Summary
Do you need to gather material from a vendor in order to conduct a security assessment? We'll outline the steps below.
A few things to point out before getting started:
- Requests are issued through the Vendor Detail page
- Requests can consist of a Questionnaire and/or Document
- For a document request, you can offer alternative options for the vendor to complete (in the form of a Questionnaire) if they don't have the document being requested
- A request can be sent to multiple vendor contacts. However, by default, each of the contacts will work on their own questionnaire, independent of the other requests
- While a request is outstanding, it can be reassigned by the requester or the recipient
- While a request is outstanding, it can be canceled by the requester
- Ideally, the vendor is expecting an assessment request. If not, it may help to reach out and inform the vendor that the assessment request will be facilitated through Whistic
- If the Vendor Status = Inactive, the Vendor is unable to access any assessment requests
- If an assessment is sent to a vendor in Inactive status, the old request will need to be canceled and a new request will need to be sent once the status has been changed to Active.
- Is there an existing document that you'd like to review (without requesting through Whistic)? Go here for more.
Steps
1. Open Vendors from the main menu
2. Select a Vendor to open the Vendor Details page
3. Under the Assessments section, select the Start Assessment button.
3.1 Optional: If there is an available Profile in the Trust Catalog, Whistic will invite you to import that Profile rather than issue a new request.
4. Select Request Type. Choose from a Questionnaire and/or Document.
5. Select Request Recipient. Choose from existing vendor contacts or create a new one.
You can also CC additional contacts. Please note that the CC recipients will not be able to access or track progress on the assessment request.
7.1 Optional: Offer Acceptable Alternatives to the document. To do this, select the Allow Alternatives box and then select from a list of questionnaires that you will accept in lieu of the document.
8. Confirm and Send. Review the request details and send to the vendor contact
Once sent, the vendor contact will receive an email (example below) inviting them to open and complete the request in Whistic. Our Support Team is standing by to help with any questions. As long as the request is outstanding, the vendor contact will receive regular reminders to complete the request.
Should the user not receive the email, no worries! You can grab the direct registration link to assist the user in registering and accessing the request all from Assessment Activity.
Here is how:
- Open the Vendor Record
- On the Overview tab, scroll down to Assessments
- Next to the line item for the request (which displays the recipient and the questionnaire requested), click the Actions dropdown
- Select Registration Link
- Copy that link and send it to the user via email for assistance
Document Request
Below is a comprehensive list of all documents that can be requested in Whistic:
- ISO 27701 Certification
- ISO 27017 Certification
- ISO 27018 Certification
- ISO 42001 Certification
- SOC 1 Report
- SOC 3 Report
- SOC 2 Bridge Letter
- SOC 2 Type 2 Report
- Certificate of Insurance
- Penetration Test Report/Letter of Engagement
- Information Security Policy and Procedures
- Privacy Policy
- FedRAMP Authorization
- HIPAA Certification
- PCI Certification/Self-Assessment Questionnaire (SAQ)
- HITRUST Certification
- Breach Attestation
- Cloud Hosting Security Tools and Services
- Cyber Liability Insurance (COI)
- Data Encryption Policy
- Data Flow Diagrams
- Business Continuity Plan and Test
- Disaster Recovery Plan and Test
- Incident Response Plan and Test
- Risk Management Policy and Process
- Security White Papers
- Software Bill of Materials
- Third-Party Risk Management Program
- Vulnerability Scan Results
FAQ
- How come the Questionnaire I want to request is greyed out in the list of options?
  - If the questionnaire is greyed out when you attempt to select it, that questionnaire has already been sent to a user within that vendor's organization. Should you wish to send the questionnaire to another user, cancel the existing request and send a new request to the intended user.
- How come I am receiving a "Something Went Wrong" error message when attempting to send a request to a vendor via Assessment Activity?
  - This is likely due to an external contact not being listed in the vendor record. To confirm, go to the Contacts section and locate an external contact. If no external contact is listed, please add one and try again.