
Vanta announces enhanced Risk Management solution
Vanta is thrilled to announce expanded capabilities to our existing Risk Management solution. Thousands of customers already use Vanta’s Risk Management solution to reduce corporate risk, demonstrate compliance during audits, and build strong compliance and security postures.
The expanded capabilities include alignment with the ISO risk assessment framework and pre-built, quick-start content and workflows, including a risk library, suggested mitigating controls, risk prioritization calculations, ownership assignment, automated mitigation tracking, and risk reporting. Let’s take a deeper look.
Understanding risk assessment
A risk assessment is a required exercise as part of most standards and frameworks such as SOC 2, ISO 27001, HIPAA, PCI DSS and more. The process enables an organization to understand and address potential risks to its critical data and ability to conduct its business. Each risk assessment is tailored to the unique risks and context of each organization, but the industry-accepted risk assessment methodology has the common five steps as shown below.
While the process is often called a risk assessment, as the diagram below indicates, the process is more than just assessing risk. The end goal of the process is to manage and reduce risk.

One of the most pragmatic, well-defined, and widely accepted risk assessment methodologies is the ISO 27005 information security risk management guideline. This methodology is an industry “gold standard” and can be applied to meet the requirements of all information security and data privacy standards that require a risk assessment. So if done correctly, you only need to perform risk assessments following the ISO methodology; there is no need to repeat the exercise for each other standard.
Many organizations, especially smaller organizations new to risk assessments, struggle with risk management for the reasons below. As a result, they end up with excessive risk, possible audit issues, increased labor costs, and delayed revenue from not having a timely compliance attestation or certification:
- Manual and complex: A traditional approach to assessing risks can require lots of manual spreadsheets and documents, including emails and phone calls to internal task owners in order to gather evidence and understand their risk environment. For organizations new to the risk assessment process, or for users who are not deep risk and compliance experts, it can be overwhelming to know how and where to start and how to perform all the steps. Most risk assessment products are too complex and granular for a non-expert user.
- Limited and siloed: Some risk management tools are not rigorous enough to cover multiple standards, so organizations are limited in how many standards they can comply with, and the tool cannot grow with them. These tools can be rigid and offer limited customization to meet unique needs and requirements. They are often stand-alone tools, with no integration or synergies with other compliance and risk systems and processes, and without a hub or view into the full risk and compliance posture.
Vanta’s Risk Management solution
At a high level, Vanta’s enhanced Risk Management solution is a robust, automated offering based on the ISO 27005 risk assessment guidelines and methodology that aligns to the five main stages of a risk assessment. This solution allows users to have a single, robust process to follow in order to meet the risk assessment requirements of all major standards.
Vanta’s automation makes it easy to assess and reduce risk and improve security posture on a proactive, continuous basis; it’s not just a point-in-time review to check a compliance box. Organizations can enjoy a robust yet simple risk assessment process, faster and more successful audits, lower labor costs, and accelerated revenue from timely compliance attestations or certifications. Vanta’s offering is:
- Automated and simplified: The Risk Management solution is an integrated SaaS solution that removes the need for spreadsheets and back-and-forth emails with internal staff and auditors. It includes pre-built content and workflows to guide organizations, even those new to risk assessments, efficiently through the entire process. The Risk Management solution utilizes pre-built risk scenarios and related treatment plans/controls, as well as automated review/approval, task tracking, and testing of mitigating controls via integrations to ensure risk treatment plans are implemented. It also contains reports to manage and measure risk at a high level, especially for executives or auditors.
- Comprehensive and integrated: The Risk Management solution is a single ISO-aligned risk assessment solution that is rigorous, captures best practices, and will be accepted by auditors for most standards and frameworks such as ISO, SOC 2, PCI, HIPAA, and more. It can be heavily customized to incorporate unique threats and treatment plans you have, so it is a truly future-proof solution. It's also integrated into Vanta’s broader compliance platform for one hub and interface addressing compliance, risk management, and security.
Some additional detail on functionality in the solution, aligned to the five main risk assessment steps, is below.
Functionality by risk assessment stage
All stages
- Workflows to smoothly guide the customer through the end-to-end risk assessment (RA) process
- Auditor portal for auditors to view progress and results, and interact with customers directly through product to accelerate audits
Identify
- Library of 50+ risks across common categories such as Access Management, HR security and Sensitive Data
- Library of 50+ common risk scenarios (aka Risk Library)
- Assign risk scenario owner for accountability and approval of risk treatment plan
Assess and prioritize
- Automated risk scoring and prioritization
Treatment and controls
- Treatment selector with customized workflows per treatment type (accept, transfer, mitigate, avoid)
- Add tasks, including assigning an owner and due date
- Add controls, with controls automatically suggested and mapped to the risk scenario and also possibly containing policies
- Automated notifications to task owners of their task
Implement and measure
- Automated notifications to risk scenario owners or task owners if they miss due dates
- Automatically verify control progress for mitigating controls
Report
- Includes color-coded risk matrix and proof of annual assessment and improvements
- Snapshot a risk assessment at a point in time to track progress, share progress with auditors, and show evidence of prior completion
Since a picture is worth a thousand words, let’s take a look at some of the interface:




The enhanced Vanta Risk Management solution is accessible in a few ways:
- For new customers, it is available now in Vanta. Log in to Vanta to try it out!
- For existing customers, to have it enabled, please contact your Customer Success Manager or Account Executive.
- For those not yet a customer but would like to learn more about Vanta and our risk and compliance capabilities, please contact us to learn more and see a custom demo.
Join the risk management webinar
Interested in learning more about Vanta's Risk Management solution? In this live webinar, De-risky business, Matt Cooper shares how to simplify and automate the entire risk assessment process.
More about risk assessments
Coffee & Compliance: Demystifying risk assessment video
Risk assessment 101 guidebook
Differentiator among compliance automation software: Risk assessment register
AUTHORS: Joe Goldberg (Product Marketing), Soleil Kellar (Product Management), Matt Cooper (Privacy, Risk and Compliance)

PCI Compliance Selection Guide
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (such as an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises.
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Questions?
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.