Table of Contents
Tools Available to Help Review a Vendor Summary
Finalizing Your Review of A Vendor Summary
Bulk Actions for Vendor Summary
Do you have endless security policy documents to review? Whistic has got you covered with the next step in Automated Assessments!
Vendor Summary is a new AI-powered feature that will quickly identify and review a vendor’s compliance or non-compliance with various security controls, using all available sources of evidence provided by the vendor.
*If you want access to a feature not currently enabled or would like to increase your allotment, please contact your Whistic Customer Success Manager or reach out to cs@whistic.com.
Overview
- See the overall state of the vendor’s security posture ‘at a glance’.
- Drill in to find details related to the most common security risks without manually searching through hundreds of pages of security policy documentation.
- Use the questionnaire that works best for your organization, or leverage our recommended control framework.
- Use your own custom questionnaire to generate a summary.
- Instead of waiting for a vendor to answer your questionnaire, find answers using the vendor’s existing documentation or other sources of information they have provided.
- Generate a final report with findings based on the Vendor Summary and other Assessment activities that can be shared internally or with the Vendor.
Prerequisites
- Open a Vendor.
- Ensure that Smart Search is Enabled.
Tip: Click Check Processing Status next to the Vendor Smart Search bar to see whether all the available documents and questionnaires are ready to be searched by Whistic AI.
(This process can take a few minutes if there are a lot of sources available.)
- If you don't see a Vendor Search bar, the Vendor has not been enabled for AI yet.
- Click the Enable Smart Search button near the upper right-hand corner of the Vendor Details page, or enable multiple Vendors at once from the Vendor Catalog page.
On the Vendor Details page: (below the vendor information header)
On the Vendor Catalog:
(You need to select one or more vendors for this option to be enabled.)
Generating a Vendor Summary
1. To generate a Vendor Summary, first locate the vendor in the Vendors tab and open the vendor details. The Overview tab is shown by default. Click the ‘Start Assessment’ button.
2. On the next page you will see the option to ‘Use Existing Sources and/or Request New Sources’. Choose Option 1 to assess using existing information you already have for the vendor; you also have the option to upload. Otherwise, choose Option 2 to request new sources, selecting from questionnaire(s) or document(s).
3. After the vendor returns the assessment/document, click the “Create Vendor Summary” button to start the process.
4. On the next page, create the Vendor Summary by selecting your preferred framework, then click ‘Done’, then ‘Create Now’.
NOTE: When the Vendor Summary is complete you will receive a 'bell' notification alert.
PRO TIP: The questions on the Whistic Vendor Summary framework were written so AI can return Yes / No answers, making it easier to determine vendor compliance. Using this framework may require less manual review by you after the answers are returned.
Things to know:
- Vendor Summary returns answers to a set of questions about the vendor’s security controls all at once.
- It provides answers to Yes/No questions, single or multi-select multiple-choice questions, and open-ended questions, and will show relevant documents if requested in the questionnaire (e.g., SOC 2 reports).
- The security controls are based on industry standards.
- Whistic AI bases its answers on all available Sources that the Vendor has shared with you, which might include previous questionnaire responses, documents, Profile content, etc.
You can view the completed Vendor Summary by going to your Vendor Summary tab OR by clicking on View Summary in the Assessment Package.
IMPORTANT NOTES:
AI will set the compliance for the following question types:
- Yes/No
- Multiple Choice
- Multiple Answer
So we suggest manually setting compliance for:
- Open-Ended/Text Answers
- File Upload
They will be labeled "Needs Review" so you can easily spot them.
To eliminate any manual steps, we suggest using our Recommended Whistic Vendor Summary OR choosing a questionnaire made up mainly of Yes/No, Multiple Choice, and Multiple Answer questions.
Tip: If your vendor provided a previous questionnaire response in spreadsheet format, we recommend uploading it to the Vendor Document Repository. This ensures that when you run the Vendor Summary report, those results will be used to populate the report.
Tools Available to Help Review a Vendor Summary
The following tools are available to help with the review process:
- Header
- Filters and Edit Control Details
Header:
- Compliance: This is an indicator of overall compliance based on the number of answers that came back compliant in the report. The pill color reflects the compliance level according to the legend on the right and the ranges below:
- less than 50% - red pill
- 50-80% - yellow pill
- above 80% - green pill
Note that the compliance percentage will adjust as the analyst reviews questions and can be used to assess the overall risk a vendor might represent at that moment.
- Unknown: This is the number of questions AI could not answer. This tells you the number of questions that are likely to go back to the vendor.
- Status: At the top right-hand side of the header, there's a status pill that will remain In Review until the analyst has manually updated the assessment status.
Acceptable Compliance
- New compliance type for informational questions
- Allows reviewers to mark questions like "What is your company name?" as "Acceptable"
- These questions won't be scored as Compliant or Not Compliant in future assessments
Filters and Edit Control Details:
- New Filtering Capabilities
- Column-specific filters for targeted search
- Cumulative filtering (filters work together)
- Different filter types based on content (drop-downs for compliance, text search for questions)
- Filter by ID, Control, Compliance status, and Confidence level
- Filters (located above the Vendor Summary) - Filter by Compliance, Flagged vs Not Flagged, Vendor Answered vs Unknowns, Reviewed, etc.
- Edit Control Details - Click on each control area to see the questions and review answers, and click on any question to display the Edit Control Details. Here you can:
- Override the Answer or the Compliance - If the AI answer doesn't seem correct, manually override the answer based on information in the sources.
- Note that if you change the question answer or add a comment, the person who made the change and the date it happened is added to the question history (small subtitle below the boxes)
- Review Status - Mark the question as Flagged for follow-up or Reviewed
- Create Issue - If you need to follow up with the vendor on that question or simply want to monitor something over time, you can create an issue. It will go to the Issues to be tracked.
- Comment - Leave a comment regarding your review
- Sources - View the Sources AI used to answer the question. Whistic will automatically provide an Answer Explanation to give you additional details to back up the answer.
- Send Questions to Vendor (located under the 3 dot action menu) - Send follow-up questions to the vendor to get answers for the “Unknowns” or other details Whistic AI couldn't answer based on the available sources. You will receive a bell notification alert when new responses from vendors arrive.
- Retry Errors & Unknowns (located under the 3 dot action menu) - If you have added a document or have more information for AI to use, running this will attempt to find answers for questions that previously generated an error (very uncommon) or returned an Unknown answer. Using this button will not use up an additional Vendor Summary license.
Bulk Actions for Vendor Summary
The Bulk Actions menu allows you to perform actions on multiple questions simultaneously within your Vendor Summary, saving you clicks and time.
- Select multiple questions by checking the boxes next to each question in your Vendor Summary.
- As soon as you select one or more questions, a new bulk action menu appears at the top of the screen:
- The menu displays the number of selected questions (e.g., "2 Selected") and provides options for what you can do with these questions:
- Update Status: Apply a status change to all selected questions at once
- Override Compliance: Change compliance status for multiple questions simultaneously
- Create Issues: Generate issues for multiple questions in one action
- Send Question(s) Now: Send selected questions to the vendor
- Preview Question(s): Preview how the questions will appear to the vendor
- Alternatively, you can access these options from the 3-dot menu by selecting "Manage Selected"
Scoring the Vendor Summary
The system automatically calculates scores based on compliance responses:
- Compliant answers contribute positively to the score
- Non-compliant answers reduce the score
- "Acceptable" answers are included in scoring to ensure fair vendor comparisons
- Non-applicable (N/A) answers don't impact the score
The main vendor score, shown on the Vendor Detail page, will be an average of all the scores in the most recent Assessment.
- For example: if, within the same Assessment, there is a questionnaire scored at 650 and a Vendor Summary scored at 850, the score on the Vendor Detail page will be 750.
Note: Only questionnaire-based responses are scored. Document uploads and file attachments don't contribute to the numerical score.
Finalizing Your Review of A Vendor Summary
At the top of the Vendor Summary table, click Finish Review to finish an assessment based on the Vendor Summary.
- This allows you to add an overall comment for the summary and to change the status of the review (Approved, Denied, Approved with Conditions, etc.).
- A copy of the Vendor Summary is added in the Assessment area of the page.
- You can Generate New AI Vendor Summary (located under the 3 dot action menu) while keeping a record of older reviews.
- If you want to refresh the Summary (without saving previous results), click Generate New AI Summary. (If you want to save previous results, click Review Vendor Summary first.)
- You can view or export a Vendor Summary Report after you change the status of the assessment and provide a comment. This option also allows you to add the summary directly to the vendor's list of documents.
- By selecting "Export Report" you can generate a customizable PDF file with the Vendor's consolidated information, while by choosing "Export Excel" you can download an XLSX file with added sections such as Smart Search Answers and Explanations, AI Confidence Level and Sources Used.
Reporting
Go to "Reporting" > Show "Vendor Summaries".
You can create Vendor Summary reports based on:
- Created date
- Questionnaire name
- Questionnaire version
- Vendor Summary status
- Vendor domain
- Vendor name
Additional Resources
Smart Search for Vendor Details
Enable Smart Search for Vendors
Tips for Building a Custom Questionnaire to Use with Vendor Summary