Start and manage security reviews for your vendors
Updated this week

With Drata, you can efficiently conduct security reviews for your vendors directly from their profile's Security Reviews tab. You can also set up automated reminder emails and schedule questionnaires based on your vendor’s review cadence.

Overview of security review statuses

On the Current tab of the Vendors page, a table lists all of your current vendors and gives an overview of important information about them. Two columns, Security review status and Next review deadline, show the state of each vendor. You can also filter the table by these statuses.

Security review status column overview:

| Security Review Status | Definition | Recurring review status |
| --- | --- | --- |
| Up-to-date | Vendors have completed a review within 90 days of their most recent deadline. | Enabled |
| Needs review | Vendor’s review window start date has commenced and no security reviews are in-progress. | Enabled |
| In progress | Vendor has a review that is in progress | Enabled or Disabled |
| Completed | Vendor has completed a review for their vendor and does not have Recurring reviews enabled. | Disabled |
| No past reviews | Vendor has no past reviews. | Enabled or Disabled |

Next review deadline column overview:

| Next Review Deadline Status | Definition |
| --- | --- |
| Due Soon | Vendor has a review deadline within 7 days |
| Overdue | Vendor’s review deadline has passed |
| Deadline not set | Vendor does not have Recurring reviews enabled |

Automate reminder emails for your vendors

After sending out a questionnaire, you can schedule reminder emails to be automatically sent to your vendors, prompting them to complete their questionnaires.

  1. Go to the Vendors page and navigate to the Settings tab.

  2. Scroll down to the Questionnaires section and toggle on Follow-up reminders.

  3. Select the Edit icon to customize when and how often reminder emails should be sent.

Schedule questionnaires for your vendors

For vendors with recurring reviews, you can set up a schedule to automatically send them your questionnaires.

  1. Go to the Vendors page and navigate to the Settings tab.

  2. Go to the Recurring reviews section and select the edit icon to update the number of days prior to a deadline that you’d like your vendors’ review windows to begin.

    • The default is 30 days. Any scheduled questionnaires will be sent on the vendor’s review window start date.

    Go back to the Current tab and select the vendor for which you’d like to automatically schedule a questionnaire.

  3. Select Manage recurring reviews.

  4. Enable Recurring reviews and then update the Review frequency.

  5. Enable Scheduled questionnaires and choose the questionnaires you’d like to send to your vendor on their next review window. Add the Vendor contact email you would like to send the questionnaire to. View the Review start date and Review deadline.

  6. Save.

Start a Security Review

  1. Navigate to the Vendors page.

  2. Select the desired vendor.

  3. Go to the Security reviews tab to view past reviews, including SOC reviews.

  4. Select New review. You can choose to start a security review, SOC report review, or upload a completed review report.

Create a Security Review

  1. Select Security Review and enter vendor details.

  2. Add relevant files like SOC 2 reports, send questionnaires through Drata, or manually upload responses.

  3. Add final observations and select a security decision: Approve, Approve with Exceptions, or Reject.

  4. Select Mark Review as Complete to view an overview and download the summary for colleagues. Re-open the review if needed.

If you have a recurring review frequency set up and your Security Review deadline falls within 90 days of your review completion date, the deadline is automatically adjusted based on your review frequency.

For example, if you complete a review on June 10th with a June 25th deadline and a 6-month review frequency, the new deadline is December 25th (6 months from the original deadline).

Create a SOC Report Review

  1. Select SOC Report Review to begin. Use the vendor’s SOC 2 report for reference and fill out each section according to the guidance here.

    • You can Save and Close to continue later.

    • Note: You cannot start a new SOC report review for the vendor until the current review is completed or deleted.

  2. Once completed, select Finish Review.

Upload review report

If you have a review report completed outside of Drata, you can select Upload review report to upload and store it in the vendor’s profile.
