Overview

Vendor risk assessments are the core mechanism for evaluating the security and compliance posture of your third-party vendors. Each assessment uses a structured questionnaire that covers multiple domains, and responses are scored using a domain-weighted formula to produce an overall risk level.

Assessment Lifecycle

1. Create Assessment

Create a new assessment by selecting a vendor and a questionnaire template. Templates define the domains, questions, and scoring weights used for the assessment. You can seed default templates or create custom ones.

2. Share with Vendor

Generate a shareable link and send it to the vendor. The vendor can access the questionnaire without logging in, fill in responses, upload supporting documents, and declare their subprocessors — all through the shared link.

3. Vendor Completes Questionnaire

The vendor answers each question in the assessment. Questions support multiple response types: yes/no, multiple choice, scale ratings, free text, and file uploads. Each question includes guidance text and framework references.

4. Calculate Score

Once responses are submitted, the system calculates the domain scores and overall risk score using the template’s weighting configuration. The score determines the risk level (critical, high, medium, or low).

5. Internal Review

An internal reviewer examines the vendor’s responses, uploaded documents, and calculated scores. The reviewer can approve, reject, or request changes to the assessment.

Assessment Statuses

Status      | Description
Draft       | Assessment created but not yet started or shared
In Progress | Questionnaire has been shared and the vendor is responding
In Review   | Vendor has submitted responses and the assessment is awaiting internal review
Approved    | Internal reviewer has approved the assessment
Rejected    | Internal reviewer has rejected the assessment with notes
Expired     | The assessment has passed its review date without completion

Questionnaire Templates

Templates define the structure and scoring methodology for assessments. Each template contains:
  • Domains — logical groupings of questions (e.g., Security, Privacy, Business Continuity)
  • Questions — individual items within each domain with type, guidance, and framework references
  • Weights — relative importance of each domain in the overall score calculation
  • Risk thresholds — score ranges that map to risk levels

Seeding Default Templates

LowerPlane provides built-in questionnaire templates covering common assessment scenarios. Navigate to the Templates tab on the Risk Assessments page and click Seed Default Templates to add them to your organization.

Creating Custom Templates

You can create custom templates tailored to your specific vendor assessment needs. Define your own domains, questions, and scoring weights to match your organization’s risk methodology.

Question Types

Yes / No

Binary questions with clear positive or negative answers. Most commonly used for compliance checks.

Multiple Choice

Select one answer from a predefined list of options. Useful for categorical assessments.

Scale Rating

Numeric rating on a defined scale. Used for maturity assessments and capability evaluations.

Free Text

Open-ended text responses for detailed explanations and context.

File Upload

Upload supporting documents directly within the questionnaire response.

Domain-Weighted Scoring

Each assessment template assigns weights to its domains. The overall score is calculated as a weighted average:
Overall Score = sum(Domain Score x Domain Weight) / sum(Domain Weights)
For example, if a template has three domains:

Domain              | Weight | Score
Security Controls   | 40%    | 85
Privacy Practices   | 35%    | 70
Business Continuity | 25%    | 90

The overall score would be: (85 x 0.40) + (70 x 0.35) + (90 x 0.25) = 34 + 24.5 + 22.5 = 81

Because the weights here sum to 100%, dividing by sum(Domain Weights) leaves the result unchanged. If a template's weights do not sum to 100%, the division normalizes them, so only the relative size of the weights matters.

Risk Levels

The overall score maps to a risk level based on configurable thresholds:
Risk Level | Default Threshold | Action Required
Critical   | Score below 40    | Immediate remediation or vendor replacement
High       | Score 40-59       | Remediation plan required within 30 days
Medium     | Score 60-79       | Monitor and review at next assessment cycle
Low        | Score 80-100      | Standard monitoring, no immediate action

Risk level thresholds are configurable per template. Adjust them to match your organization’s risk tolerance. The default bands are written as whole-number ranges; a weighted average can land on a fraction (for example 59.5), so check how your template rounds or bounds scores before relying on a band edge.
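The following is an added example, not LowerPlane's own code, that carries the weighted-average formula and the threshold mapping above through in working code. It takes the per-domain scores as given (the page does not describe how a domain score is derived from individual responses) and treats each threshold as an inclusive lower bound, so that 40 is High and 39.9 is Critical; that boundary rule, and the requirement that the lowest band start at 0, are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Domain:
    """One scored domain of a template.

    weight is a relative weight (40, 35, 25 and 4, 3.5, 2.5 are equivalent);
    score is the domain score on a 0-100 scale.
    """
    name: str
    weight: float
    score: float


@dataclass(frozen=True)
class RiskThreshold:
    """Assumption for this example: min_score is an inclusive lower bound.
    A score maps to the band with the highest min_score it reaches."""
    level: str
    min_score: float


# The page's default bands: below 40 critical, 40-59 high, 60-79 medium, 80-100 low.
DEFAULT_THRESHOLDS: List[RiskThreshold] = [
    RiskThreshold("critical", 0),
    RiskThreshold("high", 40),
    RiskThreshold("medium", 60),
    RiskThreshold("low", 80),
]


def overall_score(domains: List[Domain]) -> float:
    """Overall Score = sum(Domain Score x Domain Weight) / sum(Domain Weights)."""
    if not domains:
        raise ValueError("a template needs at least one domain")
    for d in domains:
        if d.weight < 0:
            raise ValueError(f"negative weight for domain {d.name!r}")
        if not 0 <= d.score <= 100:
            raise ValueError(f"domain score out of range for {d.name!r}: {d.score}")
    total_weight = sum(d.weight for d in domains)
    if total_weight <= 0:
        raise ValueError("domain weights must sum to a positive value")
    return sum(d.score * d.weight for d in domains) / total_weight


def validate_thresholds(thresholds: List[RiskThreshold]) -> List[RiskThreshold]:
    """Reject a threshold set that could leave a score without a band."""
    if not thresholds:
        raise ValueError("at least one risk band is required")
    ordered = sorted(thresholds, key=lambda t: t.min_score)
    if ordered[0].min_score != 0:
        raise ValueError("the lowest band must start at 0 so every score maps somewhere")
    bounds = [t.min_score for t in ordered]
    if len(set(bounds)) != len(bounds):
        raise ValueError("two bands share the same lower bound")
    if len({t.level for t in ordered}) != len(ordered):
        raise ValueError("two bands share the same level name")
    return ordered


def risk_level(score: float, thresholds: List[RiskThreshold] = DEFAULT_THRESHOLDS) -> str:
    """Map a 0-100 score to the band whose lower bound it has reached."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    level = None
    for band in validate_thresholds(thresholds):
        if score >= band.min_score:
            level = band.level
    return level


def assess(domains: List[Domain], thresholds: List[RiskThreshold] = DEFAULT_THRESHOLDS) -> dict:
    """Convenience wrapper returning both the score and its risk level."""
    score = overall_score(domains)
    return {"score": score, "level": risk_level(score, thresholds)}


if __name__ == "__main__":
    # Constructed input: the three-domain example from the page.
    example = [
        Domain("Security Controls", 40, 85),
        Domain("Privacy Practices", 35, 70),
        Domain("Business Continuity", 25, 90),
    ]
    print(assess(example))
```

Running the block on the page's three-domain example yields a score of 81.0 and the Low band. Using weights 4, 3.5 and 2.5 instead of 40, 35 and 25 produces the same score, which is the practical consequence of dividing by the weight sum. A template whose custom bands do not start at 0 is rejected by validate_thresholds rather than silently returning no level.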

Sharing Assessments

The Share tab on each assessment detail page allows you to generate a shareable link. When a vendor accesses this link, they can:
  • View and respond to all questionnaire questions
  • Upload supporting documents (SOC 2 reports, certifications, policies)
  • Declare subprocessors with data categories and hosting locations
  • Save progress and return later to complete the assessment
You can also send the share link via email directly from the platform. The vendor receives an email with instructions and a direct link to the questionnaire.
Because the link grants access to the questionnaire without a login, anyone who obtains it can read and edit the vendor's responses. Send it only to the intended vendor contact, and use the Share tab to manage the link if it is forwarded or exposed.

Inherent vs. Residual Risk

Each assessment tracks two risk scores:
  • Inherent Risk Score — the risk level before any controls or mitigations are applied, based on the vendor’s data handling and business criticality
  • Residual Risk Score — the risk level after accounting for the vendor’s security controls, certifications, and mitigations as evaluated through the questionnaire
The difference between inherent and residual scores indicates the effectiveness of the vendor’s control environment.

Assessment Tabs

The assessment detail page is organized into five tabs:
  • The questionnaire itself, organized by domain. Each question shows the response type, guidance text, framework references (e.g., ISO 27001 A.8.1, SOC 2 CC6.1), and the vendor’s response.
  • Documents uploaded by the vendor as part of the assessment, including compliance certifications, audit reports, and policies.
  • Third-party subprocessors declared by the vendor, with data categories, hosting locations, and risk levels.
  • Internal discussion thread for reviewers to collaborate on the assessment findings.
  • Generate and manage the shareable link for the vendor to access the questionnaire.

Vendor Classification

Before creating a full assessment, you can run an automated vendor classification. This feature analyzes the vendor’s profile and recommends a risk tier, helping you decide whether a full assessment is necessary or if a lighter review is sufficient.

Exporting Assessments

Export completed assessments for offline review or audit purposes. The export includes all questions, responses, scores, and reviewer notes in a downloadable format.
Assessment exports may contain sensitive vendor information. Ensure exported files are handled according to your organization’s data classification policies.