Blog / Security
October 19, 2023

Getting started with procurement

Written by
Alicia Phan
Enterprise Engineering

If you’re part of a startup or small company and haven’t thought about procurement just yet, chances are that you should. Procurement is the method by which businesses discover, review, and purchase goods or services from an external source. While larger companies may have dedicated procurement teams, it’s important for small businesses to understand the process and consider their approach to avoid challenges down the line. 

Based on our experiences as a growing company, here are some perspectives and pointers on how to start thinking about procurement — perhaps even before you have a dedicated team. We’ll cover how to build a baseline process, points to look for in the evaluation process, and critical partnerships to help stand up a foundation for your procurement program.

When should I start thinking about SaaS procurement?

If you haven’t already started thinking about SaaS procurement, we encourage you to start as early as possible. This helps avoid situations where your company ends up with a significant amount of tech debt — such as too many tools (or even tools that have overlapping functionality), distributed ownership, or scattered billing on disparate credit cards. 

Worse yet, without a clear process or owner for SaaS procurement, you can lose visibility into which tools have actually been through security and legal review, which can leave your business in violation of its service agreements.

How do I get started with procurement?

First, it’s important to align your internal stakeholders, especially your Finance, Legal, and Security teams. To help create an internal procurement process, partner with your Finance team to consider your organization’s timeline for budgeting and spend review, and get a clear perspective on payment terms that work well for your business. In addition, work with your Security and Legal teams to understand what to look for in a security review and a legal review, and the timelines and materials needed for each. 

Next, come up with a minimum viable process with defined review steps built into the approval flow. Even if it’s lightweight, this process helps requesters understand where to start when they want to buy a specific tool or piece of software, who needs to review the request, and which materials are needed. You can begin with a spreadsheet that tracks the stages and required approvals; it also keeps requesters in the loop about where their request stands.

At Vanta, we use Zip internally to create and track formal tickets for our procurement process. This gives our requesters visibility into where each request stands and allows automations that expedite review and approval.

What should I look for in the evaluation process?

Before you begin the evaluation process, it helps to understand the needs of your project and business and to gather a list of requirements. For instance, what’s the problem you’re trying to solve, and what do you actually need from the product you’re trying to buy?

For software, it can also help to understand the experience of peer or partner organizations who also use specific tools, or to draw upon your team’s experience with specific tools. In addition, it’s critical that you understand your overall SaaS toolkit across your business to help ensure there isn’t already another tool that tackles the same requirements.

Next, if needed, run a request for proposals (RFP) with multiple vendors to understand who meets your needs and requirements, and to clarify what’s important to you as a company. Pricing always comes into play, but it’s important to rank and prioritize across your requirements, budget, pricing, and relationship with the vendor.

What should I look for with vendor security reviews?

Every company has a different process for vendor security reviews, and it’s important to work with your security and legal teams to understand their approach. 

At Vanta, we typically review a vendor’s SOC 2 report in depth, as well as recent penetration tests. Our goal is to assess their overall security posture and to understand the nature of the security risk the vendor relationship poses to Vanta. When reading these documents, check that the SOC 2 report’s scope and period actually cover the service you are buying and how any auditor-noted exceptions were handled, and check whether penetration test findings were remediated and retested rather than simply listed.

In principle, we think of security risk as the likelihood of a security incident occurring multiplied by the potential impact of such an event. A security incident, in this context, is the compromise of a vendor system or code that affects its confidentiality, integrity, or availability. We follow a defined vendor security review methodology and also work closely with our Legal team if and when needed.

Who should be involved in the evaluation process?

In addition to your procurement function (no matter how new or established), we suggest involving your Legal, Security, and IT or Corporate Engineering teams for a comprehensive evaluation and review—as well as the requesting business stakeholder.

Remember that things can change throughout your evaluation process, so it’s especially important to stay close to your business stakeholder to ensure that what they’re asking for is clear and aligned with the requirements throughout the procurement process. 

For instance, there may be cases where your requester needs to move quickly for business reasons. It’s important to understand those reasons and to monitor any changes to them, so you avoid cases where procured software or tools sit unused for the length of the agreement.

Tips for getting started

Here are some additional tips from our team. We recognize that kick-starting procurement efforts can be both fun and challenging, and hope these points are helpful to keep in mind.

  • Do your research: Before going into conversations, have a clear sense of what your expected price and your budget are. This helps avoid last-minute surprises and can help set expectations for all parties involved. 

  • Ask for what you need: In the evaluation process, don’t be afraid to ask for a proof of concept (POC) to ensure the solution or product is exactly what you need. Not only does a POC offer your team a hands-on experience with the tool, but it can also help make a clear business case by ensuring it meets (or even exceeds) your requirements.

  • Keep track of renewals: Work closely with your Finance team to keep track of renewals, especially when agreements have different term lengths and renewal notice deadlines.
