Questions - the Building Blocks of an Assessment

Assessments consist of a list of questions and a list of targets where you want to ask those questions. There are many different types of assessments, but to do most of them, you need to start with questions. SaltyCloud can pre-populate your instance of Isora GRC with all of the questions you need if you want to use a well-known assessment framework (such as NIST 800-53, CMMC, GLBA, HECVAT, VPAT and many others). But if you want to do your own unique assessments, you'll need to start with questions first.

Because the number of questions can get unwieldy, Isora GRC groups them in several ways to make them easier to work with. Question categories provide a way to organize questions into a hierarchy. The categories used are driven by the types of assessments being done. For example, the "campus-wide risk assessment" category could include a sub-category "physical security." Because one question can lead to another, questions support a parent-child relationship, so depending on the answer given to question A, another question B can be included in a survey. For example, if a user answers yes to "Does the system require password authentication?", they might be asked "Do passwords need to be changed every 90 days?" Questions are further grouped into question lists, so when you finally create an assessment, all of the questions needed are pulled together in one place.

To make assessments fully customizable, Isora GRC also allows you to customize the potential answers to questions. You can create different answer choices and assign them values for scoring purposes. Each answer choice includes a multiplier for determining how answers will be scored. Then you group them into answer response groups. There are default choices and default response groups. But if you want to get fancy, you can create your own.
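As an added example (not Isora GRC's own code or data model), the Python below models the objects the preceding paragraphs describe: a response group of answer choices with multipliers, a question with a category and parent-child links, expansion of a question list from the answers given so far, and scoring. The per-question weight and the score = weight * multiplier rule are assumptions, as are all field names.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added model of the question objects described above, not Isora GRC's own code.
# Field names, weights and the score = weight * multiplier rule are assumptions.
@dataclass(frozen=True)
class AnswerChoice:
    label: str
    multiplier: float                  # scoring multiplier for this choice
@dataclass
class ResponseGroup:                   # answer choices grouped for reuse
    name: str
    choices: Dict[str, AnswerChoice]   # keyed by answer label
@dataclass
class Question:
    qid: str
    text: str
    category: str                      # category path, e.g. "risk assessment/physical security"
    response_group: ResponseGroup
    weight: float = 1.0                # assumed base points for the question
    # Child questions, keyed by the parent answer label that pulls them in.
    children: Dict[str, List["Question"]] = field(default_factory=dict)

def expand_question_list(questions, answers):
    """Questions that belong in the survey so far: a child appears only once its
    parent has been answered with the label the child is attached to."""
    included = []
    for q in questions:
        included.append(q)
        children = q.children.get(answers.get(q.qid), [])
        included.extend(expand_question_list(children, answers))
    return included

def score_survey(questions, answers):
    """Sum weight * multiplier over answered questions; reject labels outside the group."""
    total = 0.0
    for q in expand_question_list(questions, answers):
        label = answers.get(q.qid)
        if label is None:
            continue                   # unanswered questions contribute nothing
        if label not in q.response_group.choices:
            raise ValueError(f"{q.qid}: {label!r} not in response group {q.response_group.name}")
        total += q.weight * q.response_group.choices[label].multiplier
    return total

# Constructed sample data built around the example question pair from the text.
YES_NO = ResponseGroup("yes/no", {"yes": AnswerChoice("yes", 1.0), "no": AnswerChoice("no", 0.0)})
ROTATION = Question("Q2", "Do passwords need to be changed every 90 days?", "risk/access", YES_NO)
AUTH = Question("Q1", "Does the system require password authentication?", "risk/access", YES_NO,
                weight=2.0, children={"yes": [ROTATION]})
QUESTION_LIST = [AUTH]
```

Answering Q1 with "yes" pulls Q2 into the expanded list; any other answer leaves the list at Q1 alone, and a label that is not in the question's response group is rejected rather than silently scored as zero.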

The following flow chart demonstrates how question lists are constructed.

Figure 8.1 - Question Objects