Follow-up questionnaires

Updated by Calyssa Nowviskie

If controls are unvalidated or questions are unanswered after assessment review, you have the power to initiate a follow-up to gather more information directly from the vendor.

How to Configure Follow-Up Questionnaires

Follow-up questionnaires are only available for interactive assessments (assessments that involve direct vendor participation).
  1. Start an Interactive Assessment
    1. Select Start Assessment.
    2. Choose Designate a third-party contact to reach out to.
  2. Under Configure follow-up, select from the following options:
    1. Always ask before following up (Recommended): Review AI assessment results before deciding whether to follow up or close the assessment. We recommend this option because it lets you choose when an assessment is complete and, on average, results in faster overall assessment times.
    2. Conditional based on residual risk: Automatically initiate follow-up if residual risk meets or exceeds a specified score. For all other assessments, you’ll have the option to review the AI assessment results and decide to follow up or close the assessment.

Reviewing Follow-Up

If you selected Always ask before following up, once the VISO auditor has reviewed your assessment, you’ll have the option to review remaining controls.

Assessments awaiting follow-up review will have the status “Review Started: Follow-up Recommended.” You can filter by this status on the Relationship List Page, or see all assessments awaiting follow-up on the Assessment List Page.

  1. Review Follow-Up
    1. Go to the Assessments tab on the Relationship Details Page.
    2. Click the Review Follow-Up button above the assessment timeline.
  2. Review residual risk and missing controls
    1. View the current inherent and residual risk, any unvalidated controls, and unanswered supplemental questions.
  3. Send follow-up questionnaire
    1. If you choose to follow up, the assessment status will change to Collecting Information, and the vendor will receive a short questionnaire targeting the identified gaps.
    2. The vendor will have 7 days to respond to the follow-up questionnaire request.
    3. VISO TRUST auditors will validate the response to the follow-up questionnaire and complete the assessment. Then, you will have the choice to proceed with Remediation or Risk Acceptance.
  4. Or choose to proceed without following up
    1. If follow-up is not needed, you may complete the assessment and proceed with Remediation or Risk Acceptance.

Frequently Asked Questions (FAQs)

What questions are included in a follow-up questionnaire?

  • Only questions that could not be answered with the provided artifacts are included, keeping questionnaires concise.

Can I change my follow-up configuration after starting an assessment?

  • Yes, until the auditor review is complete and the follow-up is sent, you are able to change your follow-up configuration. Above the assessment timeline, click Edit follow-up to see configuration options.

How long does the vendor have to respond to a follow-up questionnaire request?

  • The vendor is given seven days to respond to the follow-up questionnaire.

What if my vendor does not respond to a follow-up questionnaire request?

  • If the vendor doesn’t respond within the seven-day period, the assessment will be marked complete. You can request remediation if necessary.

Are supplemental questions included in follow-up questionnaires?

What is the difference between follow-up questionnaires and remediation?

  • Follow-Up Questionnaires: Short questionnaires focused on collecting information about specific controls; the vendor has seven days to respond to potentially reduce residual risk.
  • Remediation Requests: Allow the vendor more time (duration specified by you) to gather additional artifacts or address security gaps. Learn more about remediation and risk review.
