Overview
The Assessments feature allows organizations to send security questionnaires to monitored vendors, track responses, and maintain documentation for third-party risk management and compliance requirements.
This feature helps organizations:
- Meet third-party monitoring compliance requirements for vendor security assessments
- Quickly collect information from vendors following a breach or ransomware event
- Maintain an audit trail of vendor responses and supporting documentation
- Track assessment coverage and completion status across all monitored vendors
Assessments can be created manually, scheduled on a recurring basis, or automatically triggered when a vendor breach or ransomware event is detected.
Best Practices
To maximize the value of the Assessments feature:
- Send annual assessments to critical/high risk vendors
- Use event-based assessments after breach & ransomware alerts (Hack Alerts)
- Require document uploads for evidence collection (e.g., SOC 2 Type 2 reports, security policies)
- Monitor the Assessment Dashboard regularly
- Use our standard templates, or create your own, to standardize vendor security reviews
Accessing the Assessments Module
Navigate to: Business → Third Party → Assessments
This section contains all functionality related to vendor security assessments, including:
- Creating and managing assessments
- Tracking assessment progress
- Creating custom assessment templates
- Configuring automated assessment triggers
- Reviewing assessment analytics and compliance dashboards
Create New Assessments (Assessments → Assessments)
This page allows you to create and manage vendor security assessments.
Assessments can be sent as one-time requests or recurring assessments depending on your vendor oversight requirements.
Creating a New Assessment
To create a new assessment:
- Navigate to Business → Third Party → Assessments → Assessments
- Complete the assessment configuration fields.
Company to Assess
Select a vendor from your Third Party Watchlist by searching for its domain and choosing the correct vendor from the results that populate.
Assessment Name
Provide a descriptive name for the assessment.
Examples:
- Vendor Security Review – 2026
- ACME Vendor Breach Follow-Up
Template
Select an assessment template to define the questionnaire.
Available default templates include:
- Ransomware Assessment (20 questions): Designed to evaluate vendor exposure following a ransomware attack.
- Incident Assessment (20 questions): Designed to evaluate vendor exposure following any confirmed data breach.
- Short Complete Assessment (20 questions): A brief security assessment focused on core cybersecurity controls.
- Complete Assessment (123 questions): A comprehensive vendor security assessment covering a broad range of security controls.
Custom templates can also be created at: Business → Third Party → Assessments → Templates
Invite Emails
Enter the email addresses of vendor contacts who should complete the assessment.
Multiple emails can be added using:
- One email per line
- Comma + space separated
- Semicolon + space separated
Each invited contact will receive an email from HackNotice allowing them to:
- Create an account or log in
- Complete the questionnaire
- Upload requested documentation (such as SOC 2 reports)
Due Date
Set the deadline for completing the assessment.
The vendor will be notified of this deadline, and it will be used to determine overdue assessments in the dashboard.
Assessment Cycle
Select how frequently the assessment should be sent.
Available options include:
- One-time
- Quarterly
- Semi-annual
- Annual
Recurring assessments will automatically resend based on the selected cycle.
Risk Tier
Assign a risk tier for reporting and audit tracking.
Default tiers include:
- Critical
- High
- Medium
- Low
You can also define custom tiers.
Create the Assessment
Click Create Assessment to send the assessment invitation to the selected recipients.
Once created:
- The assessment appears in the Assessments list
- Recipients will receive an email invitation
- Recurring assessments will be scheduled automatically
Viewing Existing Assessments
Existing assessments appear at the bottom of the page in the Assessments table.
You can:
- Search for assessments using the search bar
- Click View to open a specific assessment
- Click Delete to remove an assessment
Review Existing Assessments (Assessments → Timeline)
The Timeline view provides a centralized overview of assessment activity and responses.
This page allows you to monitor:
- Assessment progress
- Vendor responses
- Uploaded documentation
- Compliance activity history
Assessment Compliance Log
The compliance log shows all assessments with the following details:
- Assessment name
- Vendor company
- Status
- Risk tier
- Due date
- Completion status
Click any assessment to view its full details.
Viewing an Assessment
Opening an assessment allows you to review:
- Assessment configuration
- Vendor responses
- Uploaded documents
- Assessment notes
- Audit history
From this page you can also:
- Edit the assessment
- Delete the assessment
Event Audit Trail
The Event Audit Trail records key events across all assessments, including:
- Document uploads
- Vendor responses
- Assessment updates
This provides a complete audit history for compliance and internal review purposes.
Create & Edit Custom Assessment Templates (Assessments → Templates)
Templates allow you to create reusable questionnaires for vendor assessments.
Navigate to: Business → Third Party → Assessments → Templates
Creating a Template
To create a template:
- Enter a Template Name
- Add a Description
- Add questions using one of the following methods
Option 1: Import Templates
Templates can be imported using:
- JSON files
- CSV files
This allows organizations to upload existing vendor questionnaires.
Option 2: Add Questions Manually
Questions can be added one at a time.
Supported response types include:
- Text
- Yes / No
- Multiple Choice
- Rating
You can also mark questions as Required.
Framework Tagging
Templates can optionally reference a framework name for internal categorization.
Editing Templates
Existing templates appear in the Assessment Templates list.
You can:
- Open a template to edit it
- Copy an existing template to create a new version
Create Incident Assessments & Global Preferences (Assessments → Preferences)
The Preferences page allows administrators to configure global assessment automation.
Navigate to: Business → Third Party → Assessments → Preferences
Event-Based Assessment Triggers
Assessments can be automatically created when vendor security incidents are detected.
Breach Trigger: Enable "Create assessment on new breach" to automatically generate an assessment whenever a monitored vendor has a new Hack Alert indicating a breach.
- If toggled on, select the template that will be used for these assessments.
Ransomware Trigger: Enable "Create assessment on ransomware event" to automatically generate an assessment when a monitored vendor is identified in a ransomware attack alert.
- If toggled on, select the template that will be used for these assessments.
Assessment Scheduling
Global scheduling rules can be configured based on vendor risk tiers.
Settings include:
- Default assessment duration (days)
- Assessment frequency by risk tier
- Default templates by tier
These settings allow organizations to enforce automated security review cycles across vendors.
For example:
- Critical vendors → Annual full assessment
- Medium vendors → Annual short assessment
Click Save Preferences after making changes.
Assessment Dashboard
Navigate to: Dashboards → Assessments
This dashboard provides a high-level overview of vendor assessment activity and compliance coverage.
Assessment Status
Displays the number of assessments by status:
- Not Started
- In Progress
- Completed
- Overdue
Company Coverage
Shows how many vendors on your Third Party Watchlist have received assessments.
Vendors listed as Not Assessed have not yet been sent an assessment.
Summary Metrics
Displays key metrics including:
- Total assessments sent
- Total monitored vendors
- Assessment completion rate
- Overdue assessment rate
Assessments by Risk Tier
Breakdown of assessments by risk tier classification.
Not Assessed Companies
Lists vendors that are currently monitored but have not yet received an assessment.
This helps identify gaps in vendor security review coverage.
Overdue Assessments
Displays any assessments that have passed their due date without completion.