Assessment Setup: Custom Questionnaire Template

You can create custom questionnaires to use in Bitsight VRM. These questionnaires are included in assessments as artifacts. The creation process has three steps:

1. Download the VRM Questionnaire Template (v4, 18-FEB-2026). This Excel file contains example data and guidelines to help you complete the template.
2. Delete the example data and fill in the questionnaire fields.
3. Attach the completed template to a Support ticket. Bitsight Support will facilitate the process of entering the questionnaire into VRM.

This process can be used to create questionnaires to share with vendors or internal questionnaires. Specify in your Support request which type of questionnaire you are creating. Once a custom questionnaire is added to VRM, you can share it internally or with your vendors depending on your choice.

To modify, add, or delete a question on the questionnaire, send an updated template with the new version name specified on the first column to Bitsight Support to have a new version of the questionnaire created.

Questionnaire Instructions

The VRM Questionnaire Template is a downloadable Excel spreadsheet. It is made up of columns of data that our Support team will use to generate your questionnaire.

• On the Questionnaire Template tab, review the data examples already entered into the template. Delete these examples before completing the template yourself.
• On the Guidelines tab, review the following descriptions for the columns in the template and how they should be filled in.
• The QuestionType tab shows examples of existing question types that can be used, including details on how the answers are weighted.

Columns

Columns in the template, their descriptions, and instructions for filling out the Questionnaire Template form.

* Required.

Additional Notes

Notes to help our Support team create your questionnaire. These notes are not uploaded to VRM, but instead help us understand the details of any custom questions types you’d like to include.

BitsightRiskVectors

Bitsight risk vectors mapped to the corresponding question. A Total Risk Monitoring subscription is required to access this data.

Values:

• dkim (DKIM)
• ssl_certificates (SSL Certificates)
• ssl_configurations (SSL Configurations)
• open_ports (Open Ports)
• patching_cadence (Patching Cadence)
• insecure_systems (Insecure Systems)
• server_software (Server Software)
• desktop_software (Desktop Software)
• mobile_software (Mobile Software)
• dnssec (DNSSEC)
• mobile_application_security (Mobile Application Security)
• web_appsec (Web Application Security)
• botnet_infections (Botnet Infections)
• spam_propagation (Spam Propagation)
• malware_servers (Malware Servers)
• unsolicited_comm (Unsolicited Communications)
• potentially_exploited (Potentially Exploited)
• file_sharing (File Sharing)
• data_breaches (Security Incidents)
• spf (SPF)

CategoryName

* Required.

The CategoryName (section) of the survey name that will be displayed on the left side of the screen.

Instructions: All questions within a category should be added together—don’t mix questions across categories.

Example values:

• General, Access Control
• Security Incidents
• Threat Management
• BC/DR

Description

A description of the question for vendor reference or additional answer instructions. It is visible in the final questionnaire.

Example values:

• 1.2
• AAAI-15 - An answer of "yes" should be well-supported in the comments.

DocumentsRequired

Indicates that a document must be uploaded.

Instructions: We recommend that you use this sparingly since this column is not conditional.

Values:

• 1 if required. The vendor's response is considered complete only after the document is uploaded.
• 0/blank if not required.

ID

* Required.

The ID associated with a question. This is not visible in the final questionnaire.

• Parent questions have a whole number or alphabetical IDs.

• Example:

  • 1
  • 2
  • 3

  Example:

  • A
  • B
  • C

• The IDs of child questions begin with the parent’s ID, followed by a period (.) , and then another character in sequence.

• Example:

  • 1.1
  • 1.2
  • 1.3

  Example:

  • A.A
  • A.B
  • A.C

NotesRequired

Indicates that a note is required.

Instructions: This value is not needed for the Free form String question type, as it is already a text response. We recommend that you use this sparingly since this column is not conditional.

Values:

• 1 if required. The vendor's response is considered complete only after the note is added.
• 0/blank if not required.

ParentAnswerToShowChild

For child questions only. The specific answer that triggers the child question.

Values:

• Yes
• No

Instructions:

• This value must match the QuestionType value of the parent.
• Parent and child questions must be in the same category.

If multiple parent answers should trigger the child, separate them using a vertical bar (|). Make sure there are no extra spaces before and after the vertical bar.

ParentQuestionID

The ID associated with a question. This is not visible in the final questionnaire. Since parent and child questions must be in the same category, this parent question ID triggers the child question.

Values: Parent questions have a whole number or alphabetical IDs.

Example:

• 1
• 2
• 3

Example:

• A
• B
• C

Instructions: Provide the ID of the parent question.

Priority

* Required.

The priority associated with the question. Priority is measured with a scale of 0 to 4.

Values:

• 0 = None

• This is assigned to the Free form String question type because we cannot score the vendor’s response.

• 1 = Low
• 2 = Medium
• 3 = High
• 4 = Critical

Question

* Required.

The question.

Instructions: Questions should ask one thing.

Example values:

• Is Multi-Factor Authentication (MFA) utilized?
• Does the policy or procedure for information handling include encryption requirements?

QuestionType

* Required.

The type of question to create. We have many existing question types and can create custom ones as needed.

Existing question types:

• Text

• This must have a Priority of 0.

• Yes/No/NA
• Yes/No/NA - No is Good
• Yes/No/NA-Credit All
• Yes/No/Partially
• Yes/No
• Yes/No - No is Good
• Yes/No - Credit All
• Date

Instructions:

Select an existing question type or create a custom question type.

• Use the QuestionType tab to create a custom question type. Name custom question types in a clear way to indicate what the data collected is and for who.
• For custom question types, use clear naming in this column and enter the rest of the details in the Additional Notes column.
  • Name
  • Type
    • Multiple select: multiple options can be selected at the same time.
    • Multiple choice: only one option can be selected.
  • One or more answer Value
  • One or more answer Weight

• Include a weight for each option.

SurveyName

* Required.

The name of the survey. This column will match the survey name in VRM.

Instructions: Enter the SurveyName for each question.

Example values:

• Saperix Questionnaire
• Saperix Questionnaire V2
• Saperix Vendor Assessment
• Saperix Security Review