Security Questionnaires
      Back to home
      1. UpGuard Knowledge Base
      2. UpGuard Vendor Risk
      3. Security Questionnaires

      Edit and build security questionnaires

      Before you start 

      UpGuard’s wide range of default questionnaires was created by cyber-security experts and are aligned with the most commonly used frameworks and regulations. To preserve their functionality and alignment with security standards, default questionnaires can only be edited in two ways: renaming or questions can be marked as required. 

      All other changes (including rewriting questions, changing their order, deleting or adding questions) are only possible on custom questionnaires.

      Tip: Create a custom questionnaire by duplicating a default questionnaire and then editing from there.

      Questionnaire elements and rules

      Elements

      Use elements to organize your custom questionnaire, and add questions and fields.

      Element Description
      Section Groups related questions together. You can add a description for each section and create subsections. Sections and subsections are visible on the table of contents (if you choose to make that visible). 

      Apply conditional visibility to hide or show all questions in a section (and its subsections).  
      Single-select question Multiple choice questions, respondents choose a single answer option from a predefined set of options.

      Optional: let people add additional information in a free-text field. 
      Multi-select question Multiple choice questions, respondents can select multiple answer options from a pre-defined list. 

      Optional: let people add additional information in a free-text field. 
      Text question Questions with a free text answer field. 
      File upload Fields where respondents can upload pdf, doc, docx, jpg, png, xlsx, csv, or pptx documents. Each document can be up to 10 MB.

      Uploaded files are automatically added to the vendor’s Additional Evidence section. 
      Info Text boxes for the questionnaire creator to provide helpful information, context, or instructions for the respondent. 

      Rules

      Use rules to add logic or requirements to your questionnaire.

      Conditional visibility By default, all elements are visible, but you can use conditional visibility to hide specific elements or risks until specific criteria are met.  

      Ex: Question 1 is a yes/no question. Question 2 has conditional visibility applied so that it only appears if the respondent selects ‘yes’ on question 1. 
      Identified risk Creates risks (you designate the severity) upon the questionnaires submittal. Use conditional visibility to designate what triggers a risk

      If a risk is triggered at submittal, the questionnaire’s rating and the vendor’s overall rating are impacted. 
      Required questions Mark any question as required. Required questions are designated by an asterisk and must be answered before a respondent can submit the questionnaire. 

      Add an element or rule

      The Before you start section details what elements and rules can be added based on questionnaire type. 

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to edit or build out.
      4. Add elements or rules (see table below).
      5. Click Save and exit, Publish, or Confirm and Save.
      Element or rule How to add
       Section  Click a + icon and select Section
      Single-select question Click a + icon and select Single-select question
       Multi-select question Click a + icon and select Multi-select question
       Text question Click a + icon and select Text question
      File upload Click a + icon and select File upload
      Identified risk Click a + icon and select Identified risk 
      Details in the Add a risk section. 
      Info Click a + icon and select Info
      Conditional visibility - Click + Add conditional visibility under the element you want to make conditionally visible. 
      - Use the modal to set the desired logic. 
      - Click Done
      Required questions Check the Required box under the free text, single, or multi-select question that you want to make required. 
      Details in the Required questions section.

      New questionnaires: have only one + icon. What you add is the first thing visible on the questionnaire (you can reorganize items later).

      Questionnaires with existing elements and rules: a + appears under each element or rule. Your next item is added based on the location of the + you choose.

      Add a risk

      Add risks to custom questionnaires (default questionnaires have risks pre-built in). We recommend adding a risk to all elements that signal a risk. Questionnaire risks are visible on a vendor's risk profile, their risk assessments, and in the remediation workflow.

      Risks determine a questionnaire’s score (without risks, questionnaires have no score). 

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to edit or build out.
      4. Click a + icon under the element you want to add a risk to.
      5. Click the pencil icon to edit the risk details. You’ll enter:
        1. Finding
        2. Risk
        3. Description
        4. Severity (critical, high, medium, low, info)
        5. (optional) Compensating controls
      6. Click Done.
      7. Click + Add conditional visibility (immediately under your risk). This is an important step, without conditional visibility, the risk is applied anytime someone submits this questionnaire (regardless of their answer selections).
      8. Use the modal to set the logic for when your risk should be triggered. Ex: If question 5 is answered “always”, show risk).
      9. Click Done.
      10. Repeat steps 4-9 for all of the risks you want to add.
      11. Click Save and exit, Publish, or Confirm and Save.

      Alternatively, click the exclamation mark next to a single or multi-select answer option. After you've entered risk details, conditional visibility rules are automatically added to trigger the risk for that specific answer option. 

      Required questions

      Free text, single, or multi-select questions on custom and default questionnaires can be made required. To submit a questionnaire, a respondent must enter or select a response for all (visible) required questions.

      Required questions and conditional visibility

      Required questions can be hidden by conditional visibility.

      • If a required question is hidden by conditional visibility, respondents can submit the questionnaire without answering the question.
      • If a required question is visible (i.e. no conditional visibility, or it meets the conditions for visibility), respondents must answer the question in order to submit the questionnaire.

      Add required questions

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to add a risk to.
      4. Check the Required box under the free text, single, or multi-select question you want to make required.
      5. Repeat step 4 for all questions you want to make required.
      6. Click Save and exit, Publish, or Confirm and Save.

      Move an element or risk

      You can move elements and risks on custom questionnaires.

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to edit.
      4. Find the element or risk you want to move.
      5. Click the move icon (up and down arrows) in the corresponding row.
      6. Use the modal that opens to drag and drop the element or risk to the appropriate location.
      7. Click Save changes.  
      8. Click Save and exit, Publish, or Confirm and Save.

      Rename a questionnaire

      You can rename custom and default questionnaire.

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to rename.
      4. Click the field with the questionnaire’s current name.
      5. Enter the new name.
      6. Click Save and exit, Publish, or Confirm and Save.

      Delete an element or rule

      You can delete elements and rules on custom questionnaires.

      1. Click Vendor Risk from UpGuard’s left-hand panel.
      2. Click Questionnaire Library from the left-hand Vendor Risk panel.
      3. Click the pencil icon next to the questionnaire you want to edit.
      4. Find the element or rule you want to delete.
      5. Click the trash bin icon in the corresponding row.
      6. Click Delete item to confirm that you want to delete.  
      7. Click Save and exit, Publish, or Confirm and Save