Vendor Risk & Trust

Questionnaires

Build, manage, and distribute security questionnaires to vendors for comprehensive risk assessment

What are Questionnaires?

Questionnaires are structured security assessments that you send to vendors to collect information about their security posture, compliance status, and operational practices. They consist of sections containing questions that vendors answer through a secure portal. The responses are then used to calculate residual risk scores.

Structured Assessment

Group questions into sections by domain (e.g., Security Governance, Data Protection, Incident Response) for better organization and analysis.

Automated Scoring

Questions can have weights and scores that automatically contribute to residual risk calculations based on vendor responses.

Question Types

Yes/No
Simple binary questions for quick vendor responses

Use Case: Ideal for compliance questions like "Do you have a security policy?"

Multiple Choice
Questions with predefined options and scoring

Use Case: Perfect for questions like "How often do you perform security audits?" with options: Monthly, Quarterly, Annually

Text
Open-ended questions for detailed responses

Use Case: Use for descriptions, explanations, or detailed security procedures

Rating
Numeric rating scales (typically 1-5 or 1-10)

Use Case: Evaluate security maturity levels or implementation quality

File Upload
Allow vendors to upload documents as responses

Use Case: Request certifications, audit reports, or security documentation

Creating a Questionnaire

Step-by-Step Guide
Build a comprehensive security questionnaire from scratch

1. Access Questionnaire Builder

Navigate to Vendor Risk → Questionnaires, then click "Create Questionnaire" or open an existing questionnaire to edit.

2. Set Basic Information

In the "Basic Information" tab, provide:

Questionnaire Name

A descriptive name (e.g., "Vendor Security Assessment 2025")

Description

Overview of the questionnaire's purpose and scope

Applicable Tiers

Select which vendor tiers this questionnaire applies to (Tier 1, Tier 2, Tier 3, Tier 4, or All Tiers)

Public/Private

Set whether the questionnaire is publicly accessible or requires specific access

3. Create Sections

Organize questions into sections. Click "Add Section" and provide:

  • Section Title: Name of the section (e.g., "Security Governance")
  • Description: Brief explanation of what this section covers
  • Department: Associated department or domain
  • Order: Display order of the section

4. Add Questions

For each section, click "Add Question" and configure:

Question Text *

The actual question (e.g., "Do you have a documented security policy?")

Question Type *

Select from: Yes/No, Multiple Choice, Text, Rating, or File Upload

Question Code

Unique identifier (e.g., "SG-POL-1" for Security Governance Policy Question 1)

Domain

Security domain (e.g., "Security Governance", "Data Protection")

Is Required

Whether vendors must answer this question

Weight

Numerical weight for scoring (higher weight = more impact on risk score)

Applicable Tiers

Which vendor tiers should see this question (Tier 1-4, or All Tiers)

5. Configure Multiple Choice Options

For Multiple Choice questions, add options:

  • Option Text: What vendors see (e.g., "Monthly")
  • Value (Optional): Internal value (auto-generated if not provided)
  • Order: Display order of the option
  • Score: Risk score assigned if this option is selected

6. Save and Publish

Once all sections and questions are added, click "Save" to save the questionnaire. You can keep it as a draft or publish it for use.

Importing Questionnaires from CSV

Bulk Import Guide
Import questionnaires from CSV files for faster questionnaire creation

1. Download Template

Navigate to Vendor Risk → Questionnaires → Import. Click "Download Template" to get a CSV template with example data and column structure.

CSV Template Columns:

• questionnaire_name
• section_title
• question_code
• question_type
• question_weight
• option_text
• option_value
• option_score

2. Fill in CSV Data

Using Excel or a text editor, fill in the template:

  • First row: Section header (fill in section_title, section_description, section_department, section_order)
  • Subsequent rows: Questions (fill in question_code, question_text, question_type, etc.)
  • For Multiple Choice: Add additional rows for each option (leave question columns empty, fill option columns)
  • Ensure all rows have exactly 19 columns (empty cells are fine)

3. Upload and Import

Click "Choose File", select your filled CSV, and click "Import Questionnaire". The system will validate the data and create the questionnaire with all sections and questions.
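
A pre-upload check for the CSV rules in step 2, as an added example that is not part of the product or its documentation: it verifies the 19-column row width, flags duplicate question_code values and non-numeric weights or scores, and catches option rows that appear before any question. The 7 placeholder column names, the sample rows, and classifying a row as a question or an option by which cells are filled are assumptions; the downloaded template defines the real header.

```python
import csv
import io
import re

EXPECTED_COLUMNS = 19  # row width stated on this page
NUMBER = re.compile(r"-?\d+(\.\d+)?")  # assumption: weights and scores are plain decimals
# Constructed header: the 12 column names on this page plus 7 placeholder columns.
HEADER = ("questionnaire_name,section_title,section_description,section_department,"
          "section_order,question_code,question_text,question_type,question_weight,"
          "option_text,option_value,option_score").split(",")
HEADER += [f"placeholder_{i}" for i in range(1, 8)]

def make_row(**cells):  # one constructed sample row; unnamed cells stay empty
    return ",".join(cells.get(name, "") for name in HEADER)

def lint_questionnaire_csv(text):
    """Return (row_number, message) problems to fix before uploading."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    header, problems, seen, have_question = rows[0], [], set(), False
    if len(header) != EXPECTED_COLUMNS:
        problems.append((1, f"header has {len(header)} columns"))
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != EXPECTED_COLUMNS:
            problems.append((number, f"row has {len(row)} columns"))
            continue
        cell = {name: value.strip() for name, value in zip(header, row)}
        code = cell.get("question_code", "")
        if code:  # question row
            have_question = True
            if code in seen:  # the page calls question_code a unique identifier
                problems.append((number, f"duplicate question_code {code}"))
            seen.add(code)
            if cell.get("question_weight") and not NUMBER.fullmatch(cell["question_weight"]):
                problems.append((number, "question_weight is not numeric"))
        elif cell.get("option_text"):  # option row: question columns left empty
            if not have_question:
                problems.append((number, "option row before any question"))
            if cell.get("option_score") and not NUMBER.fullmatch(cell["option_score"]):
                problems.append((number, "option_score is not numeric"))
    return problems

SAMPLE = "\n".join([",".join(HEADER),  # constructed rows, the last two deliberately wrong
    make_row(section_title="Security Governance", section_order="1"),
    make_row(question_code="SG-AUD-1", question_type="Multiple Choice", question_weight="3"),
    make_row(option_text="Monthly", option_score="1"),
    make_row(option_text="Annually", option_score="high"),
    make_row(question_code="SG-POL-1", question_type="Yes/No", question_weight="2") + ","])
```

Calling `lint_questionnaire_csv(SAMPLE)` reports the non-numeric score on row 5 and the 20-column row 6; an empty result means the file passed these checks, not that the import will accept it.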

Sending Questionnaires to Vendors

Distribution Process
Send questionnaires to vendors via secure portal links

1. Navigate to Vendor

Go to the vendor detail page where you want to send the questionnaire.

2. Open Send Dialog

Click the "Send Questionnaire" button (available in the Questionnaires or Assessments tab). This opens a dialog to select which questionnaire to send.

3. Select Questionnaire

Choose the questionnaire from the dropdown list. Only questionnaires applicable to the vendor's tier will be shown.

4. Send and Notify

Click "Send". The system generates a secure access token and sends an email notification to the vendor with the questionnaire link. Vendors can complete the questionnaire without creating an account.

Reviewing Questionnaire Responses

Analyst Review Process
Review and validate vendor questionnaire responses before creating assessments

After a vendor completes a questionnaire, analysts must review the responses before creating a risk assessment. This ensures data quality and accuracy.

1. Access Review Page

From the vendor detail page → Assessments tab, click the "Review Responses" button on any assessment that has a linked questionnaire response.

2. Set Applicability

For each question, set applicability:

  • Applicable: Question is relevant and should be scored
  • Not Applicable: Question doesn't apply to this vendor
  • Partially Applicable: Question applies but with some limitations

3. Add Analyst Comments

Add comments to questions to provide context, note concerns, or explain why a question is not applicable. Comments are useful for audit trails and future reference.

4. Save Review

Once all questions are reviewed, save the review. You can now create a risk assessment linked to this questionnaire response, and the system will use the reviewed responses for risk calculation.

Next Steps

Risk Assessment

Learn how to create risk assessments from questionnaire responses and calculate residual risk

Scoring Methods

Configure how questionnaire responses are converted into risk scores
