🏒 Supplier Management

"Manage vendors, contracts, dependencies, and risks in one place."
Track obligations, document ownership, and ensure compliance with regulations like NIS2 and DORA.


Third-party vendors are a frequent source of security and privacy risks. Brainframe GRC provides a centralized Supplier Management feature that not only documents suppliers but also maps their dependencies up to four levels deep, making compliance with regulations like DORA achievable.


📌 Brainframe lets you visualize the entire supplier chain — including critical dependencies.



1️⃣ Vendor Overview



The Vendor menu centralizes all supplier information. The general workflow:

  1. Create dedicated folders for each vendor.
  2. Store information inside with one main document (Supplier or subcontractor).
  3. Link this document to related records — such as Data Processing Agreements, NDAs, Terms & Conditions, risks, or vulnerabilities.




2️⃣ Supplier Hierarchy View



The Hierarchy view enables you to:

  • Visualize the dependency chain of suppliers.
  • Document potential business impact if a supplier is compromised.




3️⃣ Creating a New Supplier



  1. Enter the supplier name or select an existing one.
  2. Store basic information (expand later as needed).
  3. Once saved, it appears in your supplier list and you can add information on how it relates to your operations.




4️⃣ Add Supporting Assets


Supporting assets are resources dependent on the supplier. If disrupted, they can directly impact operations.



  • Click the [+] next to the supplier’s name. This opens a window where you can link an existing document, or pick a document of a certain type to create.
  • Choose the document type, fill in details, and link it to the supplier.




5️⃣ Add Existing Assets as Vendors


If a vendor document exists but isn’t yet linked:



  • Click the three dots on the document.
  • Select Add to → Add as vendor.



6️⃣ Supplier List View


The List view provides a spreadsheet-style overview of all suppliers:





Key features include:

  1. Create new vendors.
  2. Search and filter vendors.
  3. Load additional risk information like properties and last readings, and add a color to the different risks.
  4. Configure the columns that are shown and export to Excel.
  5. List of vendor documents (click to open).
  6. Track and select checklist stage (Kanban).
  7. View RACI ownership.
  8. View linked tasks.
  9. See related supporting assets, generated automatically from the assets you linked to the supplier.
  10. View linked documents.
  11. Free text field that allows you to define business requirements (e.g. RTO, RPO).
  12. Review vendor-related risks.


📌 Editing vendors works like editing assets.



7️⃣ Supplier Management in Processes



From the List view, track supplier lifecycle stages with the Workbench Kanban.



8️⃣ Documenting Ownership (RACI Model)


Define responsibilities clearly with the RACI model:

  • Responsible (R): Executes the work.
  • Accountable (A): Ultimately owns the outcome.
  • Consulted (C): Provides expertise.
  • Informed (I): Stays updated.





Vendors can have linked tasks, visible in both the supplier record and the Tasks module.



🔟 Supporting Assets



Document all assets dependent on a supplier to build a clear dependency chain.
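As an added illustration (not Brainframe code), the Python below models the dependency chain that the Hierarchy view and the supporting-asset links describe, with the four-level limit mentioned in the introduction, and answers the question those views support: which supporting assets are hit, and how quickly they must recover, if one (sub)contractor is compromised. All supplier and asset names are constructed sample data.

```python
from collections import deque

# Constructed sample data (not a real supplier list): each supplier maps to the
# subcontractors it depends on, i.e. the next tier down the chain.
SUBCONTRACTORS = {
    "payroll-saas": ["cloud-host"],
    "cloud-host": ["dc-operator"],
    "dc-operator": ["power-utility", "fiber-carrier"],
    "fiber-carrier": ["cable-consortium"],
    "cable-consortium": ["cable-ship-operator"],
    "cable-ship-operator": [],
    "power-utility": [],
}
# Supporting assets: asset -> (supplier it runs on, documented RTO in hours).
SUPPORTING_ASSETS = {
    "payroll-run": ("payroll-saas", 24),
    "customer-portal": ("cloud-host", 4),
    "backup-vault": ("dc-operator", 48),
}
MAX_DEPTH = 4  # tiers the Hierarchy view maps

def dependants(edges):
    """Invert the chain: subcontractor -> the suppliers that depend on it."""
    rev = {}
    for sup, subs in edges.items():
        for sub in subs:
            rev.setdefault(sub, []).append(sup)
    return rev

def impact_of(compromised, edges=SUBCONTRACTORS, assets=SUPPORTING_ASSETS,
              max_depth=MAX_DEPTH):
    """Walk up from a compromised (sub)contractor to every supplier that
    transitively depends on it, at most max_depth tiers away. Returns
    (tier distance per affected supplier, affected assets sorted by RTO with
    the tightest first, suppliers beyond the depth limit = undocumented exposure)."""
    rev = dependants(edges)
    tier, cut_off, queue = {compromised: 0}, set(), deque([compromised])
    while queue:
        cur = queue.popleft()
        for up in rev.get(cur, []):
            if up in tier:
                continue
            if tier[cur] + 1 > max_depth:
                cut_off.add(up)      # beyond the documented chain: flag it
                continue
            tier[up] = tier[cur] + 1
            queue.append(up)
    hit = sorted((rto, name, sup) for name, (sup, rto) in assets.items() if sup in tier)
    return tier, [(name, sup, rto) for rto, name, sup in hit], cut_off
```

Suppliers reported in the third return value depend on the compromised party but sit past the fourth tier, which is exactly the gap the hierarchy documentation is meant to close.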



1️⃣1️⃣ Document Management


Maintain supplier-related documentation:



  • Audit reports
  • NDAs
  • Terms & conditions
  • Due diligence evidence


📌 Vendor-specific documents are stored in dedicated folders but also visible in the central list view.



1️⃣2️⃣ Business Requirements


Capture operational requirements for each supplier. Example (ISO 27001):


  • 🔒 Confidentiality – Prevent unauthorized access.
  • 📊 Integrity – Ensure data/process accuracy.
  • 🌐 Availability – Define uptime requirements.
  • 📜 Proof – Document evidence needed by auditors/regulators.
  • ⏱ RTO – Max downtime allowed.
  • 💾 RPO – Max acceptable data loss.
  • ⚖ Regulatory – Requirements based on data type or geography.


1️⃣3️⃣ Best Practices


  • 🗂 Dedicate folders for each supplier to keep records organized.
  • 🔗 Always link documents (DPAs, NDAs, risks) to the supplier file.
  • 🌳 Use hierarchy view to identify critical dependencies across tiers.
  • 📝 Define RACI ownership early to avoid confusion in audits.



🎯 Visual Checklist


  • [x] Supplier created with dedicated folder
  • [x] Vendor linked to contracts and risks
  • [ ] Supporting assets documented and connected
  • [ ] Supplier lifecycle stage tracked in Workbench
  • [ ] Business requirements (RTO/RPO) defined


Updated on: 05/09/2025
