Frequently Asked Questions

Updated by Calyssa Nowviskie

Adding and Assessing Vendors

How do I add a new vendor or relationship?
You can add a vendor manually by creating a new relationship in the platform, or you can import multiple vendors at once. In addition, you can use Vendor Discovery, where VISO TRUST analyzes uploaded artifacts and trust profiles to automatically identify vendors and subservicers. You can then add these discovered vendors one at a time or in bulk, or simply ignore them if they are out of scope.
👉 Adding Vendors
👉 Vendor Discovery
How do I initiate an assessment?
There are three ways to start an assessment in VISO TRUST.
You can upload artifacts directly, allowing the system to process them instantly with AI.
You can start a collection request to reach out to your vendor and ask for all in-scope documents, a subset of artifacts, or up to 10 ad hoc questions. Collection requests also include advanced settings such as automated follow-ups, response deadlines, and expiration rules.
Finally, you can run a public search, where VISO TRUST automatically finds and applies open-source information such as certifications, compliance attestations, and privacy statements.
👉 Learn more
What is Instant Analysis?
Instant Analysis provides immediate residual risk scores for vendors by analyzing open-source data, historical assessments, predictive analytics, and data recency. Vendors that exist in the VISO TRUST directory will display instant analysis results. Once a full assessment is completed, the AI-validated and auditor-reviewed results replace the predictive scores.
👉 Learn more
What do I do when an assessment is completed?
When an assessment is finished, you can review the residual risk score and the overall summary of the vendor’s security posture. From there, you can accept the risk, override it, or request remediation from the vendor. Based on the outcome, you can update the vendor’s relationship status, such as onboarding them, scheduling recertification, or offboarding if needed.
👉 Learn more

Risk Review and Remediation

How does Risk Review work at the end of an assessment?
Risk Review allows you to take action on the residual risk calculated for a vendor. At this stage, you can override the risk if you have additional context, accept the risk formally, leave an internal comment, or request remediation.

If a vendor does not respond to remediation, the system notifies you and the review options become available again. You can revoke a remediation request at any time, and open requests can be tracked using filters in the relationship list. Risk overrides can also be removed at any point. In addition, onboarding, offboarding, and archiving actions connect to the Risk Review process and may be reversible depending on role and license settings.
👉 Risk Review and Remediation
How do I request remediation?
You can request remediation directly from the Risk Review screen. This sends a request to the vendor to provide additional evidence or address specific issues, and their responses are used to update the assessment.
👉 Risk Review and Remediation
What happens after I send a remediation request?
The vendor is asked to provide additional evidence. Once they respond, the new information is reviewed and may change the residual risk score.
👉 Risk Review and Remediation
What if a vendor does not respond to remediation?
If a vendor does not respond, you are notified and the assessment returns to Risk Review so you can take another action.
👉 Risk Review and Remediation
Can I cancel remediation?
You can cancel a remediation request at any time. The request is closed, and the item returns to Risk Review where you can accept, override, or comment instead.
👉 Risk Review and Remediation
How can I see all open remediation requests?
You can view all open requests by filtering the relationship list in the platform to show remediation items. This filter can be found under More filters > Risk Acceptance.
Can I remove a risk override?
Yes. You can remove an override at any time, which restores the system-calculated residual risk score. You need to first revoke risk acceptance and then review risk again.
👉 Risk Review and Remediation

Vendor Risk

What is Inherent Risk?
Inherent Risk is the “raw” level of risk a vendor poses before any security controls are applied. It is based on the business case for using the vendor and the type of data they access, which together define the vendor’s threat surface and sensitivity level.
👉 Learn more
What is Residual Risk?
Residual Risk is the level of risk that remains after security controls, certifications, and validations are taken into account. It reflects the vendor’s actual risk posture once their evidence has been reviewed.
👉 Learn more
How does VISO TRUST calculate risk?
Risk scores are calculated in two stages. First, Inherent Risk is set using business context and data sensitivity. Then, Residual Risk is calculated by applying evidence from artifacts and validations against standards such as ISO or SOC 2. The result is a score that balances exposure with mitigations.
👉 Learn more
How do risk scores change over time?
Early in the process, Instant Analysis may provide predictive insights. Once an assessment is completed, Residual Risk is updated based on actual evidence. After that, Continuous Monitoring keeps the risk score current by surfacing new certifications, policy updates, or incidents.
👉 Learn more
Can I override or adjust risk scores?
Yes. During Risk Review, you can override Residual Risk if you have additional context. You can also request remediation, and if the vendor provides new evidence, the Residual Risk score may be recalculated.
👉 Learn more

Follow-Up Questionnaires

What is included in a follow-up questionnaire?
Follow-up questionnaires only include the questions from the original assessment that are either unanswered or unvalidated. Supplemental questions that remain unanswered are also included.
👉 Follow-up questionnaires
Can I change follow-up settings after an assessment starts?
Yes. Follow-up settings can be modified until the follow-up has actually been sent to the vendor.
👉 Follow-up questionnaires
How long do vendors have to respond to a follow-up?
By default, vendors are given seven days to respond to a follow-up, although this can be customized in the settings.
👉 Follow-up questionnaires
What if vendors do not respond to a follow-up?
If vendors do not respond, the assessment will still complete. In such cases, you may choose to request remediation or take other actions as part of your risk review process.
👉 Follow-up questionnaires
How are follow-ups different from remediation?
Follow-ups are meant for quick clarifications and have a short response timeline, while remediation is intended for long-term fixes that may require detailed evidence or supporting artifacts.
👉 Follow-up questionnaires

Supplemental Questionnaires

What if I have my own questions I want to ask the vendor?
If you have a custom set of questions you want to include in your assessments, you should create a supplemental questionnaire. This can be done by going to Settings > Questionnaires in VISO TRUST. Supplemental questionnaires are flexible, user-defined questionnaires that run alongside the standard AI-driven assessment. They are not part of the validated core assessment and do not impact residual risk scores, but they allow your team to capture information that is unique to your security program, industry, or compliance requirements. Once created, your supplemental questionnaire will automatically be included in all future assessments where it applies.

👉 Learn more
Do supplemental questionnaires affect residual risk scores?
No. Supplemental questionnaires do not influence the inherent or residual risk scores for a vendor.
👉 Learn more
Are supplemental responses validated by audit?
No. Responses to supplemental questionnaires are not validated by auditors.
👉 Learn more
How are questionnaire responses obtained?
Responses are first obtained through artifact intelligence. If answers to the questions cannot be found in the artifacts, you can follow up with the vendor directly.
👉 Learn more
What happens if I delete a supplemental question?
Deleted supplemental questions are removed from future assessments, but past responses remain intact for record purposes.
👉 Learn more

Continuous Monitoring

What is Continuous Monitoring?
Continuous Monitoring in VISO TRUST is a real-time capability that tracks changes in your vendors’ security posture between formal assessments. It ensures your risk visibility is always up to date, not just at the point in time when an assessment is completed.
👉 Learn more
How does Continuous Monitoring work?
The system automatically pulls in open-source artifacts such as certifications, compliance attestations, and privacy policies. It also detects new risk advisories, vendor announcements, and public news sources that may indicate a change in security posture. These findings are presented in a dedicated Monitoring tab within each vendor relationship. The tab refreshes hourly, so updates are always timely and relevant.
👉 Learn more
What kinds of risks can Continuous Monitoring detect?
Continuous Monitoring can detect when vendor certifications expire, when new compliance artifacts are published, or when important vendor-related news surfaces, such as reported breaches or regulatory findings. It provides early signals that a vendor’s security posture may have changed, helping you respond faster.
👉 Learn more
How does Continuous Monitoring notify me of changes?
Updates appear directly in the Monitoring tab for each vendor relationship. You can also configure custom alerts so stakeholders are notified when significant risks are detected. This ensures the right people are informed immediately, even outside of regular assessment cycles.
👉 Learn more
Does Continuous Monitoring replace assessments?
No. Continuous Monitoring complements assessments. Assessments remain the foundation of third-party risk management, providing a structured, validated view of vendor risk. Continuous Monitoring fills the gap between assessments by providing ongoing updates and early warnings, ensuring your view of vendor risk is always current.
👉 Learn more
When does VISO TRUST send notifications?
VISO TRUST generates notifications for assessment activity, vendor monitoring updates, comments, reminders, and deadlines. Vendors themselves only receive notifications if you specifically request VISO TRUST to reach out to them.
👉 Notifications & Alerts
