
Knowledge Base
Vendor Risk Management - Suppliers
How should third-party suppliers respond to Secure Forte's supplier risk assessments?
Our aim at Secure Forte is to provide our clients and suppliers with a relevant assessment journey. Our question libraries, mitigation strategies, risk assessments and communications are therefore generated according to the supplier’s context and its impact on the client’s data and operational continuity.
Once the client submits a new supplier assessment, the platform assigns the assessment questionnaire to the supplier’s point of contact, as defined by the client in the Secure Forte portal, and notifies that person. If you are not the best person to respond to due diligence assessments, you can add someone else from your organisation to respond to the assessment questionnaires.
To assign the assessment questionnaire to other members of your organisation, browse to the Home page, go to the Assessments section and click Assessment Team. In the Assessment Team box, select “The following individual will respond to the assessment” and enter their contact details. The platform will then create their credentials and notify the nominated individuals so they can set up two-factor authentication and access the portal.
The Assessments section includes the following components:
Assessment Team (described above)
Suppliers: Please include any third-party suppliers that process your customer’s data or could affect your ability to service the client. To do this, click the Suppliers button, then on the Suppliers page click the “Add Supplier” button and enter the requested information. This information is then analysed and presented to the customer as their fourth-party suppliers.
Report: Once the assessment is finalised, you can access the report by clicking the Report button.
Issue Management: Following the finalisation of a supplier risk assessment, the client may define a set of risk-based mitigation strategies along with expected timeframes for resolving the identified issues. Based on the supplier’s response to each control, the client can take one of three actions: Approve, Reject, or Conditionally Approve.
A Rejected issue should be promptly discussed with the client to understand the reason for rejection and identify the steps needed for resolution.
A Conditionally Approved status indicates that the client requires further action to be taken. The supplier is expected to address the issue and close it within the stipulated due date.
An Approved status confirms that the client has accepted the supplier’s response, and no further action is required for that control.
Customer Data: This button will only appear if you are accessing or processing customer data. Please click the Customer Data button and include the regions where you store the customer data.
The items with “Pending” status in the Requested Assessments column are questionnaire libraries the customer assigned to you.
To begin the assessment, click the Continue Assessment button.
Please note that the platform returns you to the Home panel whenever you submit an assessment library. You must continue the assessment until the status of every pending assessment is either “Under Review” or “Finalised.”
The Compliance library is the first assessment to appear in the flow.
** Note: There may be areas in the Compliance library where you are already certified or independently attested by qualified audit firms. In this case, a new box will appear, allowing you to receive a “Defined” (3/5) rating on the ISACA CMMI scale. By agreeing to this option, you can skip responding to the assessment libraries listed in this box.
** Note: The assessment questionnaires are scenario-based, and each scenario is supported by its associated evidence. By submitting the assessment, you agree that you can demonstrate the evidence suggested by the platform to the client or their dedicated auditors.
The platform offers two types of assessments: Autopilot and Auditor-Driven modes.
Autopilot: Once the supplier submits the assessment libraries, the platform finalises the assessment and generates the associated reports.
Auditor-Driven: A dedicated auditor will work closely with the supplier to review the evidence of control implementation and finalise the assessment.
Vendor Risk Management - Self-Assessment on Behalf of a Supplier
What is Self-Assessment?
In certain cases, a supplier may be unable or unwilling to participate directly in the risk assessment process. While direct supplier engagement is the preferred approach, the platform allows clients to initiate and complete an assessment on behalf of the supplier if necessary.
How do I perform a self-assessment on behalf of a supplier?
To conduct a self-assessment on behalf of a supplier, navigate to the Suppliers section and click the relevant supplier’s name. From there, select “Request Assessment” and tick the checkbox for conducting the assessment on the supplier’s behalf. A confirmation pop-up will then appear, allowing you to proceed with the assessment.
Uploading Recognised Reports/Certifications
During this process, the user will be prompted to upload any available attestation reports or certifications related to the supplier’s operational environment. The platform currently recognises the following internationally accepted standards and frameworks:
Information Security: ISO/IEC 27001, NIST Cybersecurity Framework, Australian Government Information Security Manual, ENISA National Capabilities Assessment Framework, HITRUST Cybersecurity Framework, United Kingdom’s NCSC – Cyber Assessment Framework, New Zealand Protective Security Requirements, Cloud Security Alliance (CSA) Star Level 2, AICPA SOC 2 Type 1, AICPA SOC 2 Type 2
Data Privacy: ISO/IEC 27701
Quality Management: ISO 9001
Automated Scoring of Assessment Responses
If valid documentation is uploaded for any of the above, the platform will assign a Defined (3/5) rating in line with the ISACA Capability Maturity Model (CMM). For areas where no documentation is uploaded, the assessment will default to an Initial (1/5) rating.
Managing Assessment Responses
Users may review or update responses and supporting documentation at any time by navigating to the Supplier Reports section and clicking Audit Data under the Compliance Assessment panel. This allows clients to refine the assessment based on other evidence of control implementation received from the supplier.
Business Profile
What is the purpose of the Business Profile page?
The Business Profile section is the first step in establishing the organisation’s context for the Secure Forte platform. The platform will use the basic information collected in this section to generate a relevant threat profile for the organisation and its primary assets.
For example, the Resilience Assessment would be uniquely generated based on the organisation’s Business Profile.
Another example is the calculation of risks demonstrated in the Risk dashboard. The information collected in the Business Profile section will be considered to generate an organisational threat profile, which is then used as one of the components in the risk assessment process.
To add or modify the Business Profile section, open the Business Profile page, select the Primary Asset for which you would like to enter the required information (industry, country, workforce, data, and legal, regulatory or contractual obligations), and press the Update and Save button.