Cybersecurity & GRC Consulting

Strengthening Cybersecurity.
Enabling Compliance.
Building Trust.

Secure91 provides practical cybersecurity and compliance solutions to help organizations identify risks, strengthen security controls, and prepare for industry-recognized frameworks.
Your security is our priority.

Want a live platform walkthrough? A Secure91 consultant will demo VendorGuard and answer your questions — free, no obligation.

Already have an account?

Jump straight into the platform — dashboard, discovery, threat feed & AI copilot.

Risk Score

ISO 27001

Certified Methodology

Compliance Frameworks

60s

Vendor Risk Scan

Core Service Areas

24/7

Threat Monitoring

What We Do

Three Areas. Maximum Impact.

We focus where organisations face the greatest exposure — and where expert guidance delivers measurable, lasting results.

🔍

Cybersecurity Assessments

Know exactly where you stand. A clear report and roadmap — yours to act on.

You can't protect what you haven't measured. We give your organisation an independent, evidence-based picture of your current security posture — identifying gaps, rating risks by severity, and delivering a structured report and roadmap. Remediation is carried out by your team.

⚡ Network architecture and access controls

⚡ Identity and privilege management

⚡ Cloud and hybrid environment security

⚡ Incident detection and response capabilities

⚡ Severity-rated findings report + remediation roadmap

⚡ Executive summary for board or leadership

Assessment and advisory only. Implementation is carried out by your team.

📋

Compliance Readiness

Understand exactly where you stand against the frameworks that matter.

We independently assess your posture against ISO 27001, SOC 2, POPIA, or GDPR — identifying every gap, rating it by severity, and delivering a prioritised recommendations report. We advise on what needs to be done and in what order. Your team carries out the work.

ISO 27001

SOC 2

POPIA

⚡ Control-by-control gap analysis vs your framework

⚡ Every gap rated Critical / High / Medium / Low

⚡ Prioritised recommendations report

⚡ Executive summary for board or leadership

⚡ Debrief session with your team

Assessment and advisory only. Policy drafting, control implementation, and evidence building are your responsibility.

🔗

Third-Party Risk Management

Your vendors are part of your attack surface. Manage them like it.

VendorGuard is our AI-powered vendor risk intelligence platform. It scans any supplier in seconds — pulling real CVE data, SSL certificate history, and internet exposure signals — and produces an ISO 27001-aligned risk report your auditor will accept.

⚡ AI risk score with 6-domain breakdown

⚡ Live CVE data from NVD NIST

⚡ ISO 27001 Annex A.15 evidence table

⚡ Remediation roadmap per vendor

⚡ Full vendor register with lifecycle tracking

Vendor Risk Intelligence Platform

Introducing VendorGuard

The only vendor risk platform built specifically for GRC teams who need audit-ready reports without the six-week questionnaire process.

🌐

Real Intelligence. Not Estimates.

Every scan queries live public security databases in parallel — NVD NIST for CVEs, crt.sh for SSL certificate history, and Shodan InternetDB for internet exposure. AI analysis sits on top of real signals, not assumptions.

📊

Audit-Ready Reports in 60 Seconds

Each report includes an overall risk score, six-domain breakdown, critical findings with severity, a step-by-step remediation roadmap, and a fully mapped ISO 27001 Annex A.15 evidence table — ready for your next audit.

🔌

Connects to Your Existing Systems

VendorGuard integrates with SAP, Salesforce, ServiceNow, Jira, Google Sheets and 8 other platforms — automatically importing your vendor register and keeping it current.

🤖

AI Copilot for Your Portfolio

Ask plain-English questions about your entire vendor portfolio. "Which vendors are highest risk?" "Which ones lack ISO 27001 certification?" Get answers instantly, without pulling a report.

Free to start

See VendorGuard in action

Scan any vendor in 60 seconds. No account required for your first report.

Pricing

Starter — Free · 3 scans/month

Pay As You Go — R399/scan

Business — R2,500/month

Enterprise — Custom pricing

How VendorGuard Works

From Vendor Import to Audit-Ready Report in Minutes

A complete third-party risk management workflow — built for GRC teams, CISOs, and procurement professionals who need answers fast.

🔗

Connect Your Systems

Link VendorGuard to your existing platforms — SAP, Salesforce, ServiceNow, Jira, Google Sheets or any REST API. Your vendor list imports automatically on every sync.

Integrations module

📋

Build Your Vendor Register

All your vendors — existing suppliers, new candidates, and imported records — centralised in one live register with lifecycle stages and risk scores.

Vendor Register module

🔍

Run AI Risk Assessments

Choose New Vendor for pre-contract due diligence or Existing Vendor for periodic review. Complete a structured 13-question assessment — the AI handles the analysis.

New Scan — single or batch

🌐

Real Data from Live Sources

Every scan queries NVD NIST for CVEs, crt.sh for SSL certificate history, and Shodan for internet exposure. AI analysis on top of real signals — not guesswork.

NVD · crt.sh · Shodan InternetDB

📊

Get Actionable Risk Reports

Overall risk score, 6-domain breakdown, critical findings with severity, a step-by-step remediation roadmap, and ISO 27001 Annex A.15 evidence table — audit ready.

Full report · PDF export

📡

Monitor Continuously

The Threat Intelligence feed monitors breach databases, CVE disclosures, and security news for all your vendors. The AI Copilot answers portfolio questions in plain English.

Threat Feed · AI Copilot

Connect Platforms

→

Import Vendors

→

Run Assessments

→

Get Reports

→

Monitor Ongoing

Simple Pricing

Transparent Plans for Every Organisation

Start free and scale as you grow. Transparent pricing, no hidden fees, no long-term contracts. Currency is set automatically when you sign up.

Starter

Free forever · no card required

3 vendor scans per month
Basic risk score (0–100)
High / Medium / Low rating
NVD CVE database check
No detailed findings breakdown
No remediation roadmap
No PDF report export

Perfect for small teams exploring vendor risk

Pay As You Go

R399/scan

No subscription · pay per scan

Full AI risk report
6-domain risk breakdown
Critical findings + severity
Remediation roadmap
Contract clause recommendations
ISO 27001 Annex A.15 evidence
PDF export

Ideal for once-off due diligence before signing

Tell Us About Your Vendor

Vendor

Context

Scanning

Results

Step 01 — Vendor Details

Which vendor would you like to assess?

Enter the company name or domain — e.g. salesforce.com for better real-data results

Step 02 — Assessment Purpose

What is this assessment for?

Choose one — the report will be tailored to your situation. Selecting will continue automatically.

🆕

Pre-Onboarding

New Vendor

You're evaluating this vendor before signing a contract.

✓ Due diligence before onboarding

✓ Go / no-go risk verdict

✓ Contract clause recommendations

✓ ISO 27001 Annex A.15 evidence

🔄

Periodic Review

Existing Vendor

This vendor is already in your supply chain.

✓ Annual compliance re-assessment

✓ Post-incident re-evaluation

✓ Contract renewal review

✓ POPIA & ISO 27001 audit evidence

Section 01 — Vendor Profile · Question 1 of 2

What category best describes this vendor? (Select all that apply)

☁️ SaaS / Software platformSaaS / Cloud SoftwareSoftware accessed via the internet, like Salesforce or Slack. Usually stores your data on the vendor's servers — you have limited visibility into their infrastructure.

🖥️ Cloud infrastructure / HostingCloud InfrastructureProvides servers, storage, and networking. Examples: AWS, Azure, Google Cloud. Often handles large volumes of data with significant access privileges.

💰 Payroll / HR servicesPayroll & HRProcesses employee salaries, tax submissions, and HR records. Holds highly sensitive personal and financial data requiring strong protections.

💳 Payment processing / FintechPayment ProcessingHandles credit card and bank transaction data. Subject to PCI DSS — one of the strictest security standards globally.

🔧 IT services / Managed servicesIT / Managed ServicesProvides IT support or managed security services, often with deep network and system access. Requires careful access control.

🤝 Consulting / Professional servicesConsulting / AdvisoryProvides expert advice and may access confidential business strategies, financial data, or sensitive documents. NDA is essential.

📦 Logistics / Supply chainLogistics / Supply ChainManages deliveries or warehousing. Often holds customer names, addresses, and order data.

📢 Marketing / CRM / AnalyticsMarketing / CRMManages customer data for campaigns and analytics, often integrated directly with your customer database.

Section 01 — Vendor Profile · Question 2 of 2

Where is the vendor headquartered / where is your data processed? (Select all that apply)

🇿🇦 South AfricaSouth AfricaData processed in SA falls under POPIA. Local vendors are subject to SA cybersecurity laws and Information Regulator oversight.

🌍 Africa (other)Africa (Other)Several African countries have new data protection laws (e.g. Nigeria NDPA, Kenya PDPA). Requirements vary — verify country-specific obligations.

🇪🇺 European Union / EEAEuropean Union / EEAEU processing triggers GDPR. Transferring data to the EU requires adequacy decisions or Standard Contractual Clauses (SCCs).

🇬🇧 United KingdomUnited KingdomPost-Brexit, the UK has its own UK GDPR — similar to EU GDPR but a separate legal framework. Requires its own transfer mechanisms.

🇺🇸 United StatesUnited StatesNo single federal privacy law, but state laws apply (e.g. CCPA in California). Data transfers from SA/EU require legal safeguards.

🌏 Asia PacificAsia PacificVaried privacy regimes across the region — PDPA in Singapore and Thailand, APPs in Australia. Always verify country-specific requirements.

❓ Unknown / Not confirmedLocation UnknownNot knowing where data is processed is itself a compliance risk. POPIA and GDPR require you to know and document data flows.

Section 02 — Data Access · Question 1 of 2

What types of data does this vendor access, process, or store? (Select all that apply)

👤 Personal identifiable information (names, emails, IDs)Personal Information (PII)Names, email addresses, ID numbers, and contact details. Regulated under POPIA and GDPR — requires lawful basis for processing.

💳 Financial or payment card dataFinancial / Payment DataBank accounts, credit card numbers, salary data. Heavily regulated under PCI DSS, POPIA, and financial services laws.

🏥 Health or medical dataHealth / Medical DataSpecial category / sensitive data under POPIA Section 26 and GDPR Article 9. Requires explicit consent and extra safeguards.

👥 Employee or HR dataEmployee / HR DataPayroll records, performance reviews, disciplinary records. Subject to labour law and privacy regulations.

🔑 Credentials or authentication dataCredentials / Auth DataUsernames, passwords, API keys, and tokens. Exposure can lead to full system compromise — highest sensitivity.

💡 Intellectual property / source codeIntellectual PropertySource code, patents, trade secrets, or proprietary processes. Compromise can cause lasting competitive damage.

🔒 Confidential business dataConfidential Business DataBusiness strategies, contracts, M&A plans, or financial projections. Should always be protected by a signed NDA.

🚫 No sensitive data accessNo Sensitive DataIf the vendor has no sensitive data access, privacy risk is lower — but operational and security risk may still apply.

Section 02 — Data Access · Question 2 of 2

Approximately how many data subjects' records does this vendor have access to?

👤 Fewer than 100 recordsUnder 100 RecordsLowest exposure. Still requires appropriate safeguards, but regulatory notification obligations are less likely to be triggered.

👥 100 – 10,000 records100 – 10,000 RecordsAt this scale a breach could meaningfully affect individuals. Notification obligations under POPIA/GDPR may apply.

🏢 10,000 – 1 million records10,000 – 1 Million RecordsLarge-scale breaches at this level require mandatory regulatory notification and can result in significant fines.

🌐 More than 1 million recordsOver 1 Million RecordsHighest regulatory scrutiny. A breach here would trigger immediate notification obligations and likely regulatory investigation.

❓ UnknownVolume UnknownNot knowing the data volume is a gap. Request this from the vendor — it affects your POPIA/GDPR notification obligations.

Section 03 — Security Controls · Question 1 of 3

Which security certifications or standards does the vendor claim to hold? (Select all that apply)

📋 ISO 27001 — Information Security ManagementISO 27001The global gold standard for information security management. Requires annual audits by an accredited body. Ask for the certificate and verify it.

🔐 SOC 2 Type I or Type IISOC 2A US-origin audit against Trust Services Criteria (Security, Availability, Confidentiality, Privacy). Type II covers a 6–12 month period.

⭐ CSA STAR — Cloud SecurityCSA STAR – Cloud SecurityCloud Security Alliance certification covering cloud-specific risks. Important for SaaS and cloud infrastructure vendors.

💳 PCI DSS — Payment Card IndustryPCI DSSMandatory for vendors touching payment card data. Has 12 core requirements and is enforced by card networks — non-compliance can result in fines.

✅ ISO 9001 — Quality ManagementISO 9001 – QualityQuality management standard — not security-specific, but indicates process maturity and a culture of continuous improvement.

❌ None that I am aware ofNo CertificationsA significant risk indicator. Without certifications, request a completed security questionnaire or recent third-party audit report.

❓ Unknown — not confirmedCertification UnknownYou should always verify this before onboarding. Ask the vendor directly and validate with the issuing certification body.

Section 03 — Security Controls · Question 2 of 3

What security controls has the vendor confirmed or evidenced? (Select all that apply)

🔐 Multi-factor authentication (MFA)Multi-Factor AuthenticationRequires a second verification step beyond a password. Prevents unauthorised access even if credentials are stolen.

🔒 Data encryption at rest and in transitEncryptionEncryption at rest protects stored data files; in transit protects data moving between systems (e.g. TLS 1.2+). Both are required.

🎯 Annual penetration testingPenetration TestingSimulated cyberattacks by ethical hackers to identify vulnerabilities. Annual testing is considered minimum good practice.

🛡️ Vulnerability management programmeVulnerability ManagementA formal programme to discover, prioritise, and patch known security weaknesses in software and systems.

🚨 Incident response planIncident Response PlanA documented procedure for handling security breaches. Required for POPIA breach notification within 72 hours.

🎓 Security awareness training for staffSecurity Awareness TrainingRegular training dramatically reduces phishing and social engineering risk — the most common attack vectors.

❌ None confirmedNo Controls ConfirmedA critical gap. Request the vendor's Information Security Policy and most recent risk assessment as a minimum.

❓ Not yet assessedControls Not AssessedUnassessed = unmanaged risk. Add control verification to your vendor onboarding checklist.

Section 03 — Security Controls · Question 3 of 3

How does this vendor access your systems or data? (Select all that apply)

🔌 API integrationAPI IntegrationProgrammatic access to read/write your data. Review exactly which API scopes and permissions are granted — apply least privilege.

🌐 VPN / Remote accessVPN / Remote AccessNetwork-level access to your systems. Ensure it is time-limited, logged, and uses MFA. Review regularly.

💻 Vendor-managed portal / platformVendor-Managed PortalYour data lives in their environment. Verify their security controls, data residency, and backup procedures.

🏢 Physical / on-site accessPhysical / On-Site AccessRequires physical security controls — access logs, escorting policy, and clear rules about what can be accessed.

📧 Email / file transfer onlyEmail / File TransferLower risk than system access, but data can still be exposed if email is unencrypted or files are not password-protected.

🚫 No direct system accessNo Direct System AccessSignificantly reduces the attack surface. Still assess the vendor's handling of any data they receive.

Section 04 — Operational Risk · Question 1 of 2

How critical is this vendor to your business operations?

🔴 Critical — operations stop without themMission CriticalIf this vendor is unavailable, your operations stop entirely. Highest priority for contractual SLAs, BCP review, and contingency planning.

🟠 High — major disruption if unavailableHigh CriticalityMajor operational disruption if unavailable. Should have defined recovery plans and alternative supplier options.

🟡 Medium — some disruption but manageableMedium CriticalitySome disruption if unavailable but operations can continue. Important to monitor but lower priority than critical vendors.

🟢 Low — easily replaced or minimal impactLow CriticalityMinimal impact if unavailable — easily replaced. Still requires a basic security assessment.

Section 04 — Operational Risk · Question 2 of 2

Does the vendor have a documented business continuity or disaster recovery plan? (Select all that apply)

✅ Yes — BCP/DRP confirmed and evidencedBCP Confirmed & EvidencedBest practice — vendor has a tested Business Continuity Plan and can provide documentation and test results.

📄 Claimed but not yet evidencedClaimed But Not EvidencedWords without proof. Request the actual BCP document and most recent test results before accepting this claim.

📋 SLA / uptime commitments defined in contractSLA / Uptime CommitmentsSLAs define uptime guarantees and penalties but are not the same as a full BCP. Check what remedies exist for SLA breaches.

🔄 Redundant systems / multi-region hostingRedundant / Multi-Region SystemsRedundancy and multi-region hosting significantly reduce single-point-of-failure risk. Ask where specifically.

❌ No BCP/DRP in place or evidencedNo BCP in PlaceA critical gap for any vendor with medium or higher operational criticality. Escalate this during onboarding.

❓ UnknownBCP Status UnknownAlways verify during onboarding. Include BCP/DRP documentation as a required submission in your vendor questionnaire.

Section 05 — Compliance & Legal · Question 1 of 3

Which compliance frameworks or regulations apply to YOUR organisation? (Select all that apply)

📋 ISO 27001 — Information SecurityISO 27001Requires formal third-party supplier risk management under Annex A.15. Vendor assessments and contracts are mandatory controls.

🔐 SOC 2 — Service Organisation ControlsSOC 2Trust Services Criteria require you to monitor and manage vendors who can affect your security, availability, or confidentiality controls.

🇿🇦 POPIA — Protection of Personal Information Act (SA)POPIA – South AfricaSection 21 requires operators to process data only under written authorisation and to implement sufficient security measures.

🇪🇺 GDPR — General Data Protection Regulation (EU)GDPR – European UnionArticle 28 mandates a Data Processing Agreement with all processors. Non-compliance penalties reach 4% of global annual turnover.

🌍 NDPA / Local DPA — Other African data protection lawsAfrican Data Protection LawsNigeria, Kenya, Ghana, and others have enacted data protection laws. Requirements vary — check country-specific obligations.

🏥 HIPAA — Health data (US)HIPAA – US Health DataRequires Business Associate Agreements (BAAs) with any vendor accessing protected health information (PHI).

💳 PCI DSS — Payment card industryPCI DSS – Payment CardsMandates strict vendor management for any third party in the payment card data environment.

🏦 DORA — Digital Operational Resilience Act (EU Financial)DORA – EU FinancialRequires EU financial entities to manage ICT third-party risk with specific contractual clauses and concentration risk reporting.

🛡️ NIS2 — Network & Information Systems (EU)NIS2 – EU CybersecurityExtends to supply chain security — organisations must assess and manage cybersecurity risks from their suppliers.

🇺🇸 NIST CSF — Cybersecurity Framework (US)NIST Cybersecurity FrameworkThe ID.SC (Supply Chain Risk Management) category requires formal processes for identifying and managing third-party risks.

☁️ ISO 27017 — Cloud SecurityISO 27017 – Cloud SecurityExtends ISO 27001 with cloud-specific controls for both cloud service providers and cloud service customers.

🔏 ISO 27018 — Cloud PrivacyISO 27018 – Cloud PrivacyControls for protecting personal data in public cloud computing — important when vendors process PII in cloud environments.

🇺🇸 CCPA — California Consumer Privacy ActCCPA – California PrivacyGrants California consumers rights over their data. Applies if you serve California residents — requires vendor agreements.

🇬🇧 Cyber Essentials / Cyber Essentials Plus (UK)Cyber Essentials (UK)UK government-backed scheme covering 5 basic controls. Often required for UK public sector contracts.

❓ None / Not yet determinedNo Framework YetEven without a formal framework, vendor risk management is considered industry best practice and reduces liability.

Section 05 — Compliance & Legal · Question 2 of 3

Are you aware of any past security incidents involving this vendor? (Select all that apply)

💥 Known data breach or cyber incidentKnown Data BreachA prior breach significantly increases risk. Assess what remediation was done and whether the root cause has been resolved.

⚖️ Regulatory fine or enforcement actionRegulatory Fine / ActionIndicates the vendor has previously failed compliance obligations. A significant red flag requiring deeper due diligence.

🏛️ Legal dispute or litigation related to dataLegal Dispute – Data RelatedData-related legal disputes may indicate poor data handling practices, privacy violations, or contractual failures.

⚡ Major outage or service disruptionMajor Outage / DisruptionReveals potential gaps in business continuity. Ask what the root cause was and what remediation was implemented.

✅ None that I am aware ofNo Known IncidentsPositive, but absence of evidence is not evidence of absence. Always run an independent breach check.

❓ Unknown — not yet checkedIncident History UnknownAlways check breach databases and request a self-disclosure statement. Unknown history = unmanaged risk.

Section 05 — Compliance & Legal · Question 3 of 3

What formal agreements are in place with this vendor? (Select all that apply)

📄 Signed contract / MSASigned Contract / MSAA Master Services Agreement establishes the legal relationship, liability limits, termination rights, and governing law.

🔏 Data Processing Agreement (DPA)Data Processing AgreementMandatory under POPIA and GDPR when a vendor processes personal data on your behalf. Must include sub-processor provisions.

🤐 Non-Disclosure Agreement (NDA)Non-Disclosure AgreementProtects confidential information shared during the vendor relationship. Should survive termination of the contract.

📊 Service Level Agreement (SLA)Service Level AgreementDefines uptime, response times, and performance metrics — and what happens (penalties, credits) if they are not met.

🛡️ Security addendum / Information Security scheduleSecurity Schedule / Addendum defines your minimum security requirements the vendor must contractually meet and maintain.

❌ No formal agreements in placeNo Formal AgreementsA critical gap — without agreements you have no legal recourse, no defined obligations, and no liability framework.

Section 06 — Fourth-Party Risk · Question 1 of 1

Do you know whether this vendor uses subcontractors or subprocessors who may access your data? (Select all that apply)

✅ Yes — subprocessors disclosed and documentedSubprocessors DisclosedBest practice — you know exactly who can access your data through this vendor. Ensure each is also assessed.

⚠️ Known subprocessors but not formally disclosedKnown subprocessors that are not formally disclosed create legal and compliance exposure under GDPR Article 28 and POPIA.

☁️ Uses major cloud providers (AWS / Azure / GCP)Uses Major Cloud ProvidersAWS, Azure, and GCP are generally well-secured, but confirm data residency, region, and encryption key management.

🚫 No subprocessors usedNo SubprocessorsSimplifies the supply chain risk picture — data only passes through this vendor, reducing fourth-party risk.

❓ Unknown — not assessedSubprocessors UnknownUnknown subprocessors = unknown risk. Always request a complete subprocessor register as part of your DPA.

Strengthening Cybersecurity.
Enabling Compliance.
Building Trust.

Three Areas. Maximum Impact.

Cybersecurity Assessments

Compliance Readiness

Third-Party Risk Management

Introducing VendorGuard

From Vendor Import to Audit-Ready Report in Minutes

Connect Your Systems

Build Your Vendor Register

Run AI Risk Assessments

Real Data from Live Sources

Get Actionable Risk Reports

Monitor Continuously

Transparent Plans for Every Organisation

Tell Us About Your Vendor

New Vendor

Existing Vendor

Vendor Name

Detailed Findings & Remediation Roadmap

ISO 27001 Evidence Package

Full Report Locked

Monitor this vendor continuously

Vendor Name

Need help remediating these findings?

Vendor Risk Intelligence Platform

Manage Your Vendors

Drop your vendor list here

Live Security Feed

Alert Summary

Intelligence Sources

Affected Vendors

Ask About Your Vendor Risk

Connect Your Systems

Automation Trigger

Sync Controls

Custom Integration Builder

Connection Preview

Strengthening Cybersecurity.Enabling Compliance.Building Trust.

Three Areas. Maximum Impact.

Cybersecurity Assessments

Compliance Readiness

Third-Party Risk Management

Introducing VendorGuard

From Vendor Import to Audit-Ready Report in Minutes

Connect Your Systems

Build Your Vendor Register

Run AI Risk Assessments

Real Data from Live Sources

Get Actionable Risk Reports

Monitor Continuously

Transparent Plans for Every Organisation

Tell Us About Your Vendor

New Vendor

Existing Vendor

Vendor Name

Detailed Findings & Remediation Roadmap

ISO 27001 Evidence Package

Full Report Locked

Monitor this vendor continuously

Vendor Name

Need help remediating these findings?

Vendor Risk Intelligence Platform

Manage Your Vendors

Drop your vendor list here

Live Security Feed

Alert Summary

Intelligence Sources

Affected Vendors

Ask About Your Vendor Risk

Connect Your Systems

Automation Trigger

Sync Controls

Custom Integration Builder

Connection Preview

Strengthening Cybersecurity.
Enabling Compliance.
Building Trust.