
Control Assessment Questions

Control Questions

Questions must be related to controls. A set of questions for each control is provided with Abriska. It is possible to edit existing questions or add additional questions in relation to a control.


Controls are mapped to categories, so assigning a category to a supplier ensures that the appropriate questions are asked.

Where a control features in multiple categories, Abriska recognises this and ensures the question is only asked once.

Note that categories are not evaluated; controls are evaluated based on the responses to the questions.

Creating a new question

Under SRM Setup, select Controls.

If you want to add or amend questions for existing controls, select the control and then select ‘View Questions’. The existing questions will be displayed. Select the relevant question, make any amendments and then select ‘Submit’.

If a new control is required, select new control, complete the fields and save by selecting Submit. Navigate to Control Types Setup for more details on adding controls. Once the new control appears in the list on the main screen, select the control and then select ‘View Questions’. Remember that a control has to be assigned to a category in order for the questions to be assigned to a supplier.

One of the advantages of Abriska is that questions relate directly to controls. This allows a clear articulation of the risk presented and offers specific corrective actions based on international best practice. For this reason, questions need to be related to controls.

Select ‘Create a New Question’ and complete the fields.

  • 'Recommendation Text' is available as a prompt for the questions. For example, for the question 'Has your organisation implemented a documented information security policy?' you may want to detail that 'As part of the ISO 27001 certification, organisations must have an information security policy.'
  • Under ‘Question Type’ there are four options available: Yes or No, Yes or Not Applicable (N/A), Text Only, or Multiple Choice.
  • A weighting is required for the question and this should be in the range of 1-10. The weighting is used to calculate the level of risk based on the answer received from the supplier (otherwise known as the score).
  • It is then necessary to decide whether a justification is required along with the answer (for Y/N, Y/NA, and multiple-choice questions). This can be set for where the supplier answers Yes or where the supplier answers No.
  • Attribute level relates back to the CIA attribute levels set for the supplier (max attribute score). In this way, certain questions will only be presented to suppliers with certain (higher) risk attributes.
  • Selection of the box marked ‘Critical’ is intended to highlight questions which may have a compliance impact. Regardless of the overall risk score generated by the responses, where a supplier fails on these questions, this will be shown on the overall management dashboard as well as against the questionnaire.
    Question Setup Options


    Please also see Supplier Risk Management - Video Guides


