Business Cases and Controls

Updated by Tanya Tandon

Vendor Intake Questionnaire

Overview

The intake questionnaire is completed when a new vendor relationship is created and can be
updated as the relationship evolves. It serves two purposes:

  1. Define the relationship's context — by selecting which business cases apply, you
    describe how your organization engages with the vendor and what risks are introduced
  2. Determine controls in scope — selected business cases automatically determine which
    security controls are relevant for assessment

The intake questionnaire has two steps:

  • Business Cases — select which engagement types apply to this vendor
  • Data Classification — identify which types of data are shared with or processed by
    this vendor

How Context Works

In VISO TRUST, "context" refers to the set of business cases selected for a relationship.
Context defines the attack surface — the combination of exposures the vendor introduces to
your organization. Each relationship's context drives which controls are assessed and how
inherent risk is calculated.

Context can be set manually or predicted automatically using AI. When you create a
relationship, the Predict relationship context button uses the vendor's name, website,
industry, and the business purpose you enter to suggest which business cases apply. The
prediction includes an explanation you can review before accepting. You can accept the
suggestion as-is, adjust it, or skip prediction and select business cases manually.

Context can also be updated at any time after a relationship is created. VISO TRUST will
flag when context may need attention as a relationship evolves.


Business Cases

Business cases are the intake questions that define how your organization engages with a
vendor. Select all that apply — there is no required order, and every combination is valid.
Each selected business case adds its relevant security control domains to the controls in
scope for assessment.


Data Shared

formerly: Data Transfer

Will [vendor] transmit, store, or process your organization's data on systems they own
or control?

Applies when a third party transmits, stores, or processes your organization's data on
systems they own or control. Examples include cloud-hosted data pipelines, payment
processors handling transaction data, or outsourced analytics platforms operating on your
datasets.

Controls added: A broad set of controls across data protection, access management,
security operations, resilience, personnel security, and governance.


Software/Hardware Supply

formerly: Technology Provider, Software/Hardware Transfer

Will [vendor] independently develop or supply computer software or hardware for use by
your organization or your customers?

Applies when a third party develops or supplies technology products used by your
organization or your customers. Examples include commercial software, SaaS platforms,
PaaS/IaaS infrastructure, hardware appliances, firmware, or embedded components.

Controls added: Controls related to technology infrastructure, operations, personnel
security, secure development practices, and product security.


Personal Data Privacy

formerly: Privacy

Will [vendor] process, store, or access personal or sensitive personal data on behalf
of your organization or its customers?

Applies when a third party processes, stores, or accesses personal or sensitive personal
data on your behalf. Examples include handling employee PII, processing customer personal
data, managing health records, or any activity involving data subject to privacy
regulations such as GDPR, CCPA/CPRA, or HIPAA.

Controls added: Controls related to privacy governance, privacy compliance, and the
handling of regulated personal information.


Network Connected

formerly: Network Integration, Network Connection

Will [vendor]'s network be directly connected to your organization's network?

Applies when your organization's network is directly connected to a third party's network.
Examples include site-to-site VPNs, dedicated point-to-point circuits, AWS Direct Connect,
or Azure ExpressRoute.

Note: Standard API integrations are covered under Data Shared. Network Connected
applies only to persistent network-layer connectivity such as VPNs or dedicated circuits.

Controls added: Controls related to access control, network security, and geographic
considerations in interconnected environments.


AI Systems

formerly: Artificial Intelligence (AI)

Will [vendor] develop, deploy, or integrate AI or machine learning systems that may
affect your organization's products, operations, customers, or data?

Applies when a third party develops, deploys, or integrates AI or machine learning systems
that may affect your products, operations, customers, or data. Examples include LLMs and
generative AI tools, automated decision-making models, AI-powered analytics, computer
vision systems, or inference APIs.

Controls added: Controls related to AI governance, model oversight, and responsible use
of AI systems, including compliance with regulations such as the EU AI Act.


Data Stored

formerly: Third-Party Data Hosting, Data Storage

Will your organization's data or equipment containing your data be stored at the
vendor's facility?

Applies when a third party physically hosts your organization's data or equipment
containing your data, without having logical access to it. Examples include data center
colocation, offsite tape storage, or managed facility hosting where the vendor cannot
access the data itself.

Note: Cloud-hosted SaaS solutions are covered under Data Shared. Data Stored applies
only to physical hosting scenarios where the vendor has no logical access to the data.

Controls added: Controls related to physical security, personnel security, and endpoint
protection.


Personnel Access

formerly: Vendor Logical Access, Personnel Data Access

Will vendor personnel require access to your organization's computers, networks, or
information systems?

Applies when third-party personnel require logical access to your organization's systems.
Examples include vendor staff with VPN credentials, contractors using internal tools, or
managed service providers administering your systems.

Note: For SaaS providers, vendor personnel access is already covered under Data
Shared.

Controls added: Controls related to personnel security and security awareness.


On-Site Services

formerly: On-Site Physical Access, Physical Access

Will the vendor access your organization's facilities that contain computer systems or
IT resources?

Applies when third-party personnel will physically enter your facilities that house IT
infrastructure or systems. Examples include access to server rooms, telecom closets, work
areas with networked equipment, or data center floors.

Controls added: Controls related to personnel security.


Controls in Scope and Smart Scoping

The Controls in Scope panel updates in real time as you select business cases. Each
business case maps to a set of security control domains — selecting a business case adds
those domains to the assessment scope automatically.

Smart Scoping

Smart Scoping is enabled by default. When Smart Scoping is on, controls in scope are
determined automatically from your selected business cases: the control list is read-only
and is the union of the control domains mapped to each selected business case, so no
manual input is needed.

Organizations using a custom control framework can turn Smart Scoping off to manually
select which control domains are in scope. When Smart Scoping is off, checkboxes appear
for each control domain and you can build a custom scope. A Revert to suggested scope
button is available at any time to return to the automatically suggested set.

The option to turn Smart Scoping off is available only to organizations with a custom
control framework enabled. Contact your VISO TRUST administrator if you are unsure whether
this applies to your organization.


Data Classification

After selecting business cases, the second step of the intake questionnaire is Data
Classification. Here you identify which types of data your organization shares with or
entrusts to the vendor.

Data types are organized into two categories:

  • Organization data types — data your organization owns, such as financial records,
    intellectual property, or internal system data
  • Customer data types — data belonging to your customers or partners that the vendor
    processes or handles on your behalf, such as customer PII, payment card data, or health
    records

Each data type displays a sensitivity level — Critical, Elevated, Moderate, Minimal,
or None — reflecting the potential impact of exposure. Data types are sorted from highest
to lowest sensitivity to help you prioritize your selections.

The combination of selected data types contributes to the relationship's inherent risk
score, visible in the top right of the Data Classification section. Higher-sensitivity data
types increase inherent risk and may influence assessment depth and priority.

Data types are configured in Settings → Your Framework → Data Classification. Your
organization can enable, disable, or create custom data types to reflect your specific
data environment.


FAQ

Do API integrations count as Network Connected?
No. Standard API integrations are covered under Data Shared. Network Connected applies
only to persistent network-layer connectivity such as VPNs or dedicated circuits.

Does Personnel Access include SaaS support staff?
No. For SaaS providers, vendor support staff access is already captured under Data Shared.

Does Data Stored apply to cloud-hosted SaaS providers?
No. Cloud-hosted SaaS solutions are covered under Data Shared. Data Stored applies only
to physical hosting scenarios where the vendor has no logical access to the data.

Can I select more than one business case?
Yes. Select all that apply. Each selected business case adds its relevant controls to the
scope. There is no required sequence.

Can VISO TRUST suggest business cases for me?
Yes. Click Predict relationship context in the intake questionnaire. VISO TRUST will
analyze the vendor's details and the business purpose you entered and suggest which
business cases apply, with an explanation. You can accept, adjust, or ignore the
suggestion.

What if I need to customize the controls in scope?
If your organization uses a custom control framework, turn off Smart Scoping to manually
select control domains. You can revert to the suggested scope at any time.

Can context be updated after a relationship is created?
Yes. Context can be updated at any time from the relationship's intake questionnaire tab.
VISO TRUST will flag when context may need review as a relationship evolves.
