Product updates
Vanta announces enhanced Risk Management solution
BlogsProduct updates
October 10, 2022

Vanta announces enhanced Risk Management solution

Vanta is thrilled to announce expanded capabilities to our existing Risk Management solution. Thousands of customers already use Vanta’s Risk Management solution to reduce corporate risk, demonstrate compliance during audits, and build strong compliance and security postures.

The expanded capabilities include alignment with the ISO risk assessment framework and pre-built, quick-start content and workflows, including a risk library, suggested mitigating controls, risk prioritization calculations, ownership assignment, automated mitigation tracking, and risk reporting. Let’s take a deeper look.

Understanding risk assessment

A risk assessment is a required exercise as part of most standards and frameworks such as SOC 2, ISO 27001, HIPAA, PCI DSS and more. The process enables an organization to understand and address potential risks to its critical data and ability to conduct its business. Each risk assessment is tailored to the unique risks and context of each organization, but the industry-accepted risk assessment methodology has the common five steps as shown below.

While the process is often called a risk assessment, as the diagram below indicates, the process is more than just assessing risk. The end goal of the process is to manage and reduce risk.

Assessing risk cycle

One of the most pragmatic, well-defined, and widely-accepted risk assessment methodology is the ISO 27005 information security risk management guideline. This methodology is an industry “gold standard” and can be applied to meet the requirements of all information security and data privacy standards that require risk assessment. So if done correctly, you only need to do risk assessments following the ISO methodology; no need to repeat for other standards.

Many organizations, especially smaller organizations new to risk assessments, struggle doing risk management for the reasons below and as a result they end up with excessive risk, possible audit issues, increased labor costs, and delayed revenue from not having a timely compliance attestation or certification:

  • Manual and complex: A traditional approach to assessing risks can require lots of manual spreadsheets and documents, including emails and phone calls to internal task owners in order to gather evidence and understand their risk environment. For organizations new to the risk assessment process, or for users who are not deep risk and compliance experts, it can be overwhelming to know how and where to start and how to perform all the steps. Most risk assessment products are too complex and granular for a non-expert user.

  • Limited and siloed: Some risk management tools are not rigorous enough to cover multiple standards, so organizations are limited in how many standards they can comply with and the tool cannot grow with them. These tools can be rigid and offer limited customization to meet unique needs and requirements. They are often stand-alone tools, with no integration or synergies with other compliance and risk systems and processes, without a hub or view into the full risk and compliance posture.

Vanta’s Risk Management solution

At a high level, Vanta’s enhanced Risk Management solution is a robust, automated offering based on the ISO 27005 risk assessment guidelines and methodology that aligns to the five main stages of a risk assessment. This solution allows users to have a single, robust process to follow in order to meet the risk assessment requirements of all major standards.

Vanta’s automation makes it easy to assess and reduce risk and improve security posture on a proactive, continuous basis; it’s not just a point in time review to check a compliance box. Organizations can enjoy a robust yet simple risk assessment process, faster and successful audits, lowered labor costs, and accelerated revenue from timely compliance attestations or certifications. Vanta’s offering is:

  • Automated and simplified: The Risk Management solution is an integrated SaaS solution that removes the need for spreadsheets and back and forth emails with internals and auditors. It includes pre-built content and workflows to guide organizations, even if new to risk assessments, efficiently through the entire process. The Risk Management solution utilizes pre-built risk scenarios and related treatment plans/controls, as well as automated review/approval, task tracking and testing of mitigating controls via integrations to ensure risk treatment plans are implemented. It also contains reports to manage and measure risk at a high-level, especially for executives or auditors.

  • Comprehensive and integrated: The Risk Management solution is a single ISO-aligned risk assessment solution that is rigorous, captures best practices, and will be accepted by auditors for most standards and frameworks such as ISO, SOC 2, PCI, HIPAA, and more. It can be heavily customized to incorporate unique threats and treatment plans you have, so it is a truly future-proof solution. It's also integrated into Vanta’s broader compliance platform for one hub and interface addressing compliance, risk management, and security.

Some additional detail on functionality in the solution, aligned to the five main risk assessment steps, is below.

Risk Assessment stage

All stages

  • Workflows to smoothly guide the customer through the end-to-end RA process
  • Auditor portal for auditors to view progress and results, and interact with customers directly through product to accelerate audits


  • Library of 50+ risks across common categories such as Access Management, HR security and Sensitive Data
  • Library of 50+ common risk scenarios (aka Risk Library)
  • Assign risk scenario owner for accountability and approval of risk treatment plan

Assess and prioritize

  • Automated risk scoring and prioritization

Treatment and controls

  • Treatment selector with customized workflows per treatment type (accept, transfer, mitigate, avoid)
  • Add tasks, including assigning an owner and due date.
  • Add controls, with controls automatically suggested and mapped to the risk scenario and also possibly containing policies
  • Automated notifications to task owners of their task

Implement and measure

  • Automated notifications to risk scenario owners or task owners if they miss due dates
  • Automatically verify control progress for mitigating controls


  • Includes color-coded risk matrix and proof of annual assessment and improvements
  • Snapshot a risk assessment at a point in time to track progress, share progress with auditors, and show evidence of prior completion

Since a picture is worth a thousand words, let’s take a look at some of the interface:

Image 1: Choose from common risk categories or add your own.

Choose from common risk scenarios and score them.
Image 2: Choose from common risk scenarios and score them.

For each risk scenario, assign owners, a treatment plan, tasks, and owners. Vanta will automate most of the treatment and task assignment and management.
Image 3: For each risk scenario, assign owners, a treatment plan, tasks, and owners. Vanta will automate most of the treatment and task assignment and management.

 Color-coded risk matrix and reporting to view risk management and progress at a high-level.
Image 4 (in Beta): Color-coded risk matrix and reporting to view risk management and progress at a high-level.

The enhanced Vanta Risk Management solution is accessible in a few ways:

  • For new customers, it is available now in Vanta. Log in to Vanta to try it out!
  • For existing customers, to have it enabled, please contact your Customer Success Manager or Account Executive.
  • For those not yet a customer but would like to learn more about Vanta and our risk and compliance capabilities, please contact us to learn more and see a custom demo.

Join the risk management webinar

Interested in learing more about Vanta's Risk Management solution? In this live webinar, De-risky business webinar, Matt Cooper shares how to simplify and automate the entire risk assessment process.

More about risk assessments

Coffee & Compliance: Demystifying risk assessment video

Risk assessment 101 guidebook

Differentiator among compliance automation software: Risk assessment register

AUTHORS: Joe Goldberg (Product Marketing), Soleil Kellar (Product Management), Matt Cooper (Privacy, Risk and Compliance)

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes