s risk posture by asking them standard questions about their security policies and procedures.
These questions can help identify areas of risk and potential vulnerabilities that may need to be addressed. They can also provide valuable information about the vendor’s security posture and how it compares to industry standards.
Standardized Information Gathering (SIG) is a security assessment questionnaire developed by the Shared Assessments nonprofit, which seeks to standardize third-party risk assessments and maintains a vendor risk assessment questionnaire indexed to many regulatory standards.
The questionnaire is designed to help organizations assess the security posture of their vendors and third-party service providers. It is a comprehensive set of questions that cover a wide range of security topics, including physical security, data security, and incident response, and it is intended to serve as a baseline for assessing a vendor’s security posture.
The SIG Core questionnaire consists of 850 questions covering all 19 risk controls:
The SIG Lite questionnaire is a simpler version of the larger SIG assessment, taking its high-level concepts and questions but distilling them down to fewer questions. It is beneficial for vendors with less inherent risk.
Security ratings make third-party risk management more effective by offering continuous monitoring of vendors and creating a common language for stakeholders, making data from questionnaires easier to interpret. This helps to ensure that all stakeholders are on the same page when it comes to assessing risk and making decisions. It also makes it easier to identify potential issues and take corrective action quickly. Overall, security ratings provide a valuable tool for organizations to better manage their security.
Read more from CISO Jay Trinckes on how we approach third-party risk management at Thoropass.
We’re happy to join Feathery in announcing their SOC 2 Type 1 compliance! The team worked late hours against hard deadlines to ensure the product was secure for customers. Laika is happy to partner with Feathery to monitor their security posture on an ongoing basis.
Companies and product teams, especially in sensitive industries, use Feathery to build forms and place a significant level of trust in the solution with form data. Achieving SOC 2 Type I compliance is Feathery’s reciprocation of trust and demonstrating a high level of commitment to the proper handling of form data.
“Becoming SOC 2 Type 1 compliant increased customer trust when speaking to prospective customers who care about data security and privacy,” said Peter Dun, Feathery’s founder and CEO.
As a form-building platform handling customer data for companies in highly-regulated spaces like fintech and insurance, Feathery knew SOC 2 compliance was table stakes. What they didn’t anticipate, however, was just how much of a priority it would be for early customers.
In fact, Feathery’s very first customer, a fast-growing fintech startup offering auto refinancing, asked for a SOC 2 report during the first call. Working with Laika allowed the team to quickly and easily achieve SOC 2 compliance.
“Feathery prioritized their customers’ trust and earned a SOC 2 report at an accelerated pace, without sacrificing quality,” said Vince Loncto, CSM at Laika. “We enjoyed partnering with the team on their compliance journey and we look forward to watching the product empower SaaS solutions.”
Feathery executed SOC 2 Type 1 through Laika’s integrated audit feature with Laika Compliance, LLC. The product is currently in beta to exclusive customers.
Feathery is a low-code platform that helps product teams build best-in-class forms for sign up, onboarding, and more. We’re currently in private beta and working directly with startups that need help building and launching these types of forms.
If you’re a Feathery customer looking for a copy of the SOC 2 report, please reach out to [email protected].
If you’ve ever sold into an enterprise business, you know the pain of the procurement process.
When we speak to companies tackling the compliance process for the first time, we find that many businesses pursue certifications after requests from their customers and partners. Whether you get stuck answering security questionnaires, or don’t have a shining SOC 2 report to share, businesses eventually need to demonstrate their security postures to bring in new business.
That’s where the enterprise procurement process comes in.
In short, enterprise procurement involves a series of processes through which large institutions identify, evaluate, and purchase critical vendor services.
There are a series of steps in the procurement process that enterprises follow. While we’re not going to touch on all of them here, we will focus on the significant impact of your compliance certifications. Our experts know how enterprise companies evaluate vendor services and we’ll point out how to navigate the procurement process.
Let’s start this story at the beginning.
Picture it: the year is 2012. Big banks outsource technology and operations to third-party vendors for ease of use and efficiency. The downfall? Little to zero oversight into vendor security processes, resulting in breaches, and at worst, unavailability of services to the market. In the wake of multiple data-related incidents, the financial industry started the push toward SOC 2 compliance by 2013.
Our co-founder, Eva Pittas, worked at Citigroup at the time and managed the response to regulators. Over time, the regulations imposed by banks onto their vendors and partners set the benchmark across industries.
The proliferation of solutions through digital banks turned the industry toward automation. Consultants began to assist with demonstrating compliance. However, quality solutions pairing expertise and automation were few and far between. This is why Eva cofounded Laika with Sam Li and Austin Ogilvie.
When enterprises identify a need to fulfill a service, they face the “build it or buy it” conundrum. More often than not, they pick “buy.”
Based on the need, the business researches vendors that satisfy the requirements and begins the evaluation process. In an ideal situation, the vendors are ranked according to the risk associated with the need.
For example, if a bank needs to obtain a vendor to process loans, it’s a highly critical process. In turn, the vendor ensures a secure process through appropriate compliance. We’re referring to this process as “risk ranking.”
Enterprises review multiple vendors to determine which is the best and safest offering. The procurement team examines features, functionality, cost, security, and compliance controls. This team involves compliance and risk management, legal, and even an independent procurement team to move the process forward.
Based on the risk rating, the company determines expectations around uptime, SLAs, and the criticality of the need. If the process is of low criticality, vendors can expect fewer requirements; for high-criticality needs, the requirements are more stringent and may involve a long assessment period, similar to that of an audit.
It’s likely that your company fields security questionnaires during the procurement process, which are usually used as the first line of evaluation by the enterprise. These questionnaires can be hundreds of questions long and are intended to assess your current security posture, among other features of your business.
These questionnaires examine the controls in place to protect the operations of your business. As we know, each SOC 2, ISO 27001, or other compliance program should be unique to the business it covers. Enterprise buyers need to see that you have taken steps to implement processes that ensure the availability of services and the integrity of data processing.
Once you pass this initial inspection by the procurement team, they’ll dig into specifics.
Vendors execute risk assessments at least annually or with significant changes to operations or the business. This should be a core part of a vendor management process.
Like risk assessments conducted for ISO 27001 or SOC 2, the assessment should speak to remediated risks and identify areas for improvement, as well as a path to improvement. You can work with the buyer to understand key controls that can improve your product or service. This shouldn’t be considered a make-or-break, but a building block to growth.
Regulated industry risks increase over time. These assessments should be the first step in examining how a delay or break in service could impact the business and its consumers.
If your business provides a highly critical service, you should expect an annual audit by the enterprise, on top of whatever compliance frameworks you need to keep up-to-date. Some enterprises may ask to visit your offices or facilities to perform an in-person audit.
This audit can seriously impact your reputation. During Eva’s time at Citibank, big banks commonly leveraged a particular vendor to perform a critical task. One of the banks examined the vendor’s compliance and security posture and found noncompliance. As a result, the CEO rang the alarm to rival banks and warned them about this vendor’s noncompliance.
Ultimately, this move protected consumers, and effectively ruined the reputation of the vendor.
Most of our customers experience high growth rates after implementing a compliance framework. Our team helps prepare for their first round of procurement by focusing on what enterprise buyers expect in robust compliance postures.
As we preach, not all compliance implementation and audits are created equal. Yours should be unique to your business offering. This means the quality of your audit report weighs heavily on any due diligence process.
When you are selling a service to other businesses, the industry expects you to grow and improve your offering over time. Your compliance program should reflect this.
We work to educate our customers on what types of questions to expect, how to answer security questionnaires with speed and accuracy, and understand how their services may be assessed and audited by buyers.
Laika’s robust library contains answers to hundreds of questions that may appear on a security questionnaire. We store all compliance-related information in one place, for ease of reference. Our compliance architect team executes risk assessments with your growth plans in mind.
For more information on how enterprise buyers read a SOC 2 report, check out our post here.