Your GRC Tool Tracks Your Vendors. It Can't Tell You If the Assessments Are Actually Right.


We review what your GRC tool produced — catching misclassified vendors, inaccurate AI-generated assessments, and certificate gaps your auditor will find if you don't.

The Problem: You Have a Vendor List. You Don't Have a Defensible Vendor Risk Program.

Your GRC tool — Vanta, Drata, or similar — gives you a vendor register and a set of due dates. It auto-populates risk assessments, suggests classifications, and tells you when reviews are overdue.

What it does not do is think.

Your GRC tool doesn't tell you whether a vendor classified as low-risk actually warrants that classification. It doesn't flag when an AI-generated control answer doesn't match the SOC 2 report it was drawn from. It doesn't check whether an ISO 27001 certificate covers the systems your organization actually relies on — or whether the controls that matter to you were quietly excluded from scope.

Your auditor will check all of these things. The question is whether you find the gaps first.

Three things your GRC tool misses:

Inaccurate AI-generated assessments
GRC platforms are beginning to auto-populate vendor risk answers by reading SOC 2 reports. The feature is useful in theory. In practice, the outputs can be incomplete, attributed to the wrong control or the wrong section of the report, or simply wrong, and most teams accept them without checking them against the report itself.

Complementary user entity controls nobody is checking
SOC 2 reports don't just describe the controls your vendor operates. They also list the controls the vendor assumes your organization has in place, without which the vendor's own controls do not achieve their stated objectives. These complementary user entity controls are your responsibility, but they're routinely overlooked.

ISO 27001 certificates taken at face value
A certificate tells you that a vendor passed an audit. On its own it doesn't tell you what was in scope, which controls were excluded, or whether any of that is relevant to how your organization uses the vendor. The certificate's scope statement and the Statement of Applicability do, but almost nobody reads them.

The Solution: A Review You Can Show Your Auditor. Built on What's Actually in the Reports.

We work from your existing GRC tool vendor list.

We review the source material (SOC 2 reports, complementary user entity controls, ISO 27001 certificates and their scope statements, and Statements of Applicability) and produce a corrected, documented vendor risk register with defensible tiering rationale and a review cadence that matches each vendor's actual risk level.

No guesswork. No generic templates. No "annual review for everything" or other tool defaults left in place.

We don’t have the bandwidth to do this. Can you make this a priority to make sure we are ready for the audit?
— SaaS Company CTO

What the review covers:

Vendor risk tiering validation
We review your existing classifications against documented criteria — and correct them where the rationale doesn't hold up under audit scrutiny.

SOC 2 report review
We read the actual reports, not the tool's summary of them. We flag inaccurate or hallucinated control assessments and identify complementary user entity controls your team needs to implement.

ISO 27001 scope and SoA review
For vendors presenting an ISO 27001 certificate, we go beyond the certificate. We review what's in scope, what controls are excluded, and whether any exclusions are material to your use of that vendor.

Corrected vendor risk register
The output is a structured, audit-ready document — tiering rationale, review cadence per vendor, and flagged gaps* — ready to present to your auditor or compliance team.

(*) Note: All assessments are point-in-time reviews based on available documentation. Risk acceptance remains with your organization.

Is This Right for You?

This service is for companies that:

  • Hold ISO 27001 certification or a SOC 2 attestation and are approaching a surveillance audit or renewal

  • Use a supported GRC tool to manage their vendor program (Vanta, Drata, or similar — contact us to confirm compatibility)

  • Have an internal team that manages vendor reviews but lacks the expertise to validate what the tool produces

  • Need a defensible, documented vendor risk register — not just a completed checklist

Not a fit if:

  • You don't yet have a GRC tool in place (start with our vCISO Partner engagement)

  • You're pre-certification (you need our Compliance Lead first)

  • You need someone to run your vendor program operationally on an ongoing basis (that's vCISO Partner territory)

Pricing

Full Assessment:
From €4,500

Includes:

  • Review of up to 12 vendors* from your GRC tool vendor list

  • SOC 2 report review per vendor — including complementary user entity control identification

  • ISO 27001 scope and Statement of Applicability review where applicable

  • Corrected vendor risk register with tiering rationale and cadence recommendations — audit-ready

  • Single point of contact throughout, with direct access to your reviewing consultant

  • Delivered within an agreed timeframe ahead of your audit window

(*) Additional vendors: €350 per vendor.

Your audit window won't wait. Neither should your vendor reviews.