What if I Answer "No" or "N/A" on an Assessment Question?
As the Third Party member works to complete our assessment, there may be questions where a "No" or "N/A" (Not Applicable) response is appropriate.
- An "N/A" response will simply remove the item from the risk analysis process. To ensure the relevance and clarity of assessment data for customers, any control marked as N/A in an assessment questionnaire must include an external comment. The comment should explain why the control does not apply.
- A "No" response indicates 0% coverage for the Control Group, Control Family, Control, or Sub-Control (depending on the level at which the "No" was applied), as well as 0% coverage for the questions that were skipped (again, depending on the tier level). Any "No" answer has the potential to be displayed as a high-risk gap based on the relevant attack scenarios when conducting risk identification.
Note: Neither of these responses will require evidence for validated assessments.