Assessment Phases

Updated by Tanya Tandon

The VISO TRUST assessment lifecycle moves through distinct phases, from initial creation to completion. Understanding each phase enables you to monitor assessment status effectively and take appropriate actions at every stage.

Core Assessment Phases

Not assessed
  • Description: The vendor has not been previously assessed, and there is no active assessment in progress
  • When does this happen:
    • A vendor is newly added without a website URL
    • No assessment update has been initiated
  • Possible actions:
    • Start a new assessment

Started
  • Description: A collection request has been sent to the vendor, but the vendor has not opened the request link
  • When does this happen:
    • During vendor-involved assessments after a request is sent
  • Possible actions:
    • Proceed with available data (moves into next phase)
    • Close request (cancels the assessment)
    • Upload artifacts (if you would like to provide them in addition to, or instead of, the vendor)

Collecting information
  • Description: The vendor has opened the request link and started submitting information
  • When does this happen:
    • After the vendor engages with the collection portal
  • Possible actions:
    • Proceed with available data (moves into next phase)
    • Close request (cancels the assessment)

Review started
  • Description: VISO TRUST begins reviewing submitted materials using AI and, when applicable, an auditor
  • When does this happen:
    • After questionnaire responses or artifacts are submitted
  • Possible actions:
    • Skip auditor review (moves into next phase)
    • Close request (cancels the assessment)

Follow-up recommended
  • Description: The review is complete, but additional information is needed
  • When does this happen:
    • When missing or insufficient controls are identified
  • Possible actions:
    • Send follow-up questionnaire
    • Skip follow-up and complete assessment

Completed
  • Description: The assessment review is finalized, and findings are documented
  • When does this happen:
    • All submitted information has been reviewed
    • Follow-up is complete, skipped, or not required
  • Possible actions:
    • Review risk
    • Accept Risk
    • Request Remediation

Example assessment flows

Instant assessment

Instant assessments happen automatically when a new vendor relationship is created (given that the vendor’s website is provided).

  1. Researching vendor
    1. VISO TRUST automatically searches public sources for artifacts, compliance attestations, and risk advisories.
  2. AI processing
    1. Artifacts and compliance attestations discovered during the public search are being analyzed for risk-relevant information.
  3. Completed
    1. The instant assessment is complete using publicly available information
    2. The assessment summary is generated.
    3. Users can proceed with risk acceptance or remediation, or update the assessment with information from other sources.

Artifact upload

This flow applies when a client uploads artifacts directly by clicking “Add information” or “Upload artifacts” and the vendor is not involved.

  1. Artifact(s) uploaded
    1. Artifact analysis begins immediately
  2. AI processing or Processing + Review
    1. VISO TRUST is analyzing the artifacts for risk-relevant information
    2. The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
  3. Completed
    1. The artifacts were successfully analyzed
    2. The assessment summary was updated.
    3. Users can proceed with risk acceptance or remediation

Vendor collection request (in which control gaps are identified)

This flow applies when a user requests information from the vendor directly and control gaps are identified.

  1. Started
    1. The collection portal link has been emailed to the vendor, and the vendor has not yet opened it.
  2. Collecting information
    1. The vendor has opened the collection portal link and begun uploading artifacts or providing questionnaire responses.
  3. AI Processing or Processing + Review
    1. The vendor has certified that the information is accurate and submitted their assessment
    2. VISO TRUST is analyzing the artifacts for risk-relevant information
    3. The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
  4. Follow up recommended
    1. VISO TRUST has finished reviewing the assessment, and there are gaps identified that may lower the risk of the relationship
  5. Follow up sent (optional)
    1. The request for more information has been sent to the vendor.
  6. Additional AI Processing or Processing + Review
    1. The vendor has submitted their follow-up questionnaire, and it is being analyzed for risk-relevant information
  7. Follow up skipped (optional)
    1. The user chose not to proceed with sending the follow-up questionnaire to the vendor.
  8. Completed
    1. All provided information was successfully analyzed
    2. The assessment summary was updated using available information on the relationship.
    3. Users can proceed with risk acceptance or remediation

Vendor collection request (in which no control gaps are identified)

This flow applies when a client requests information from the vendor directly and VISO TRUST does not find control gaps (demonstrating the straightforward path with no issues).

  1. Started
    1. The collection portal link has been emailed to the vendor, and the vendor has not yet opened it.
  2. Collecting information
    1. The vendor has opened the collection portal link and begun uploading artifacts or providing questionnaire responses.
  3. Review started (also referred to as “Processing & review” on the relationship page)
    1. The vendor has certified that the information is accurate and submitted their assessment
    2. Artifact analysis begins immediately
    3. The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
  4. Completed
    1. All provided information was successfully analyzed
    2. The assessment summary was updated using available information on the relationship.
    3. Users can proceed with risk acceptance or remediation

Notes

Users can upload artifacts during any assessment phase

  • If there is no assessment update in progress, one will be started and move directly to the “Review started” phase
  • If there is an assessment update in progress, the artifacts will be added to that assessment update
    • If the assessment is in the Started or Collecting Information phase when artifacts are uploaded, it will remain in that phase until the vendor has also submitted their information
    • If the assessment is in the Review started phase, it will stay in the Review started phase and new artifacts will be processed alongside any previously provided information
    • If the assessment is in any phase after Review started (e.g., Follow up recommended), it will return to Review started and process the new artifacts.
    • If the assessment is in the Completed phase, a new assessment will be started.

Users can proceed forward during any assessment phase

Assessment stages other than those listed above

  • Expired
    What it means: The vendor didn't respond by the deadline.
    What happens: Automatically triggered when the deadline passes without vendor submission.
    What you can do: Start a new assessment
  • Cancelled
    What it means: You manually closed the assessment request.
    What happens: You clicked 'Close Request' to stop the assessment.
    What you can do: Start a new assessment
