Responding to Inbound Risk Assessments with SimpleRisk


Like it or not, vendor risk assessments have become the status quo for doing business these days.  Often, that means being on both the sending and receiving end of these assessments.  I cover the topic of Assessing Vendor Security Risks in another blog post, and we have a very strong solution for that, but more recently customers are asking about being able to manage inbound assessments in a similar fashion.  I'll be the first to admit that this is not SimpleRisk's sweet spot.  There are a number of purpose-built tools designed explicitly to map inbound questions to pre-defined answers in order to expedite responding to security questionnaires and RFPs.  That said, the SimpleRisk Risk Assessment Extra has some innate capabilities that provide a suitable workaround to purchasing one of these complicated tools.  I lay the process out in a few simple steps below:

STEP 1: Create an Assessment Template

The SimpleRisk Risk Assessment Extra provides the capability to assess against over 190 different security and privacy frameworks.  To use this functionality, select "Assessments" from the menu at the top, followed by "Questionnaire Templates" from the menu at the left.  Click the "Add" button on the top right and, when the system asks whether you would like to automatically generate a questionnaire template, select "Yes".  This functionality leverages the ComplianceForge Secure Controls Framework (SCF) to generate questions that are either "Standard" (Yes/No/Not Applicable) or "Maturity" (a 0-5 security maturity level for each control).  Common templates for vendor risk assessments are the Shared Assessments SIG 2022 and CSA CCM v4, but many others are included, such as ISO 27001:2013, AICPA TSC 2017 (SOC 2) and NIST CSF v1.1.

[Screenshot: Shared Assessments SIG 2022 questionnaire template]

Here's an example of a small subset of the dynamically created questions for this SIG assessment:

[Screenshot: generated SIG questions]

STEP 2: Perform a Self-Assessment

Once a Questionnaire Template has been created, you can select "Questionnaires" from the menu on the left and then "Add" to create a new questionnaire.  At the bottom of the questionnaire, select the template you want to use and the contact you want to send it to.  For an inbound assessment this contact is internal: you, or whoever on your team will be answering the questions.  When you send it, the contact receives a link to complete the online assessment.  They will have the ability to upload relevant documentation, such as an Information Security Policy, when they submit the completed assessment.

[Screenshot: mapping templates to contacts]

STEP 3: Share the Assessment Results

Since the ultimate goal here is to share the results with the customer who sent the assessment, add the customer as a new contact under the "Assessment Contacts" menu on the left.

[Screenshot: Assessment Contacts]

From there, you can simply go to Questionnaire Results, select the completed assessment and share the results with the contact.  They will receive a link through which they can view the results, including all generated risks, compliance or maturity items, and any uploaded documentation, in the online portal.  They can forward or revisit that link at any time in the future.  Because the link can be forwarded, anyone who obtains it can view the results and the attached policies, so treat sharing it the same way you would treat sending those documents directly.

STEP 4: Annual Re-Assessments

The best part is that this is an extremely repeatable process.  If you want to re-assess against the same framework the following year, there is no need to start from scratch.  The system will ask whether you want to pre-populate the new assessment with the previous answers.  All you have to do then is review the carried-forward answers for changes, since a control that was in place last year is not guaranteed to be in place this year, and upload your new documentation.  When you're ready, you simply share the new results with the customer.
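The carry-forward step above is where stale answers creep in, so it is worth being explicit about what "review the prior assessment for changes" should mean.  The following is an added example, not SimpleRisk's code or data model: it models the two question kinds the post describes (Standard and Maturity), pre-populates a new questionnaire from last year's answers while marking every copied answer as unreviewed, and then produces the review list a practitioner wants before sharing results: carried-forward answers nobody re-confirmed, answers that changed, maturity regressions, outright gaps, and new controls that have no answer at all.  The class and function names, the target maturity of 3, and the control identifiers and questions are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

# The two question kinds the post describes. The class, field and helper
# names below are this example's own choices, not SimpleRisk's data model.
STANDARD_ANSWERS = {"Yes", "No", "Not Applicable"}
MIN_MATURITY = 3  # assumed target level; a Maturity answer below it is flagged as a gap


@dataclass(frozen=True)
class Question:
    control_id: str   # constructed identifiers, not real SCF control numbers
    text: str
    kind: str         # "Standard" (Yes/No/Not Applicable) or "Maturity" (0-5)


@dataclass
class Answer:
    value: Union[str, int]
    carried_forward: bool = False  # pre-populated from the prior year's questionnaire
    reviewed: bool = False         # explicitly re-confirmed in this cycle


def validate(q: Question, a: Answer) -> None:
    """Reject answers that do not fit the question kind."""
    if q.kind == "Standard" and a.value not in STANDARD_ANSWERS:
        raise ValueError(f"{q.control_id}: {a.value!r} is not Yes/No/Not Applicable")
    if q.kind == "Maturity" and not (isinstance(a.value, int) and 0 <= a.value <= 5):
        raise ValueError(f"{q.control_id}: maturity level must be an int 0-5")


def prepopulate(template: List[Question], prior: Dict[str, Answer]) -> Dict[str, Answer]:
    """Seed this year's questionnaire from last year's answers.

    Every copied answer is marked carried_forward and NOT reviewed, so a stale
    answer cannot be shared with a customer without someone re-confirming it.
    """
    current: Dict[str, Answer] = {}
    for q in template:
        if q.control_id in prior:
            validate(q, prior[q.control_id])
            current[q.control_id] = Answer(prior[q.control_id].value, carried_forward=True)
    return current


def review_report(template, prior, current, min_maturity=MIN_MATURITY):
    """What to look at before sharing: unreviewed carry-overs, changes, regressions, gaps."""
    report = {"unreviewed": [], "changed": [], "regressed": [], "gaps": [], "unanswered": []}
    for q in template:
        a = current.get(q.control_id)
        if a is None:                       # control added to this year's template
            report["unanswered"].append(q.control_id)
            continue
        validate(q, a)
        if a.carried_forward and not a.reviewed:
            report["unreviewed"].append(q.control_id)
        p = prior.get(q.control_id)
        if p is not None and p.value != a.value:
            report["changed"].append((q.control_id, p.value, a.value))
            if q.kind == "Maturity" and a.value < p.value:
                report["regressed"].append(q.control_id)
        if (q.kind == "Standard" and a.value == "No") or \
           (q.kind == "Maturity" and a.value < min_maturity):
            report["gaps"].append(q.control_id)
    return report


# Constructed sample data: last year's four controls plus one control added this year.
TEMPLATE = [
    Question("A.1", "Is there a documented information security policy approved by management?", "Standard"),
    Question("A.2", "Is multi-factor authentication required for all remote access?", "Standard"),
    Question("B.1", "Vulnerability management program", "Maturity"),
    Question("B.2", "Security logging and monitoring", "Maturity"),
    Question("C.1", "Is there a documented secure software development lifecycle?", "Standard"),
]
PRIOR = {"A.1": Answer("Yes"), "A.2": Answer("No"), "B.1": Answer(3), "B.2": Answer(2)}


def demo() -> dict:
    current = prepopulate(TEMPLATE, PRIOR)
    # The reviewer re-confirms A.1, updates A.2 and B.1, and never looks at B.2.
    current["A.1"].reviewed = True
    current["A.2"] = Answer("Yes", reviewed=True)
    current["B.1"] = Answer(2, reviewed=True)
    return review_report(TEMPLATE, PRIOR, current)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

The point of the `reviewed` flag is that pre-population is a convenience for the person answering, not evidence that the answer still holds; the report refuses to treat B.2 as done just because last year's "2" was copied in, and it surfaces the B.1 regression separately so it is not lost among ordinary changes.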

Again, this is not intended as a substitute for buying a purpose-built tool for responding to RFPs and security questionnaires, but rather a fairly solid workaround that uses existing SimpleRisk functionality in a very similar manner.  If you'd like to try this out for yourself, you can request a free 30-day trial of SimpleRisk here.
