How to build a custom questionnaire

Learn how you can build a custom questionnaire from a pre-existing template in Excel, from scratch, or by using one of our growing library of questionnaires as a starting point.

Written by Abi Tyas Tunggal

UpGuard's questionnaire builder helps you create custom security questionnaires that can be sent through the UpGuard platform. 

To get started building a questionnaire in UpGuard, you can:

  1. Import a pre-existing questionnaire in .xlsx format
  2. Duplicate one of our default questionnaires from the questionnaire library then adjust it to cater to your needs
  3. Start from scratch with a blank questionnaire

Managing your questionnaires through the UpGuard platform provides a number of benefits over traditional email/Excel-based processes, including automatic risk identification, standardization, and built-in administration workflows. You can set deadlines, track the status of your questionnaires, and respond to questionnaires in one place.

We recommend utilizing the default questionnaires in our questionnaire library, each of which has been designed by our experienced third-party risk analysts to align with the most commonly used frameworks and legislation.

Building a custom questionnaire involves not only writing the questions but also defining each of the risks that need to be flagged, which is extremely time-consuming. Risks are one of the most important elements of a questionnaire; read more about risks below.


Question types

The questionnaire builder supports seven question types:

  • Sections: Sections are a simple tool to create a group with sub-questions inside. Use it to organise your questionnaire into chapters or to segregate questions by theme. Sub-sections can also be created within an overarching section, and are also used to create the table of contents if you choose to include one. The title and description will be displayed to the vendor.
  • Single-select questions: Allows respondents to choose a single option from a predefined set of mutually exclusive answers. These questions are great if you want to ask a simple question and raise a risk based on a respondent’s answer. A simple example would be a ‘yes’ or ‘no’ question.
  • Multi-select questions: Allows respondents to choose as many options as they wish from a predefined set of answers. For example, you may want to ask a respondent what security controls they have in place and then raise a risk for any controls they are missing.
  • Free text questions: Give respondents a free-form text field to answer as they see fit. This is useful for situations where you want more detail or a qualitative response is required. For example, you may want to give respondents the option to provide additional information about their security program that you hadn’t asked about.
  • File uploads: Allows respondents to upload pdf, doc, docx, jpg, png, xlsx, csv, or pptx documents. Each document can be up to 10 MB.
  • Identified risks: Identified risks allow you to automatically raise a risk based on an answer to a question or multiple questions. To do this, you’ll need to add conditional visibility to the risk. If the identified risk has a potential compensating control, you can provide the respondent with the chance to provide additional information on how they mitigate it.
  • Info: A text box to provide information to the respondent in the questionnaire. Useful to provide context or reasoning for a set of questions.

Risks

Risks are one of the most important parts of a questionnaire in UpGuard, and should be added to every response option of a single-select or multi-select question that would indicate a risk. Risks identified in a questionnaire appear in the vendor's risk profile and in any risk assessments carried out on the vendor, are used to request remediation from the vendor if needed, and are used to score the questionnaire (if there are no risks, the questionnaire will have no score).

The risk categories are as follows:

Critical - Immediate, severe threats that can lead to significant data breaches, financial loss, regulatory penalties, or operational shutdowns. For example, the vendor does not have a formal incident response plan or disaster recovery process in place.

High - Major threats that could cause serious disruptions or data exposure if exploited but might not be immediately catastrophic. For example, the vendor does not enforce multi-factor authentication for administrative access.

Medium - Moderate issues that pose potential risks but are less likely to be exploited or cause immediate harm. For example, the vendor has not conducted a third-party security audit or penetration test in the past 12 months.

Low - Minor risks with a low chance of exploitation and minimal impact on business operations. For example, the third party handles non-sensitive data and has minor security gaps such as missing security awareness training.

Info - Non-risk findings or observations that don't pose any security threat but may inform future assessments. Info risks have no impact on the questionnaire score. For example, the vendor uses methods that do not directly indicate a risk pending further questioning around policy, or the vendor states that the question is not applicable to them.


Importing a pre-existing questionnaire or template

Importing a questionnaire into our custom questionnaire builder is as simple as uploading the Excel spreadsheet. With the help of AI, your questionnaire doesn't need to be in any specific format: the importer will automatically identify your question and answer columns, and automatically detect any section headings, whether they are spaced throughout a single sheet or spread across multiple sheets.

  1. To import a pre-existing questionnaire or template from an Excel spreadsheet, head to the Questionnaire Library then click on the 'Create custom questionnaire' button to see the two options, before selecting 'Import a questionnaire'.
  2. Drag and drop, or choose your Excel file for upload. Note that only .xlsx files are accepted.
  3. Allow the questionnaire importer some time to determine which columns are which and to find your section headings automatically. Please be patient, as this can take up to 30 seconds.
  4. Review the assigned columns and rows, and make any changes that are required, making sure to review all sheets that have been uploaded.

    At this step, be sure to review all sheets before proceeding with the import, as mistakes may require you to start the process again. For each sheet, make sure to configure:
    1. Question column - the column containing all of the questions.
    2. Answer or input column - the column containing answers or input options (only relevant where drop-downs have been used). This column also determines the type of question: if the cells are blank and meant for free text, the question is imported as a free-text question; if your spreadsheet uses drop-downs in the answer cells, the corresponding question is imported as a single-select. Any free text in the answer cells is ignored.
    3. Heading column - the column that contains any headings. Should a heading be in a merged cell spanning multiple columns, choose the first column.
    4. Starting row - the row that contains the first question on the sheet.
    5. Non-question rows - any rows that should be ignored when importing, separated by commas.
    6. Heading rows - any rows that contain a section heading, separated by commas.
  5. When everything is configured and ready to import, click the import button in the bottom right-hand corner of the window.
  6. Review the questionnaire to be sure that the questions and sections have been imported correctly, then proceed to edit and fine-tune your questionnaire. For steps on editing your custom questionnaire, please refer to the section below titled 'Building your custom questionnaire'.
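To make the per-sheet settings above concrete, here is an added example (Python, not UpGuard's importer) of how a question column, answer column, heading column, starting row, non-question rows and heading rows map a sheet onto questions. It assumes a sheet is a list of rows of cell strings and that the drop-down options attached to an answer cell arrive in a separate dict keyed by (row, column), standing in for the spreadsheet's data-validation lists; the sample sheet is constructed for the example.

```python
"""Toy model of the spreadsheet-to-questionnaire column mapping.

Added example, not UpGuard's importer. A sheet is a list of rows (each a list
of cell strings); drop-down options for an answer cell are supplied separately
in a dict keyed by (row, column) in place of the sheet's data validation.
"""
from dataclasses import dataclass, field


@dataclass
class Question:
    section: str
    text: str
    qtype: str                     # "single-select" or "free-text"
    options: list[str] = field(default_factory=list)


@dataclass
class SheetConfig:
    """The per-sheet settings reviewed at step 4 of the import (assumed names)."""
    question_col: int              # 0-based column indexes
    answer_col: int
    heading_col: int
    starting_row: int              # 1-based, as in the spreadsheet
    non_question_rows: set[int] = field(default_factory=set)
    heading_rows: set[int] = field(default_factory=set)


def cell(row, col):
    """Trimmed cell text, or '' when the column is missing or empty."""
    return row[col].strip() if col < len(row) and row[col] else ""


def import_sheet(rows, dropdowns, cfg):
    """Walk the sheet once: heading rows open a new section (even above the
    starting row), rows before the starting row or listed as non-question rows
    are skipped, and the answer cell decides the question type (drop-down ->
    single-select, otherwise free text)."""
    questions, section = [], ""
    for idx, row in enumerate(rows, start=1):
        if idx in cfg.heading_rows:
            heading = cell(row, cfg.heading_col)   # first column of a merged cell
            if heading:
                section = heading
            continue
        if idx < cfg.starting_row or idx in cfg.non_question_rows:
            continue
        text = cell(row, cfg.question_col)
        if not text:
            continue
        options = dropdowns.get((idx, cfg.answer_col))
        if options:
            questions.append(Question(section, text, "single-select", list(options)))
        else:
            # blank answer cell, or free text typed into it: imported as free text
            questions.append(Question(section, text, "free-text"))
    return questions


# Constructed sample sheet; the comments give the 1-based row numbers.
SAMPLE_ROWS = [
    ["Vendor Security Questionnaire", "", ""],                         # 1 title
    ["#", "Question", "Answer"],                                       # 2 column headers
    ["1. Access Control", "", ""],                                     # 3 heading (merged)
    ["1.1", "Is MFA enforced for administrative access?", "Yes"],      # 4 drop-down answer
    ["1.2", "Describe your password policy.", ""],                     # 5 blank answer
    ["2. Incident Response", "", ""],                                  # 6 heading (merged)
    ["2.1", "Do you have a documented incident response plan?", "No"], # 7 drop-down answer
    ["", "Reviewer notes (internal use)", "n/a"],                      # 8 not a question
]
SAMPLE_DROPDOWNS = {(4, 2): ("Yes", "No"), (7, 2): ("Yes", "No")}
SAMPLE_CONFIG = SheetConfig(question_col=1, answer_col=2, heading_col=0,
                            starting_row=4, non_question_rows={8},
                            heading_rows={3, 6})

if __name__ == "__main__":
    for q in import_sheet(SAMPLE_ROWS, SAMPLE_DROPDOWNS, SAMPLE_CONFIG):
        print(f"[{q.section}] {q.text} -> {q.qtype} {q.options}")
```

Row 3 sits above the starting row yet still opens the first section, which is why heading rows are checked before the starting-row cut-off; a real import would read the drop-down lists from the workbook's data validation rather than from a dict.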

How to start from an existing template

To use one of our existing templates as the basis of your custom questionnaire, head over to the Questionnaire Library then click the duplicate icon as shown below. 


Once the questionnaire has been duplicated, you'll be dropped into the questionnaire builder prefilled with all the questions, risks, and conditional visibility logic that the original questionnaire uses. The following section walks you through how to edit your custom questionnaire.


Building your custom questionnaire

  1. Head over to the Questionnaire Library and click 'Create custom questionnaire' in the top right corner of your screen, then select 'Create a new questionnaire' to proceed to the questionnaire builder.
  2. Enter a title for your new questionnaire, and update the description. This description is shown to questionnaire respondents and in the Questionnaire Library. A few things to note here:
    • By default, 'show table of contents' will be selected, but this can be de-selected.
    • The questionnaire will automatically number your questions, however, if you'd like to apply your own alphanumeric characters you can select 'Custom question numbers'.
  3. Add your sections and questions by clicking on the + icon in the questionnaire. This will reveal the list of question types detailed earlier in this article for you to choose from, and hovering over each one will show some additional information about it.
  4. Add any sub-sections or sub-questions using the indented + icon. You can tell that you're using the right one when the numbering shows decimals. Using the non-indented + icon will continue in the main part of the questionnaire. It's easiest to create all of your sections and sub-sections first, before going on to add your questions.
  5. Add risks to the response options of your questions by clicking on the information icon next to the response that should flag the risk.  
    This will bring up the window for you to add the details to your risk:

    Which when completed, will show underneath the question:

    From there you can review the conditions for the risk by clicking on the pen icon, where you'll be able to add or remove conditions as well.
  6. Add conditional visibility to any questions, sections, or risks that should only be shown based on an answer to a previous question by clicking on the 'Add conditional visibility' button below your question/section/risks.

    To customise the conditions for visibility, choose the question, the condition, and the specific response in order to add the conditional visibility to your question. You can add multiple conditions if needed. For example, you may only want to ask your vendor to upload their Information Security Policy if they have previously responded 'yes' to having an Information Security Policy; otherwise the upload request is redundant.


    Conditional visibility can be applied to any element of the questionnaire, including entire sections. For example, you may have 20 questions you wish to ask your vendor about their usage and implementation of artificial intelligence, but all of these questions could be redundant if the vendor does not use artificial intelligence at all. In the example below, my section '3. Artificial Intelligence' will be displayed by default unless the vendor replies 'No' to the question 'Does your organization use AI?'.

    We recommend using conditional visibility to streamline the response process for your vendors by removing unnecessary or redundant questions.
  7. Double-check that questions have been imported as the right type, and change them if that's not the case, by clicking on the change question type icon.  In the example below, I'm switching a question to be multi-select instead of single-select.
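The risk and conditional visibility logic described in steps 5 and 6 above, as an added example (Python, not UpGuard's own code): a small evaluator that decides which sections and questions a respondent sees and which risks their answers raise. The operator names ('is', 'is not', 'includes', 'does not include'), the data classes, and the rule that an unanswered question counts as an empty selection are assumptions; the sample questionnaire is constructed from the article's own examples (policy upload, MFA, penetration test, awareness training, an AI section hidden on 'No'). It does not reproduce UpGuard's score calculation and only separates Info findings from the scoreable ones.

```python
"""Toy evaluator for questionnaire conditional visibility and identified risks.

Added example, not UpGuard code. Operator names, data classes and the
'unanswered = empty selection' rule are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    question_id: str
    operator: str     # assumed: "is", "is not", "includes", "does not include"
    value: str


@dataclass
class Question:
    qid: str
    text: str
    qtype: str        # single-select, multi-select, free-text, file-upload
    options: list[str] = field(default_factory=list)
    conditions: list[Condition] = field(default_factory=list)


@dataclass
class Section:
    title: str
    questions: list[Question]
    conditions: list[Condition] = field(default_factory=list)


@dataclass
class Risk:
    name: str
    severity: str     # critical, high, medium, low, info
    conditions: list[Condition]


def condition_holds(cond, answers):
    """An unanswered question is an empty selection, so 'is not' and 'does not
    include' hold by default (element shown) while 'is' and 'includes' do not."""
    answer = answers.get(cond.question_id)
    selected = set() if answer is None else ({answer} if isinstance(answer, str) else set(answer))
    if cond.operator == "is":
        return selected == {cond.value}
    if cond.operator == "is not":
        return selected != {cond.value}
    if cond.operator == "includes":
        return cond.value in selected
    if cond.operator == "does not include":
        return cond.value not in selected
    raise ValueError(f"unknown operator: {cond.operator}")


def visible_question_ids(sections, answers):
    """An element is shown only when all of its conditions hold; a hidden
    section hides every question inside it."""
    shown = []
    for section in sections:
        if not all(condition_holds(c, answers) for c in section.conditions):
            continue
        shown += [q.qid for q in section.questions
                  if all(condition_holds(c, answers) for c in q.conditions)]
    return shown


def evaluate(sections, risks, answers):
    """Return (visible question ids, raised risks). Answers to questions the
    respondent never saw are dropped, repeating until visibility is stable so
    that chains of conditions settle consistently."""
    effective = dict(answers)
    while True:
        shown = visible_question_ids(sections, effective)
        pruned = {qid: a for qid, a in effective.items() if qid in shown}
        if pruned == effective:
            break
        effective = pruned
    raised = [r for r in risks if all(condition_holds(c, effective) for c in r.conditions)]
    return shown, raised


def severity_counts(raised):
    """Tally of scoreable findings; Info findings are reported but not counted."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for r in raised:
        if r.severity in counts:
            counts[r.severity] += 1
    return counts


# Constructed sample questionnaire mirroring the article's examples.
SECTIONS = [
    Section("1. Security Program", [
        Question("q_isp", "Do you have an Information Security Policy?", "single-select", ["Yes", "No"]),
        Question("q_isp_upload", "Upload your Information Security Policy.", "file-upload",
                 conditions=[Condition("q_isp", "is", "Yes")]),
        Question("q_irp", "Do you have a formal incident response plan?", "single-select", ["Yes", "No"]),
        Question("q_mfa", "Is MFA enforced for administrative access?", "single-select", ["Yes", "No"]),
        Question("q_controls", "Which controls are in place?", "multi-select",
                 ["Annual penetration test", "Security awareness training"]),
        Question("q_ai", "Does your organization use AI?", "single-select", ["Yes", "No"]),
    ]),
    Section("2. Artificial Intelligence", [
        Question("q_ai_services", "Which third-party AI services do you use?", "free-text"),
    ], conditions=[Condition("q_ai", "is not", "No")]),   # shown by default, hidden on 'No'
]
RISKS = [
    Risk("No formal incident response plan", "critical", [Condition("q_irp", "is", "No")]),
    Risk("MFA not enforced for administrative access", "high", [Condition("q_mfa", "is", "No")]),
    Risk("No penetration test in the past 12 months", "medium",
         [Condition("q_controls", "does not include", "Annual penetration test")]),
    Risk("No security awareness training", "low",
         [Condition("q_controls", "does not include", "Security awareness training")]),
    Risk("AI not applicable to this vendor", "info", [Condition("q_ai", "is", "No")]),
]
# Constructed responses; q_ai_services is answered but its section is hidden.
SAMPLE_ANSWERS = {"q_isp": "Yes", "q_isp_upload": "isp.pdf", "q_irp": "No", "q_mfa": "Yes",
                  "q_controls": ["Security awareness training"], "q_ai": "No", "q_ai_services": "n/a"}

if __name__ == "__main__":
    shown, raised = evaluate(SECTIONS, RISKS, SAMPLE_ANSWERS)
    print("visible:", shown)
    for r in raised:
        print(f"{r.severity:8} {r.name}")
    print("scoreable:", severity_counts(raised))
```

With the sample responses the policy upload is shown (the vendor answered 'Yes'), the AI section is hidden and its stray answer discarded, and three findings are raised: the missing incident response plan (critical), the missing penetration test (medium) and an Info note that AI is not applicable, which the tally leaves out.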

Previewing your questionnaire

Previewing your questionnaire allows you to see how the questionnaire will appear to your vendor when they are responding (note that not all functionality for responding to a questionnaire is active when previewing). You can preview your questionnaire by clicking on the 'Preview' button as shown below, which will open the preview in a new tab so as not to impact your editing.

The preview is ideal for testing that your questionnaire displays in the way that you need it to, specifically with respect to the risks and conditional visibility functionality.