--- title: Playbooks | Clarative description: Playbooks are the foundation of your vendor due diligence process in Clarative. They define the criteria, controls, and questions used to assess vendor compliance with your organization's security and risk requirements. --- ## What is a Playbook? A **playbook** is a reusable collection of assessment criteria organized into sections that evaluate whether a vendor meets your organization’s risk management standards. Think of it as your vendor assessment blueprint—defining what “good” looks like for your organization. Playbooks enable you to: - **Standardize assessments** across different vendors and teams - **Scale your due diligence** process with AI-powered automation - **Maintain consistency** in how you evaluate vendor risk - **Customize requirements** based on vendor type, use case, or risk domain - **Leverage industry frameworks and regulatory guidance** like MVSP, NIST, OWASP, DORA, OCC, NYDFS and more Organizations typically maintain multiple playbooks for different scenarios, such as: - High-risk vs. low-risk vendors - SaaS vendors vs. consulting firms - Data processors vs. sub-processors - Domain-specific assessments (security, privacy, compliance) --- ## Playbook Anatomy Understanding the structure of a playbook helps you build effective assessments. ### Sections **Sections** organize your playbook into logical risk domains or control categories. Sections help reviewers navigate the assessment and allow you to focus on specific risk areas. ### Criteria **Criteria** are the individual requirements that determine vendor compliance. Each criterion represents a specific control or policy you expect the vendor to have in place. A criterion includes: - **Title**: A clear, descriptive name (e.g., “Single Sign-On (SSO) Capability”) - **Pass/Partial Pass/Fail Instructions**: Detailed conditions that define what constitutes compliance Tip **Good criteria are:** - **Specific and measurable**: “Vendor supports SSO via OIDC and SAML 2.0” instead of “Vendor has secure authentication” - **Outcome-focused**: Define what evidence you need to see - **Risk-aligned**: Criteria should match your organization’s actual risk tolerance - **Verifiable**: Written so AI and humans can clearly determine pass/fail from documentation or questionnaire responses ### Questions **Questions** are used to gather information from vendors that may not be available in their documentation. Each criterion can have multiple associated questions. Questions appear in the **Vendor Portal** when you send a questionnaire to the vendor. They should: - Request specific information needed to evaluate the criterion - Be clear and unambiguous - Avoid asking for information already in standard documents (like SOC 2 reports) - Guide vendors to provide evidence in a structured format --- ## Creating a Playbook Clarative offers three ways to create playbooks, each suited to different workflows. ### Method 1: Upload an Existing Questionnaire If you already have vendor questionnaires or vendor requirement policies in Excel, Word, or PDF format, you can upload them to generate a playbook automatically. 1. Navigate to **Playbook Library** 2. Click **Create Playbook** → **Upload Policies** 3. Upload your file 4. Clarative’s AI extracts questions and generates criteria 5. Review and refine the generated playbook **Best for:** Migrating existing assessment templates to Clarative quickly. ### Method 2: Start from a Template Clarative provides pre-configured playbook templates based on common frameworks and regulatory requirements. **Available templates include:** - Default Security - Based on the Minimal Viable Secure Product (MVSP) guidelines published by Google, Salesforce, Okta, and others, as well as NIST standards - Privacy - Based on common privacy requirements from regulations like GDPR and CCPA - AI/ML Risk - Based on OWASP’s LLM security guidelines - DORA ICT - Based on due diligence requirements from the DORA regulations **How it works:** 1. Navigate to **Playbook Library** 2. Click **Create Playbook** → **Start from Template** 3. Select a template 4. Customize sections, criteria, and questions to your needs **Best for:** Starting with industry-standard frameworks and tailoring to your requirements. ### Method 3: Build from Scratch For complete control, create a playbook from the ground up. **How it works:** 1. Navigate to **Playbook Library** 2. Click **Create Playbook** → **Start from Scratch** 3. Add sections to organize your assessment 4. Add criteria using the **Criteria Library** or create custom criteria 5. Configure pass/fail conditions and add questions **Best for:** Highly specialized assessments or unique organizational requirements. ![Playbook Configuration](/_astro/edit_playbook.BQhpyYQ3_wowQe.webp) --- ## The Criteria Library The **Criteria Library** is Clarative’s repository of pre-built, industry-standard criteria that you can add to your playbooks. It includes criteria mapped to major frameworks like NIST, regulations like DORA, and guidance from regulatory agencies like OCC and NYDFS. **How to use:** 1. When editing a playbook, click **Criteria Library** in the right sidebar 2. Search the Criteria Library by keyword, framework tag, or risk domain 3. Select relevant criteria to add to your playbook 4. Customize as needed for your specific requirements --- ## Best Practices for Writing Playbooks Creating effective playbooks requires balancing comprehensiveness with practicality. Follow these guidelines to build playbooks that deliver accurate, efficient assessments. - **Be Specific:** Define specific criteria that a vendor must fulfill to meet your organization’s risk management bar. “Vendor supports SSO via OIDC and SAML 2.0” is a more verifiable criterion than “Vendor authentication is secure”. - **Clear Instructions:** Write instructions that are specific and actionable to ensure consistent AI classification. - **Use Questions Where Documentation is Insufficient**: Criteria prompts are great for assessing documentation, but you may need risk information that requires asking questions. Include questions like “Have you had a security breach in the last 6 months?” to gather risk information that will not be included in documentation. - **Update Regularly:** As your risk appetite changes, or as you request new types of evidence, regularly update your playbooks. #### Examples - **Access & Identity Management** - `Comprehensive Access Management Lifecycle` - Criterion: > The vendor provides clear policies and procedures for user and service account provisioning, modification, and revocation, demonstrating formal authorization, least privilege enforcement, and accurate logging of all changes. Evidence includes documented access approval workflows, role-based access configurations, regular access review reports showing timely remediation of unneeded access, and audit logs confirming deactivation for terminated accounts within defined SLAs. The process should integrate security posture changes and ensure technical enforcement of controls. - Quesion: > Describe your processes and controls for user and service account provisioning, modification, and deactivation, including how you enforce least privilege and separation of duties. Please provide relevant policy or procedure documents. - `Strong Authentication & Multi-Factor Authentication for User Access` - Criterion: > The vendor provides clear documentation (policies, security configurations, audit reports) demonstrating mandatory multi-factor authentication (MFA) for all remote access, privileged user access, administrative access, and access to sensitive data. Evidence should confirm the consistent application of strong authentication requirements across all access methods (e.g., local, network, remote) for all personnel, utilizing at least two distinct authentication factors. - Question:: > Do you enforce mandatory multi-factor authentication (MFA) for all remote access, privileged user access, administrative access, and access to sensitive data? - `Single Sign-On (SSO) Capability` - Criterion: > The vendor’s offering must provide robust SSO capabilities, allowing customers to integrate with standard federated identity providers. This functionality should empower customers to enforce their own security policies, such as multi-factor authentication and centralized account deactivation. Crucially, SSO should be offered as a standard feature without any additional cost to the customer. Evidence should include official documentation detailing SSO support, a list of compatible identity providers, and explicit confirmation of its no-cost inclusion. - Question: > Does your product or service support Single Sign-On (SSO) integration with standard federated identity providers as a standard feature at no additional cost? - Question: > Which SSO protocols are supported? ![Criteria Configuration](/_astro/edit_playbook_criteria.qQIHW91Y_ZRcunO.webp) ### Maintain and Iterate Playbooks are living documents. Update them as: - Your risk requirements change - New threats emerge - Frameworks are updated - You learn what works from past assessments **Recommended:** Review playbooks quarterly and after every 5-10 assessments to identify improvement opportunities. --- ## Tagging and Organization Use **tags** to organize playbooks in the Playbook Library for easy discovery and reuse. **Common tag categories:** - **Framework/Regulation**: NIST, DORA, NYDFS - **Risk Level**: High-Risk, Medium-Risk, Low-Risk - **Vendor Type**: SaaS, Infrastructure, Consulting - **Domain**: Security, Privacy, Compliance, Finance --- ## Need Help? Contact support at ****.