
Control Questions for Supplier Due Diligence

This page is for the setup of questions for users with access to the Supplier Risk Management module.

Control Questions

Questions must be related to controls. A set of questions for each control is provided with Abriska. It is possible to edit these questions or add additional questions in relation to a control.


Controls are mapped to categories, hence assigning a category to a supplier ensures that the appropriate questions are asked.

Where a control features in multiple categories, Abriska recognises this and ensures the question is only asked once.

Note that categories themselves are not evaluated; controls are evaluated based on the responses to their questions.

Creating a new question

Under SRM Setup, select Controls.

If you want to add or amend questions for existing controls, select the control and then select ‘View Questions’. The existing questions will be displayed. Select the relevant question, make any amendments and then select ‘Submit’.

If a new control is required, select new control, complete the fields and save by selecting Submit. Navigate to Control Types Setup for more details on adding controls. Once the new control appears in the list on the main screen, select the control and then select ‘View Questions’.

Remember that a control has to be assigned to a category in order for its questions to be assigned to a supplier. One of the advantages of Abriska is that questions relate directly to controls: this allows a clear articulation of the risk presented and offers specific corrective actions based on international best practice. For this reason, questions need to be related to controls.

Select ‘Create a New Question’ and complete the fields.

  • 'Recommendation Text' is available as a prompt for the questions, for example for the question 'Has your organisation implemented a documented information security policy?' you may want to detail that, 'As part of the ISO 27001 certification, organisations must have an information security policy.'

  • There are several question types to choose from:
    • Multiple choice. These questions can be automatically scored based on user-defined criteria.
    • Select applicable. These questions can be automatically scored based on user-defined criteria.
    • Yes/No, e.g. "Do you have a policy?"; rated automatically by the system.
    • Yes/Not applicable; rated automatically by the system.
    • Descriptive/free text, e.g. "How do you enforce the policy?"; these questions require manual review and scoring.

  • Document selection is optional and can be used to provide an example or additional information. It can also be used as the main part of the question, for example 'Do you agree with the terms outlined in the attached document?', or within a recommendation, 'Please see the attached document for guidance'.

  • A weighting is required for the question and this should be in the range of 1-10. The weighting is used to calculate the level of risk based on the answers received from the supplier (otherwise known as the score). The question scores are totalled to give a risk rating for the control.

  • It is then necessary to decide whether a justification is required along with the answer (for Y/N, Y/NA and multiple-choice questions). This can be set to apply only to particular answers, for example where the supplier answers Yes, or where the supplier answers No.

  • Attribute level relates back to the CIA attribute levels set for the supplier (max attribute score). In this way, certain questions are only presented to suppliers with certain (higher) risk attribute levels.

  • Selection of the box marked ‘Critical’ is intended to highlight questions which may have a compliance impact. Regardless of the overall risk score generated by the responses, where a supplier fails on these questions, this will be shown on the overall management dashboard as well as against the questionnaire.

  • When setting up a question, there is an option to introduce nested questions, or parent and child questions. For example, where the answer to the question is ‘Yes’, one or more additional questions can be set to request further explanation or the upload of documentation.
    When you want to create a branching child question, create it, then select the parent question and the parent answer (Yes or No) on which the child question should apply.

Question Setup Options
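To make the mechanics above concrete, here is an added worked example (not Abriska code, and not its shipped question set) that models the category-to-control mapping with once-only controls, attribute-level gating, parent/child branching on a Yes or No answer, the 1-10 weighting check, and the Critical flag. The page does not give the scoring formula, so the one used here is an assumption: a control's risk rating is the weighted share of failed answers among the questions that were asked and answered, with "no" counted as a failure on a Yes/No question; critical failures are reported separately regardless of that score. Control ids, question ids and the category map are constructed sample data.

```python
"""Toy model of control/question setup for supplier due diligence.
Added example; the scoring formula and all sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Question:
    qid: str
    text: str
    weighting: int                 # required, must be in the range 1-10
    critical: bool = False         # 'Critical' box: failure flagged regardless of score
    attribute_level: int = 1       # asked only if supplier max CIA attribute >= this (assumed comparison)
    parent: Optional[str] = None   # parent question id for a nested (child) question
    show_on: Optional[str] = None  # "yes" or "no": the parent answer that reveals this child

    def __post_init__(self) -> None:
        if not 1 <= self.weighting <= 10:
            raise ValueError(f"{self.qid}: weighting must be 1-10, got {self.weighting}")
        if (self.parent is None) != (self.show_on is None):
            raise ValueError(f"{self.qid}: a child question needs both a parent and a trigger answer")


@dataclass
class Control:
    cid: str
    name: str
    questions: List[Question]      # parents listed before their children


# Constructed sample mapping: control C2 sits in two categories on purpose.
CATEGORY_CONTROLS: Dict[str, List[str]] = {
    "Cloud hosting": ["C1", "C2"],
    "Data processing": ["C2", "C3"],
}

# Constructed sample controls and Yes/No questions (hypothetical ids and wording).
CONTROLS: Dict[str, Control] = {
    "C1": Control("C1", "Information security policy", [
        Question("Q1", "Has your organisation implemented a documented information security policy?", 8, critical=True),
        Question("Q1a", "Is the policy reviewed at least annually?", 3, parent="Q1", show_on="yes"),
        Question("Q1b", "Is a policy planned within the next 12 months?", 5, parent="Q1", show_on="no"),
    ]),
    "C2": Control("C2", "Access control", [
        Question("Q2", "Is multi-factor authentication enforced for administrative access?", 9, attribute_level=3),
        Question("Q3", "Are access rights reviewed at least annually?", 5),
    ]),
    "C3": Control("C3", "Incident management", [
        Question("Q4", "Do you have a documented incident response process?", 7, critical=True),
    ]),
}


def controls_for_supplier(categories: List[str]) -> List[str]:
    """Union of the controls mapped to the supplier's categories; a control that
    features in several categories is included (and therefore asked) only once."""
    ordered: List[str] = []
    for cat in categories:
        for cid in CATEGORY_CONTROLS[cat]:
            if cid not in ordered:
                ordered.append(cid)
    return ordered


def questions_to_ask(control: Control, max_attribute: int, answers: Dict[str, str]) -> List[str]:
    """Top-level questions are gated by attribute level; a child question appears
    only once its parent was asked and answered with the child's trigger answer."""
    asked: List[str] = []
    for q in control.questions:
        if q.parent is None:
            if q.attribute_level <= max_attribute:
                asked.append(q.qid)
        elif q.parent in asked and answers.get(q.parent) == q.show_on:
            asked.append(q.qid)
    return asked


def score_control(control: Control, max_attribute: int, answers: Dict[str, str]) -> Dict[str, object]:
    """Assumed scoring: risk rating = weighted share (0-100) of 'no' answers among
    the questions asked and answered. Critical failures are listed separately."""
    asked = questions_to_ask(control, max_attribute, answers)
    total = failed = 0
    critical_failures: List[str] = []
    for q in control.questions:
        if q.qid not in asked or q.qid not in answers:
            continue  # not presented, or awaiting an answer
        total += q.weighting
        if answers[q.qid] == "no":
            failed += q.weighting
            if q.critical:
                critical_failures.append(q.qid)
    rating = round(100 * failed / total) if total else 0
    return {"control": control.cid, "risk_rating": rating, "critical_failures": critical_failures}


if __name__ == "__main__":
    # Constructed supplier: two categories, max CIA attribute 2, partial answers.
    supplier_answers = {"Q1": "no", "Q1b": "no", "Q3": "yes", "Q4": "yes"}
    for cid in controls_for_supplier(["Cloud hosting", "Data processing"]):
        print(score_control(CONTROLS[cid], 2, supplier_answers))
```

Running the block shows control C2 listed once despite appearing in both categories, Q2 withheld from a supplier whose max attribute is 2, Q1b revealed only because Q1 was answered No, and Q1 surfacing as a critical failure alongside the control's risk rating.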


Please also see Supplier Risk Management - Video Guides
