Assessment Phases
Updated by Tanya Tandon
1. Overview & Purpose
The VISO TRUST assessment lifecycle moves through distinct phases, from initial creation to completion. Understanding each phase enables you to monitor assessment status effectively and take appropriate actions at every stage.
2. Understanding Assessment Phases
| Phase | Description | When does this happen | Possible user actions | Notes |
| --- | --- | --- | --- | --- |
| Not assessed | The vendor has not been previously assessed, and there is no active assessment in progress | A vendor is newly added without a website URL; no assessment update has been initiated | Update Relationship Context; Start a new assessment | |
| Started | A collection request has been sent to the vendor, but the vendor has not opened the request link | During vendor-involved assessments after a request is sent | Proceed with available data (moves into next phase); Close request (cancels the assessment); Upload artifacts (if you would like to provide them in addition to, or instead of, the vendor) | |
| Collecting information | The vendor has opened the request link and started submitting information | After the vendor engages with the collection portal | Proceed with available data (moves into next phase); Close request (cancels the assessment) | The assessment may re-enter this phase several times, for example, if follow up is sent |
| Review started (on Relationship Details Page called “Processing + Review”) | VISO TRUST begins reviewing submitted materials using AI and, when applicable, an auditor | After questionnaire responses or artifacts are submitted; during instant or public-search assessments | Skip auditor review (moves into next phase); Close request (cancels the assessment) | During instant assessments and public search assessments, the assessment phase may skip directly to “Processing + Review” |
| Follow-up recommended (on Relationship Details Page called Review Completed - Review follow up) | The review is complete, but additional information is needed | When missing or unclear controls are identified | Send follow-up questionnaire; Skip follow-up and complete assessment | After follow-up is sent, the assessment moves back to collecting information |
| Completed | The assessment review is finalized, and findings are documented | All submitted information has been reviewed; follow-up is complete, skipped, or not required | Review risk; Accept Risk; Request Remediation | |
3. Common assessment flows:
Instant assessment
Instant assessments happen automatically when a new vendor relationship is created (given that the vendor’s website is provided).
- Review started (also referred to as “Processing & review” on the relationship page)
  - Instant assessments automatically scan for public artifacts and compliance attestations and review them using AI
- Completed
  - The instant assessment is complete using publicly available information
  - The assessment summary is generated using available information on the relationship.
  - Users can proceed with risk acceptance or remediation, or start a full assessment update
Uploaded artifacts
This flow applies when a client uploads artifacts directly by clicking “Add information” or “Upload artifacts”, and the vendor is not involved.
- Review started (also referred to as “Processing & review” on the relationship page)
  - Artifact analysis begins immediately
  - The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
- Completed
  - The artifacts were successfully analyzed
  - The assessment summary was updated using available information on the relationship
  - Users can proceed with risk acceptance or remediation

Vendor collection request (in which control gaps are identified)
This flow applies when a client requests information from the vendor directly, and control gaps are identified.
- Started
  - The collection portal link has been emailed to the vendor, and the vendor has not yet opened it.
- Collecting information
  - The vendor has opened the collection portal link and begun uploading artifacts or providing questionnaire responses.
- Review started (also referred to as “Processing & review” on the relationship page)
  - The vendor has certified that the information is accurate and submitted their assessment
  - Artifact analysis begins immediately
  - The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
- Follow up recommended (on a relationship, it appears as “Review Completed” with a “Review follow up” button beneath)
  - VISO TRUST has finished reviewing the assessment, and there are gaps identified that may lower the risk of the relationship
- If follow up was sent, the assessment phase returns to Collecting information
  - Further information can be found on the relationship, including whether it was:
    1) Manual follow-up sent
    2) Automatic follow-up sent (if automation was set up before the assessment based on a risk threshold)
- If follow up was submitted, the assessment phase returns to Review started
  - Questionnaire responses are being reviewed and processed
- Completed
  - All provided information was successfully analyzed
  - The assessment summary was updated using available information on the relationship.
  - Users can proceed with risk acceptance or remediation
Vendor collection request (in which no control gaps are identified)
This flow applies when a client requests information from the vendor directly, and VISO TRUST does not find control gaps (demonstrating the straightforward path with no issues).
- Started
  - The collection portal link has been emailed to the vendor, and the vendor has not yet opened it.
- Collecting information
  - The vendor has opened the collection portal link and begun uploading artifacts or providing questionnaire responses.
- Review started (also referred to as “Processing & review” on the relationship page)
  - The vendor has certified that the information is accurate and submitted their assessment
  - Artifact analysis begins immediately
  - The analysis method is defined by the relationship default setting (either AI or AI + Auditor)
- Completed
  - All provided information was successfully analyzed
  - The assessment summary was updated using available information on the relationship.
  - Users can proceed with risk acceptance or remediation
4. Notes
- Users can upload artifacts during any assessment phase
  - If there is no assessment update in progress, one will be started and move directly to the “Review started” phase
  - If there is an assessment update in progress, the artifacts will be added to that assessment update
  - If the assessment is in the Started or Collecting information phase when artifacts are uploaded, it will remain in that phase until the vendor has also submitted their information
  - If the assessment is in the Review started phase, it will stay in the Review started phase and new artifacts will be processed alongside any previously provided information
  - If the assessment is in any phase after Review started (e.g., Follow up recommended), it will return to Review started and process the new artifacts.
  - If the assessment is in the Completed phase, a new assessment will be started.
- Users can proceed forward during any assessment phase
- Assessment stages other than those listed above:
  - Expired
    - What it means: The vendor didn't respond by the deadline.
    - What happens: Automatically triggered when the deadline passes without vendor submission.
    - What you can do: Start a new assessment
  - Cancelled
    - What it means: You manually closed the assessment request.
    - What happens: You clicked “Close Request” to stop the assessment.
    - What you can do: Start a new assessment
  - Remediation assessment
    - What it means: An assessment request sent to the vendor to address findings identified in the Recommendations section, or for any additional remediation request, by clicking “Review Risk”.
    - What happens: Allows vendors to specifically submit artifacts to address identified gaps.
    - What you can do: Start a new assessment