UpGuard's questionnaire builder helps you create custom security questionnaires that can be sent through the UpGuard platform. You can learn how to send a security questionnaire here.
You can start from scratch or use one of our growing library of questionnaires as a starting point and then adjust it to cater for your needs. Learn more about the questionnaire library here.
Managing your questionnaires through the UpGuard platform provides a number of benefits over traditional email- and Excel-based processes, including automatic risk identification, standardization, and in-built administration workflows. You can set deadlines, track the status of your questionnaires, and respond to questionnaires in one place.
The questionnaire builder supports six question types:
Sections: Sections are a simple tool to create a group with sub-questions inside. Use it to organise your questionnaire into chapters or to segregate questions by theme. Sections are also used to create the table of contents if you choose to include one.
Single-select questions: Allows respondents to choose a single option from a predefined set of mutually exclusive answers. These questions are great if you want to ask a simple question and raise a risk based on a respondent’s answer. A simple example would be a ‘yes’ or ‘no’ question.
Multi-select questions: Allows respondents to choose as many options as they wish from a predefined set of answers. For example, you may want to ask a respondent what security controls they have in place and then raise a risk for any controls they are missing.
Text questions: Give respondents a free-form text field to answer as they see fit. This is useful for situations where you want more detail or a qualitative response is required. For example, you may want to give respondents the option to provide additional information about their security program that you hadn’t asked about.
File uploads: Allows respondents to upload pdf, doc, docx, jpg, png, xlsx, csv, or pptx documents. Each document can be up to 10 MB.
Identified risks: Identified risks allow you to automatically raise a risk based on an answer to a question or multiple questions. To do this, you’ll need to add conditional visibility to the risk. If the identified risk has a potential compensating control, you can provide the respondent with the chance to provide additional information on how they mitigate it.
How to start from an existing template
To use one of our existing templates as the basis of your custom questionnaire, head over to the Questionnaire Library then click the duplicate icon. It's the two rectangles between the preview and edit icons. In the example below, I made a copy of the standard ISO 27001 questionnaire.
Once the questionnaire has been duplicated, you'll be dropped into the questionnaire builder prefilled with all the questions, risks, and conditional visibility logic that the original questionnaire uses. To learn how to use the builder, please see the section below on how to build a questionnaire from scratch.
How to build a questionnaire from scratch
To build a questionnaire from scratch, head over to the Questionnaire Library and click Create custom questionnaire in the top right corner of your screen.
Clicking Create custom questionnaire will bring up a modal that allows you to name the questionnaire. Try to pick a unique, vendor-appropriate name, as you'll be using it to differentiate this questionnaire from others in the Questionnaire Library, and it is also shown to questionnaire respondents. Once you've chosen your name, click Continue.
Clicking Continue will take you to an empty questionnaire builder. The first thing you need to do is enter a description for the questionnaire. This description is shown to questionnaire respondents and in the Questionnaire Library.
In addition, you can configure whether to include a table of contents.
Adding your first question
Now that you've completed your questionnaire introduction, it's time to create your first question. To create a question, click + below the table of contents checkbox.
Clicking + will bring up a modal that lets you pick which question type you want to use. Hovering over a specific question type will provide additional information about it.
In the example below, I've chosen to start with a section. Remember, sections are used to group questions together and provide the structure for the table of contents. They're also a convenient way to use conditional logic to make your questionnaire adapt based on provided answers, but we'll get to that later.
When creating a section, you need to add a title or description.
Now that we've added a section, we can choose whether we want to add a question to the current section (1) or whether we want to add a new question to the same level of the hierarchy as the section we just created (2).
In the example below, I've chosen to create a sub-question under the Security and Privacy section I just created.
Adding your first risk
Now that we've added our first section and sub-question, let's go through how to add an identified risk. Identified risks can be triggered based on an answer or answers to questions. In the example below, I'll be adding a risk if a respondent chooses option b. No, our security program is more limited.
Risks are categorized as follows:
Critical - Risks or vulnerabilities that place the business at immediate risk of data breaches.
High - Severe risks that should be addressed immediately to protect the business.
Medium - Unnecessary security risks that can lead to more serious vulnerabilities.
Low - Areas of improvement to reduce risk and improve the business's cyber security rating.
To add a risk, click ! next to the relevant answer.
Clicking ! will bring up a modal that lets you associate a risk with the specified answer. In the example below, I've chosen to add a No security program finding.
You can also choose whether or not you want to provide the option for the respondent to provide compensating control information. In the example below, I've chosen to request compensating control information.
Once you're happy with your selection, click Done.
Clicking Done will take you back to the questionnaire editor with an identified risk question added underneath the previous question. As you can see, the risk will only show if 1 condition is met. In this example, that condition is the respondent selecting No, our security program is more limited.
You can always review what conditions need to be met by clicking on the text after Only show if or by clicking on the pencil icon.
You can also add risks as standalone questions, but you will need to configure the conditional visibility manually. To add a standalone risk, click + and then choose Identified Risk.
This will bring up the same modal as before. The key difference is that once you save the risk, you will need to set the conditional visibility by clicking Add conditional visibility.
Clicking Add conditional visibility will bring up the conditional visibility builder shown below.
To add the same conditional visibility as I had before, I need to select the question, the operation, and the answer, and then click Done.
As you have likely guessed, you can use this conditional visibility builder to build complex logical operations and base visibility on the results of multiple answers.
Previewing your questionnaire
Now let's test our questionnaire to make sure what we've done makes sense. You can do this at any time by clicking Preview in the top right corner of your screen.
Clicking Preview opens up a new tab and shows what respondents will see, enabling you to easily test your questionnaire and any conditional logic you've built in.
As you can see from the example below, the identified risk is working as intended. It triggers when the respondent answers No, our security program is more limited and then asks for compensating control information.
Using conditional visibility for questions
Just as you can use conditional visibility for risks, you can do the same for questions.
In the questionnaire I'm building, I want to ask additional questions if the respondent chooses Yes, our security program covers all aspects of information security within the organization.
To do this, we'll need to create a new section, add conditional visibility, and then nest questions under the new section. In the example below, I've added a section titled Security and Program Details. Now it's time to add conditional visibility.
To add conditional visibility, click Add conditional visibility.
Clicking Add conditional visibility brings up the conditional visibility modal. In the example below, I've chosen to show the security and privacy program details if the answer to question 1.1 is Yes, our security program covers all aspects of information security within the organization. Once you're happy with your selection, click Done.
Now let's test that conditional visibility is working as expected by heading back to the preview tab. Remember, we only want this section to appear if the respondent answers Yes, our security program covers all aspects of information security within the organization.
As you can see from the example below, the Security and Privacy Program Details section isn't currently visible.
But if you choose Yes, our security program covers all aspects of information security within the organization, the section appears!
Conditional visibility means you can build smart questionnaires that only ask relevant questions. This leads to more thoughtful answers, quicker completion times, and a more accurate representation of the risk the vendor poses to your organization.
To bring this point home, let's look at a more complete questionnaire. In the example below, I've added additional questions under the Security and Privacy Program Details section. When a respondent first hits the questionnaire, they'll see one question.
However, if they answer Yes, our security program covers all aspects of information security within the organization, then section 1.2 Security and Privacy Program Details appears which contains additional questions.
If they answer No, our security program is more limited, then a risk will be raised and the respondent will be prompted to provide compensating control information.
And if they answer Not applicable, then the questionnaire asks no additional questions.
All in all, the questionnaire builder lets you create custom questionnaires that are as powerful as you want them to be. If you have any questions, feedback, or concerns, please contact UpGuard support.