Recipe: Vendor review writer

Automate structured vendor security reviews with Meridian's evidence-first workflow.

Overview

This recipe walks through building a repeatable vendor review pipeline. Meridian collects artifacts — SOC 2 reports, pentest summaries, data-flow diagrams — and maps them against your control framework before generating a scored review document.

Ingredients

  • Vendor intake form (Meridian template)
  • Control framework mapping (SOC 2, ISO 27001, or custom)
  • Evidence collection ruleset
  • Review output template

Steps

  1. Create intake. Deploy the vendor questionnaire from the Meridian template library. Customize fields for data classification and access scope.
  2. Map controls. Link each questionnaire section to your control framework. Meridian auto-suggests mappings for common standards.
  3. Collect evidence. Attach SOC 2 Type II reports, penetration test summaries, and architecture diagrams. Meridian validates file integrity on upload.
  4. Score & review. Run the scoring engine. Flag gaps automatically and assign remediation owners.
  5. Generate report. Export a branded PDF with executive summary, control-by-control scores, and evidence references.
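The control mapping, integrity check and gap scoring from steps 2 to 4, reduced to a small working illustration. This is an added example, not Meridian's code or API: the control IDs, questionnaire sections, evidence bytes and the all-or-nothing scoring rule are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Step 2, constructed sample: questionnaire section -> control IDs it maps to.
CONTROL_MAP = {
    "access_control": ["CC6.1", "CC6.2"],
    "change_management": ["CC8.1"],
    "incident_response": ["CC7.3"],
}

@dataclass
class Evidence:
    control_id: str
    name: str
    content: bytes        # the uploaded artifact (constructed inline below)
    expected_sha256: str  # digest recorded when the artifact was registered

    def verify(self) -> bool:
        # Step 3: an artifact only counts if its current digest matches the recorded one
        return hashlib.sha256(self.content).hexdigest() == self.expected_sha256

def score_review(control_map, evidence):
    """Step 4 (assumed rule): a control scores 1.0 when at least one evidence item
    that passes the integrity check is attached to it, otherwise 0.0 and it is a gap."""
    verified = {}
    for item in evidence:
        verified.setdefault(item.control_id, []).append(item.verify())
    scores, gaps = {}, []
    for section, controls in control_map.items():
        for cid in controls:
            ok = any(verified.get(cid, []))
            scores[cid] = 1.0 if ok else 0.0
            if not ok:
                gaps.append((section, cid))
    overall = sum(scores.values()) / len(scores) if scores else 0.0
    return {"scores": scores, "gaps": gaps, "overall": overall}

# Constructed sample artifacts standing in for the real reports.
SOC2 = b"SOC 2 Type II report (constructed sample)"
PENTEST = b"Penetration test summary (constructed sample)"
SAMPLE_EVIDENCE = [
    Evidence("CC6.1", "soc2.pdf", SOC2, hashlib.sha256(SOC2).hexdigest()),
    # Content changed after its digest was recorded: fails integrity, so CC8.1 stays a gap.
    Evidence("CC8.1", "pentest.pdf", PENTEST + b"\x00", hashlib.sha256(PENTEST).hexdigest()),
]

if __name__ == "__main__":
    result = score_review(CONTROL_MAP, SAMPLE_EVIDENCE)
    print(result["overall"], result["gaps"])
```

A tampered or re-uploaded artifact therefore lowers the score instead of silently satisfying a control, which is the behaviour the integrity check in step 3 exists to guarantee.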

Output

A single PDF containing the vendor risk score, control gap analysis, and a complete evidence appendix. Ready for auditor review or board presentation.

Pro tip: Schedule recurring reviews via Meridian triggers. Vendors with access to sensitive data should be re-reviewed quarterly.