Frequently Asked Questions
by Calyssa Nowviskie
Adding and Assessing Vendors
How do I add a new vendor or relationship?
You can add a vendor manually by creating a new relationship in the platform, or you can import multiple vendors at once. In addition, you can use Vendor Discovery, where VISO TRUST analyzes uploaded artifacts and trust profiles to automatically identify vendors and subservicers. You can then add these discovered vendors one at a time or in bulk, or simply ignore them if they are out of scope.
See also: Adding Vendors, Vendor Discovery
How do I initiate an assessment?
There are three ways to start an assessment in VISO TRUST.
You can upload artifacts directly, allowing the system to process them instantly with AI.
You can start a collection request to reach out to your vendor and ask for all in-scope documents, a subset of artifacts, or up to 10 ad hoc questions. Collection requests also include advanced settings such as automated follow-ups, response deadlines, and expiration rules.
Finally, you can run a public search, where VISO TRUST automatically finds and applies open-source information such as certifications, compliance attestations, and privacy statements.
What is Instant Analysis?
Instant Analysis provides immediate residual risk scores for vendors by analyzing open-source data, historical assessments, predictive analytics, and data recency. Vendors that exist in the VISO TRUST directory will display instant analysis results. Once a full assessment is completed, the AI-validated and auditor-reviewed results replace the predictive scores.
What do I do when an assessment is completed?
When an assessment is finished, you can review the residual risk score and the overall summary of the vendor's security posture. From there, you can accept the risk, override it, or request remediation from the vendor. Based on the outcome, you can update the vendor's relationship status, such as onboarding them, scheduling recertification, or offboarding if needed.
Risk Review and Remediation
How does Risk Review work at the end of an assessment?
Risk Review allows you to take action on the residual risk calculated for a vendor. At this stage, you can override the risk if you have additional context, accept the risk formally, leave an internal comment, or request remediation.
If a vendor does not respond to remediation, the system notifies you and the review options become available again. You can revoke a remediation request at any time, and open requests can be tracked using filters in the relationship list. Risk overrides can also be removed at any point. In addition, onboarding, offboarding, and archiving actions connect to the Risk Review process and may be reversible depending on role and license settings.
See also: Risk Review and Remediation
How do I request remediation?
You can request remediation directly from the Risk Review screen. This sends a request to the vendor to provide additional evidence or address specific issues, and their responses are used to update the assessment.
See also: Risk Review and Remediation
What happens after I send a remediation request?
The vendor is asked to provide additional evidence. Once they respond, the new information is reviewed and may change the residual risk score.
See also: Risk Review and Remediation
What if a vendor does not respond to remediation?
If a vendor does not respond, you are notified and the assessment returns to Risk Review so you can take another action.
See also: Risk Review and Remediation
Can I cancel remediation?
You can cancel a remediation request at any time. The request is closed, and the item returns to Risk Review where you can accept, override, or comment instead.
See also: Risk Review and Remediation
How can I see all open remediation requests?
You can view all open requests by filtering the relationship list in the platform to show remediation items. This filter can be found under More filters > Risk Acceptance.
Can I remove a risk override?
Yes. You can remove an override at any time, which restores the system-calculated residual risk score. To do so, first revoke the risk acceptance and then review the risk again.
See also: Risk Review and Remediation
Vendor Risk
What is Inherent Risk?
Inherent Risk is the "raw" level of risk a vendor poses before any security controls are applied. It is based on the business case for using the vendor and the type of data they access, which together define the vendor's threat surface and sensitivity level.
What is Residual Risk?
Residual Risk is the level of risk that remains after security controls, certifications, and validations are taken into account. It reflects the vendor's actual risk posture once their evidence has been reviewed.
How does VISO TRUST calculate risk?
Risk scores are calculated in two stages. First, Inherent Risk is set using business context and data sensitivity. Then, Residual Risk is calculated by applying evidence from artifacts and validations against standards such as ISO or SOC 2. The result is a score that balances exposure with mitigations.
How do risk scores change over time?
Early in the process, Instant Analysis may provide predictive insights. Once an assessment is completed, Residual Risk is updated based on actual evidence. After that, Continuous Monitoring keeps the risk score current by surfacing new certifications, policy updates, or incidents.
Can I override or adjust risk scores?
Yes. During Risk Review, you can override Residual Risk if you have additional context. You can also request remediation, and if the vendor provides new evidence, the Residual Risk score may be recalculated.
Follow-Up Questionnaires
What is included in a follow-up questionnaire?
Follow-up questionnaires only include the questions from the original assessment that are either unanswered or unvalidated. Supplemental questions that remain unanswered are also included.
See also: Follow-up questionnaires
Can I change follow-up settings after an assessment starts?
Yes. Follow-up settings can be modified until the follow-up has actually been sent to the vendor.
See also: Follow-up questionnaires
How long do vendors have to respond to a follow-up?
By default, vendors are given seven days to respond to a follow-up, although this can be customized in the settings.
See also: Follow-up questionnaires
What if vendors do not respond to a follow-up?
If vendors do not respond, the assessment will still complete. In such cases, you may choose to request remediation or take other actions as part of your risk review process.
See also: Follow-up questionnaires
How are follow-ups different from remediation?
Follow-ups are meant for quick clarifications and have a short response timeline, while remediation is intended for long-term fixes that may require detailed evidence or supporting artifacts.
See also: Follow-up questionnaires
Supplemental Questionnaires
What if I have my own questions I want to ask the vendor?
If you have a custom set of questions you want to include in your assessments, you should create a supplemental questionnaire. This can be done by going to Settings > Questionnaires in VISO TRUST. Supplemental questionnaires are flexible, user-defined questionnaires that run alongside the standard AI-driven assessment. They are not part of the validated core assessment and do not impact residual risk scores, but they allow your team to capture information that is unique to your security program, industry, or compliance requirements. Once created, your supplemental questionnaire will automatically be included in all future assessments where it applies.
Do supplemental questionnaires affect residual risk scores?
No. Supplemental questionnaires do not influence the inherent or residual risk scores for a vendor.
Are supplemental responses validated by audit?
No. Responses to supplemental questionnaires are not validated by auditors.
How are questionnaire responses obtained?
Responses are first obtained through artifact intelligence. If answers to the questions cannot be found in the artifacts, you can follow up with the vendor directly.
What happens if I delete a supplemental question?
Deleted supplemental questions are removed from future assessments, but past responses remain intact for record purposes.
Continuous Monitoring
What is Continuous Monitoring?
Continuous Monitoring in VISO TRUST is a real-time capability that tracks changes in your vendors' security posture between formal assessments. It ensures your risk visibility is always up to date, not just at the point in time when an assessment is completed.
How does Continuous Monitoring work?
The system automatically pulls in open-source artifacts such as certifications, compliance attestations, and privacy policies. It also detects new risk advisories, vendor announcements, and public news sources that may indicate a change in security posture. These findings are presented in a dedicated Monitoring tab within each vendor relationship. The tab refreshes hourly, so updates are always timely and relevant.
What kinds of risks can Continuous Monitoring detect?
Continuous Monitoring can detect when vendor certifications expire, when new compliance artifacts are published, or when important vendor-related news surfaces, such as reported breaches or regulatory findings. It provides early signals that a vendor's security posture may have changed, helping you respond faster.
How does Continuous Monitoring notify me of changes?
Updates appear directly in the Monitoring tab for each vendor relationship. You can also configure custom alerts so stakeholders are notified when significant risks are detected. This ensures the right people are informed immediately, even outside of regular assessment cycles.
Does Continuous Monitoring replace assessments?
No. Continuous Monitoring complements assessments. Assessments remain the foundation of third-party risk management, providing a structured, validated view of vendor risk. Continuous Monitoring fills the gap between assessments by providing ongoing updates and early warnings, ensuring your view of vendor risk is always current.
When does VISO TRUST send notifications?
VISO TRUST generates notifications for assessment activity, vendor monitoring updates, comments, reminders, and deadlines. Vendors themselves only receive notifications if you specifically request VISO TRUST to reach out to them.
See also: Notifications & Alerts