IT and procurement teams manage the largest number of vendor relationships in any organisation. When those relationships are undocumented, the security findings sit in IT and the contract details sit in procurement, and neither team can act on what the other knows. Supplier Shield gives both teams a shared, structured view of every vendor relationship.
§ The challenge
When vendor assessments run on email and spreadsheets, the output is inconsistent, the evidence is lost, and the team is always reacting, never ahead.
Questionnaires go out by email. Responses trickle back over weeks. Answers are pasted into spreadsheets with no scoring logic. The next cycle starts from scratch. There is no institutional knowledge, no version history, and no way to compare one vendor's posture against another.
IT completes a security assessment and files the findings in a shared drive. Three months later, procurement renews the same vendor's contract without knowing there are unresolved findings. The risk exists in the system, but it never reaches the decision that would have changed the outcome.
After an assessment surfaces a finding, an email is sent. Maybe a ticket is raised. Follow-through depends entirely on individual initiative. When an auditor later asks "what did you do about the finding on vendor X?", the answer is a search through old emails, not a system of record.
§ How we help
Structured intake, automated assessment cycles, shared risk visibility, and a complete, versioned evidence trail, without months of implementation or professional services.
Send framework-aligned questionnaires and collect evidence without manual follow-up.
Define your vendor tiers, select from 50+ pre-built framework templates (ISO 27001, SOC 2, NIST CSF, NIS2, DORA, PCI-DSS, CIS Controls, and more) or build your own, then trigger automated outreach. Responses are scored, gaps are surfaced, and your team sees a prioritised risk queue, not an inbox full of PDFs.
Security findings and contract status visible from the same supplier record.
IT sees security risk scores and open findings. Procurement sees contract review dates and commercial flags. Both teams work from the same record. When a new contract is proposed, procurement checks the live risk posture before signing, without waiting for an IT briefing.
Every finding, every action, every deadline: versioned, timestamped, and exportable.
Assign findings to named owners. Set resolution deadlines. Track progress in the platform. Every status change is logged with a timestamp and the user who made it. When a regulator, internal auditor, or ISO certification body asks for evidence of your remediation programme, you export the full log in one click.
§ Why us
Email questionnaires get ignored because vendors do not want to create another account. Supplier Shield removes the barrier: vendors receive a secure, time-limited link and complete the assessment in their browser. Automated reminders follow up on your behalf. No chasing required from your team.
IT does not need another tool that requires months of professional services. Import your vendor list, select your assessment framework, configure tiering, and send your first questionnaire, all in the same session. Most teams complete their initial register and first assessment cycle within two to four weeks.
Acuna GRC platform pricing is by vendor count tier, not by seat. Every team member in IT, procurement, risk, and compliance is covered at no extra cost. Supplier Shield TPRM is an add-on module on top of the platform. Published tiers on the pricing page. No sales cycle needed to get a number.
§ Regulatory obligations
Supplier Shield ships with pre-built templates for all of these. Use them as-is, modify them, or combine them for multi-framework assessment cycles.
ISO 27001:2022 clauses 5.19–5.22 require documented policies and procedures for managing information security risk in supplier relationships. Supplier Shield structures the assessment, evidence collection, and ongoing monitoring required by each clause.
If your organisation is in scope for NIS2, you must assess and manage security risks across your ICT supply chain on an ongoing basis, not just at contract signing. Supplier Shield covers both the initial onboarding assessment and the recurring monitoring required by Art. 21.
For IT teams at financial entities, DORA Articles 28–44 set specific requirements for ICT vendor contracts, criticality assessment, and concentration risk monitoring. Supplier Shield covers all three.
SOC 2 Type II and ISAE 3402 auditors review your third-party due diligence programme. Supplier Shield provides the structured evidence trail: questionnaires sent, responses received, findings remediated.
§ Acuna GRC
Supplier Shield is the TPRM module inside Acuna GRC. When IT and procurement assessments surface issues, they connect directly to the broader risk register, internal audit workflows, and data protection programme, all on one Swiss-hosted platform.
§ Platform capabilities
Supplier Shield is the TPRM module inside Acuna GRC. Here is what the full platform means in practice for IT and procurement teams replacing spreadsheet-driven vendor governance.
Instead of manually researching each vendor's security posture before an assessment, Acuna automatically scans every supplier for breach exposure, DNS hygiene, TLS configuration, and web security. You start each assessment knowing the vendor's external-facing risk grade, so procurement decisions are informed before the questionnaire even goes out.
Launch a full vendor assessment cycle in one session: choose your template (ISO 27001, NIS2, DORA, custom), select your supplier group, personalise the outreach, and hit send. Completion is tracked per vendor in a single dashboard. Automated reminders go out on your behalf. No spreadsheet of "sent / replied / overdue" to maintain.
IT teams consistently fall behind on periodic vendor reviews because there is no system to trigger them. In Acuna, you configure recurring assessment cycles: annual for standard vendors, quarterly for critical suppliers. The platform schedules, notifies, and tracks completion automatically.
Ask Aiko: "Which vendors are overdue for reassessment?" or "Which of our cloud suppliers have a security grade below B and access to production data?" Answers from your live vendor register in seconds. Vendor risk reporting that used to take hours becomes a 30-second query.
The platform ships with 50+ pre-built assessment templates covering every major GRC framework. When a vendor assessment satisfies ISO 27001:2022 clauses 5.19–5.22, it simultaneously generates evidence for NIS2 and DORA supplier obligations, if those apply. One vendor questionnaire, multiple compliance outcomes. No separate assessment streams per framework, no duplicated effort.
Full platform overview: Acuna GRC cloud platform
§ FAQ
Most teams complete their initial vendor register and first assessment cycle within two to four weeks. The timeline depends on your vendor list size and how much tiering configuration you need. There is no custom development and no infrastructure project: you import your vendor list, configure tiering, and start sending assessments in the same session.
Yes. The platform ships with 50+ pre-built templates covering ISO 27001, SOC 2, NIS2, DORA, NIST CSF, PCI-DSS, GDPR, CIS Controls, and more. You can use any template as-is, modify it, or build entirely custom questionnaires. All templates are stored in the platform, versioned per edit, and reusable across your full vendor roster.
Questionnaire responses are scored against configurable criteria. Each question can carry a weight based on risk impact. The platform produces a residual risk score per vendor, a comparison view across your portfolio, and a prioritised remediation queue for your team.
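The following is an added illustration of the kind of weighted scoring this answer describes; it is not Supplier Shield's or Acuna GRC's own scoring logic. The questions, weights, answer-to-coverage mapping, the rule that an unanswered question counts as "no", and the three vendors' responses are all constructed for the example. It shows how per-question weights turn into a residual risk score per vendor, a portfolio comparison, and a remediation queue ordered by the size of each gap.

```python
"""Illustrative weighted questionnaire scoring (constructed example).

Not the product's own algorithm. Weights, answer values, and vendor
responses are constructed to show the mechanics end to end.
"""
from dataclasses import dataclass

# Each answer maps to a coverage fraction: how fully the control is in place.
# None means "not applicable": the question is excluded from the denominator.
ANSWER_VALUE = {"yes": 1.0, "partial": 0.5, "no": 0.0, "n/a": None}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int  # 1 (low risk impact) .. 5 (high risk impact), constructed scale


# Constructed questionnaire: five controls with different risk weights.
QUESTIONS = [
    Question("Q1", "MFA enforced for all administrative access", 5),
    Question("Q2", "Customer data encrypted at rest", 4),
    Question("Q3", "Independent penetration test in the last 12 months", 3),
    Question("Q4", "Annual security awareness training for staff", 2),
    Question("Q5", "Sub-processor list maintained and shared on request", 1),
]

# Constructed responses keyed by vendor, then by question id.
RESPONSES = {
    "Vendor A": {"Q1": "yes", "Q2": "yes", "Q3": "partial", "Q4": "yes", "Q5": "n/a"},
    "Vendor B": {"Q1": "no", "Q2": "partial", "Q3": "no", "Q4": "yes"},  # Q5 unanswered
    "Vendor C": {"Q1": "yes", "Q2": "yes", "Q3": "yes", "Q4": "yes", "Q5": "yes"},
}


def score_vendor(questions, answers):
    """Return (residual_score, gaps) for one vendor.

    residual_score is 0..100: the share of total applicable weight that the
    vendor's answers do not cover (higher means more residual risk).
    Constructed rule: an unanswered question is treated as "no", so silence
    never improves a score. Each gap records the weight not covered.
    """
    total_weight = 0.0
    uncovered_weight = 0.0
    gaps = []
    for q in questions:
        answer = answers.get(q.qid, "no")
        if answer not in ANSWER_VALUE:
            raise ValueError(f"{q.qid}: unknown answer {answer!r}")
        coverage = ANSWER_VALUE[answer]
        if coverage is None:  # n/a: leave out of numerator and denominator
            continue
        total_weight += q.weight
        shortfall = q.weight * (1.0 - coverage)
        uncovered_weight += shortfall
        if shortfall > 0:
            gaps.append({"qid": q.qid, "text": q.text, "shortfall": shortfall})
    if total_weight == 0:
        return 0.0, []
    return round(100.0 * uncovered_weight / total_weight, 1), gaps


def portfolio_view(questions, responses):
    """Residual score per vendor, highest risk first, for side-by-side comparison."""
    scored = {v: score_vendor(questions, a)[0] for v, a in responses.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


def remediation_queue(questions, responses):
    """Prioritised list of (vendor, qid, shortfall) across the whole portfolio.

    Ordered by uncovered weight (largest first), then vendor and question id,
    so the team works the heaviest gaps before the light ones.
    """
    queue = []
    for vendor, answers in responses.items():
        _, gaps = score_vendor(questions, answers)
        queue.extend((vendor, g["qid"], g["shortfall"]) for g in gaps)
    return sorted(queue, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for vendor, score in portfolio_view(QUESTIONS, RESPONSES):
        print(f"{vendor}: residual risk {score}")
    print("Remediation queue:")
    for vendor, qid, shortfall in remediation_queue(QUESTIONS, RESPONSES):
        print(f"  {vendor} {qid} (uncovered weight {shortfall})")
```

Two design choices matter in practice: the denominator only counts applicable questions, so a vendor is not penalised for controls that genuinely do not apply, while an unanswered question counts as "no", so an incomplete submission cannot read as a clean one.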
No. Vendors receive a secure, time-limited link to complete their assessment in a browser. No account creation, no software installation required on their side. Removing the login barrier is the single biggest driver of faster response rates.
Supplier Shield connects to your existing environment via REST API and supports webhook-based event triggers. This means you can push vendor records from your procurement system, trigger assessments from onboarding workflows, and pull risk scores into your GRC or ticketing tool. For teams running ServiceNow, Jira, or similar, our implementation team handles the connection mapping.
Spreadsheets have no scoring logic, no automated follow-up, no version history, no audit trail, and no shared access across teams. Supplier Shield replaces all of that with structured assessments, a versioned evidence store, and one-click audit reporting. The workflow is the same: you define the vendor, select the framework, and collect responses. The difference is that nothing falls through the cracks.
Book a session with our team. We will walk through your current vendor landscape and show you exactly where Supplier Shield adds structure without a lengthy implementation.