Questionnaires
Build, manage, and distribute security questionnaires to vendors for comprehensive risk assessment. Questionnaires consist of sections containing weighted questions that vendors answer through a secure portal — responses feed directly into residual risk scoring.
Question types
SecureHive supports five question types:
| Type | Use case | Scoring |
|---|---|---|
| Yes / No | Compliance questions (e.g., “Do you encrypt data at rest?”) | Typically Yes = 0, No = 100 |
| Multiple Choice | Frequency or maturity questions with predefined options | Each option has its own score |
| Text | Open-ended descriptions, procedures, explanations | Not scored directly |
| Rating | Numeric scales (1–5 or 1–10) for maturity assessments | Scale value used as score |
| File Upload | Certifications, audit reports, evidence documents | Not scored directly |
Creating a questionnaire
Set basic information
Navigate to Vendor Risk → Questionnaires → Create Questionnaire and configure:
| Field | Description |
|---|---|
| Questionnaire Name | Descriptive name (e.g., “Tier 1 Security Assessment”) |
| Description | Overview of purpose and scope |
| Applicable Tiers | Tier 1, 2, 3, 4, or All Tiers |
| Public / Private | Accessibility setting |
Create sections
Organize questions into logical sections (e.g., Security Governance, Data Protection, Incident Response). Each section has a title, description, department, and display order.
Add questions
For each question, configure:
| Field | Required | Description |
|---|---|---|
| Question Text | Yes | The question vendors will answer |
| Question Type | Yes | Yes/No, Multiple Choice, Text, Rating, or File Upload |
| Question Code | No | Unique identifier (e.g., “SG-POL-1”) |
| Domain | No | Security domain |
| Is Required | No | Whether vendors must answer before submitting |
| Weight | No | Numerical weight for scoring calculations |
| Applicable Tiers | No | Which vendor tiers see this question |
Configure multiple choice options
For multiple choice questions, add options with display text, internal value, display order, and a risk score assigned to each option.
Save and publish
The questionnaire is ready to send to vendors.
Importing from CSV
For large questionnaires, download the CSV template from Questionnaires → Import → Download Template, fill in your questions following the column format (questionnaire name, section title, question code, question type, weight, option text, option value, option score), and upload the file. All rows must have exactly 19 columns.
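A pre-upload check for the 19-column rule above, as an added example (not SecureHive code). The header names and the cell layout of the sample rows are constructed placeholders, since the template's actual column order is not shown on this page.

```python
import csv
import io

EXPECTED_COLUMNS = 19  # column count this page states for import rows


def check_rows(csv_text, expected=EXPECTED_COLUMNS):
    """Return (line_number, column_count, reason) for each row that would break the import."""
    problems = []
    # csv.reader honours quoting, so a comma inside "..." stays in one cell.
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for row in reader:
        line_no = reader.line_num  # physical line on which this record ends
        if not any(cell.strip() for cell in row):
            problems.append((line_no, len(row), "blank row"))
        elif len(row) > expected:
            problems.append((line_no, len(row), "too many columns (unquoted comma?)"))
        elif len(row) < expected:
            problems.append((line_no, len(row), "too few columns"))
    return problems


def sample_line(option_text, quote):
    """Constructed row: 8 cells in the order the page lists them, then 11 empty placeholders."""
    cell = f'"{option_text}"' if quote else option_text
    known = ["Tier 1 Security Assessment", "Data Protection", "SG-POL-1",
             "Multiple Choice", "5", cell, "quarterly", "0"]
    return ",".join(known + [""] * 11)


# Constructed sample input; the header names are placeholders, not the template's real headers.
HEADER = ",".join(f"col{i}" for i in range(1, 20))
GOOD = sample_line("Quarterly, or more often", quote=True)    # 19 cells
BAD = sample_line("Quarterly, or more often", quote=False)    # comma splits the cell: 20
SAMPLE = "\n".join([HEADER, GOOD, BAD, "", "Tier 1 Security Assessment,Data Protection"]) + "\n"

if __name__ == "__main__":
    for line_no, count, reason in check_rows(SAMPLE):
        print(f"line {line_no}: {count} columns, {reason}")
```

Option text or question text containing a comma is the usual cause of a column-count mismatch, so quote those cells before uploading.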
Sending questionnaires to vendors
From a vendor’s detail page, click Send Questionnaire. Only questionnaires applicable to the vendor’s tier are shown. The system generates a secure access token and sends the vendor an email with a link — vendors complete the questionnaire without creating an account.
Vendor questionnaire completion
Vendors access questionnaires through a secure link in their email notification. No account is required — they authenticate with their email address via a secure token.
Key features for vendors: responses auto-save as they type, a progress bar tracks completion of required questions, they can close the browser and resume later via the same link, and sections can be expanded and collapsed for easy navigation.
Once a vendor submits their questionnaire, they cannot edit their answers. They must contact the sending organization to request changes.
Reviewing responses
After a vendor submits, analysts review each response:
Access the review page
From the vendor detail page, go to the Assessments tab and click Review Responses.
Set applicability
For each question, mark it as Applicable (relevant and should be scored), Not Applicable (doesn’t apply to this vendor), or Partially Applicable (applies with limitations).
Add analyst comments
Add comments for audit trails and future reference on any question.
Save the review
The reviewed responses are now ready to be linked to a risk assessment for residual risk calculation.
Best practices
Organize questions by security domain for logical flow. Use question weights to emphasize critical areas — data protection and access control often warrant higher weights than general governance. Set appropriate tier applicability so vendors only see questions relevant to their risk level. Use question codes for consistent referencing across assessments. Test questionnaires with a small group before distributing broadly.