Outgoing Questionnaires
Overview
Outgoing questionnaires are security assessments that your organization sends to vendors, partners, or service providers to evaluate their security posture and compliance status. This process, often called vendor due diligence, is a critical component of third-party risk management. The AskInfosec Security Questionnaire Automation platform streamlines the creation, distribution, and analysis of these questionnaires.
Prerequisites
Before creating an outgoing questionnaire, you need to:
Set up vendor profiles - Ensure the vendor is added to your vendor management system
Determine assessment scope - Identify the appropriate level of scrutiny based on the vendor's access to your data and systems
Prepare questionnaire template - Select or create a template appropriate for the vendor's service type
Workflow
The typical workflow for outgoing questionnaires consists of the following steps:
Create - Set up a new questionnaire and select the appropriate template
Customize - Modify the questionnaire to address specific vendor risks
Assign - Designate internal reviewers for the vendor's responses
Send - Distribute the questionnaire to the vendor
Monitor - Track the vendor's progress in completing the questionnaire
Review - Evaluate the vendor's responses and supporting evidence
Analyze - Assess the vendor's security posture based on their responses
Creating an Outgoing Questionnaire
Setting Up the Questionnaire
Navigate to the Questionnaires section in the main navigation
Click the Add Questionnaire button
Select Outgoing as the questionnaire type
Fill in the basic information:
Questionnaire Name - Provide a descriptive name (e.g., "Vendor X Security Assessment 2023")
Due Date - Set a deadline for the vendor to complete the questionnaire
Scope - Select "Outgoing" from the scope dropdown
Vendor - Select the vendor from your vendor directory
Internal Reviewers - Add team members who will review the vendor's responses
Click Next to proceed to the template selection
Selecting a Template
The platform offers several standard questionnaire templates:
Basic Security Assessment - A lightweight questionnaire for low-risk vendors
Comprehensive Security Assessment - A detailed questionnaire for high-risk vendors
Industry-Specific Templates - Specialized questionnaires for healthcare, finance, etc.
Custom Templates - Your organization's custom questionnaire templates
To select a template:
Browse the available templates
Select the most appropriate template for your vendor assessment
Preview the template to ensure it covers all necessary security domains
Click Next to proceed to customization
Customizing the Questionnaire
Tailor the questionnaire to address specific risks associated with the vendor:
Review the questions included in the template
Add further questions relevant to the vendor's service
Remove questions that don't apply to the vendor's service
Adjust question priorities based on your risk assessment
Click Next to proceed to the final review
Final Review
Review the questionnaire details before sending:
Verify the questionnaire name and due date
Confirm the vendor information is correct
Check the list of internal reviewers
Review the selected questions
Click Create to finalize the questionnaire
Sending the Questionnaire to Vendors
Vendor Invitation
Before sending a questionnaire, you need to invite the vendor to the platform:
From the questionnaire details page, click Send to Vendor
Verify the vendor's contact information
Customize the invitation message
Click Send Invitation
The vendor will receive an email with instructions to access the questionnaire.
Tracking Invitation Status
Monitor the status of your vendor invitations:
Navigate to the Vendors section
Check the Invitation Status column
Statuses include:
Pending - Invitation sent but not yet accepted
Accepted - Vendor has registered and accessed the platform
Expired - Invitation link has expired
Resend invitations as needed by clicking the Resend button
Monitoring Vendor Progress
Questionnaire Status Dashboard
Track the completion status of all outgoing questionnaires:
Navigate to the Questionnaires section
Filter by Outgoing type
View the status of each questionnaire:
Not Started - Vendor has not begun the questionnaire
In Progress - Vendor is actively working on responses
Submitted - Vendor has completed and submitted responses
Under Review - Your team is reviewing the responses
Completed - Review is finished and assessment is complete
Detailed Progress View
For a specific questionnaire, you can view detailed progress:
Click on the questionnaire name to open the details page
View the Progress tab to see:
Percentage of questions answered
Questions grouped by status
Last activity timestamp
Send reminders to vendors if progress is slow
Reviewing Vendor Responses
Response Review Process
Once a vendor submits their responses, your team can begin the review process:
Navigate to the submitted questionnaire
Click the Review button to enter review mode
For each question:
Read the vendor's response
Review attached evidence
Mark the response as Accepted, Needs Clarification, or Insufficient
Add comments explaining your assessment
Request additional information from the vendor if needed
Requesting Clarification
If a vendor's response is unclear or incomplete:
Select the question requiring clarification
Click the Request Clarification button
Enter specific questions or requests for additional information
Click Send to notify the vendor
The vendor will receive a notification and can provide additional information.
Accepting Vendor Responses
To accept a vendor's response:
Review the response and supporting evidence
If satisfied, click the Accept button
Add optional notes about your acceptance decision
The response status will update to Accepted
Risk Assessment
Scoring Vendor Responses
The platform automatically calculates risk scores based on vendor responses:
Each question is assigned a risk weight
Responses are evaluated against expected answers
The system calculates domain-specific and overall risk scores
Scores are displayed on the Risk Assessment tab
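The scoring steps above, sketched as an added example that is not the platform's own code. The weights, sample responses, penalty values and the formula (weighted share of unmet or unverified answers per domain, on a 0 to 100 scale) are assumptions chosen for illustration; this page does not document the platform's actual calculation.

```python
# Illustrative scoring model. The weights, penalties and formula are assumptions,
# not the platform's actual algorithm.
from collections import defaultdict

# Constructed sample: (domain, risk weight, expected answer, vendor answer, review status)
RESPONSES = [
    ("Access Control", 5, "yes", "yes", "Accepted"),
    ("Access Control", 3, "yes", "no", "Accepted"),
    ("Data Protection", 5, "yes", "yes", "Needs Clarification"),
    ("Data Protection", 2, "yes", "yes", "Accepted"),
    ("Incident Response", 4, "yes", "", "Insufficient"),
]

# Fraction of a question's weight counted as risk, by outcome (assumed values).
PENALTY = {"match": 0.0, "unverified": 0.5, "gap": 1.0}

def outcome(expected, answer, status):
    """Classify one response; an expected answer only counts fully once accepted."""
    if status == "Insufficient" or not answer.strip():
        return "gap"
    if answer.strip().lower() != expected.lower():
        return "gap"
    return "match" if status == "Accepted" else "unverified"

def risk_scores(responses):
    """Return ({domain: score}, overall), scores from 0 (no risk) to 100."""
    risk, total = defaultdict(float), defaultdict(float)
    for domain, weight, expected, answer, status in responses:
        if weight <= 0:
            raise ValueError(f"non-positive weight in {domain}")
        total[domain] += weight
        risk[domain] += weight * PENALTY[outcome(expected, answer, status)]
    by_domain = {d: round(100 * risk[d] / total[d], 1) for d in total}
    overall = round(100 * sum(risk.values()) / sum(total.values()), 1)
    return by_domain, overall

def gaps(responses):
    """List (domain, weight) for gap responses, highest weight first."""
    found = [(d, w) for d, w, e, a, s in responses if outcome(e, a, s) == "gap"]
    return sorted(found, key=lambda g: -g[1])

if __name__ == "__main__":
    domains, overall = risk_scores(RESPONSES)
    for name, score in domains.items():
        print(f"{name:20} {score:5.1f}")
    print(f"{'Overall':20} {overall:5.1f}")
```

In this model an answer that matches the expected one but is still marked Needs Clarification carries half its weight as risk, so an unreviewed questionnaire never scores as clean.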
Risk Dashboard
The Risk Dashboard provides a visual representation of vendor risk:
Navigate to the Risk Assessment tab
View risk scores across different security domains:
Access Control
Data Protection
Incident Response
Business Continuity
And more
Identify high-risk areas requiring remediation
Comparative Analysis
Compare a vendor's security posture against:
Industry benchmarks
Your organization's requirements
Previous assessments of the same vendor
Other vendors providing similar services
Remediation Management
Identifying Gaps
Identify security gaps in the vendor's controls:
Navigate to the Gaps tab
Review the list of identified security gaps
Prioritize gaps based on risk level
Create remediation plans for high-priority gaps
Creating Remediation Plans
For each identified gap:
Click Create Remediation Plan
Specify the required remediation actions
Set deadlines for completion
Assign responsibility (vendor or internal team)
Click Save to create the plan
Tracking Remediation Progress
Monitor the vendor's progress in addressing security gaps:
Navigate to the Remediation tab
View the status of each remediation item
Send reminders for approaching deadlines
Request evidence of completed remediation actions
Reporting
Generating Vendor Assessment Reports
Create comprehensive reports on vendor security assessments:
From the questionnaire details page, click Generate Report
Select the report type:
Executive Summary - High-level overview for leadership
Detailed Assessment - Comprehensive analysis for security teams
Compliance Report - Focused on regulatory compliance
Choose report format (PDF, Excel, Word)
Click Generate to create the report
Scheduled Reports
Set up recurring reports for ongoing vendor monitoring:
Navigate to the Reports section
Click Schedule Report
Select the report type and format
Set the frequency (weekly, monthly, quarterly)
Specify recipients
Click Save to schedule the report
Best Practices
Questionnaire Design
Tailor questionnaires to the vendor's service type and risk level
Focus on controls relevant to your data and systems
Include both yes/no questions and requests for detailed explanations
Request specific evidence for critical security controls
Vendor Communication
Provide clear instructions and expectations
Set realistic deadlines based on questionnaire complexity
Offer assistance for technical questions
Maintain professional communication throughout the process
Review Process
Involve subject matter experts in reviewing responses
Verify evidence thoroughly for critical controls
Document your assessment rationale
Maintain consistency in evaluation criteria across vendors
Risk Management
Establish clear risk thresholds for vendor acceptance
Develop standard remediation requirements for common gaps
Implement continuous monitoring for high-risk vendors
Regularly reassess vendors based on changing risk profiles
Troubleshooting
Vendor Access Issues
Invitation Not Received: Verify email address and check spam folders
Access Errors: Ensure the vendor is using the correct login credentials
Expired Links: Generate new invitation links as needed
Response Collection Problems
Incomplete Submissions: Send reminders for unanswered questions
Evidence Upload Failures: Check file size and format restrictions
Deadline Extensions: Adjust due dates if vendors need more time
Conclusion
The Outgoing Questionnaires module of the Security Questionnaire Automation platform transforms vendor security assessments from a manual, time-consuming process into an efficient, structured workflow. By leveraging standardized templates, automated scoring, and collaborative review tools, your organization can effectively evaluate vendor security postures and manage third-party risk.
Remember that vendor security assessments are not just a compliance exercise but a critical component of your overall security program. Use the insights gained from these assessments to make informed decisions about vendor relationships and to drive security improvements across your supply chain.