OneTrust - Assessment Stages

OneTrust uses “stages” to track the progress of requests and assessments. These stages include “Not Started”, “In Progress”, “Under Review”, and “Completed”.

Not Started – means the assessment request or assessment questionnaire has been created, but no data has been entered. 

In Progress – means the assessment request or assessment questionnaire has been started, data has been entered, but it hasn't been submitted.

Under Review - the assessment request or assessment questionnaire has been completed and submitted. It is now in the hands of the Risk & Compliance team for next steps.

Completed - the assessment request or assessment questionnaire has been reviewed by an Analyst, and is on to the next steps of the Risk Assessment process.

image2020-10-13_10-50-45


When should a OneTrust assessment request or assessment questionnaire be in the “Not Started” stage?

Cybersecurity Risk Assessment Requests (Intake Form) are launched in the “Not Started” stage. This indicates the respondent has opened the form, but has not responded to any questions. “Not Started” is also the begining stage for new assessment questionnaires. It indicates the assessment has been created, but no questions have been answered.

image2020-10-13_10-50-54

When should a OneTrust assessment request or assessment questionnaire be in the “In Progress” stage?

Cybersecurity Risk Assessment Requests (Intake Form) are actively being completed when in the “In Progress” stage. This indicates the user has opened the form, has responded to questions, but has not submitted their request. “In Progress” is also a stage for assessment questionnaires. It indicates the assessment has some questions that have been answered, but it has not been submitted.

image2020-10-13_10-51-4

When should a OneTrust assessment request or assessment questionnaire be in the “Under Review” stage?

When in the “Under Review” stage, a Cybersecurity Risk Assessment Request (Intake Form) is now in the hands of the Risk Management & Compliance (RMC) team, and is either awaiting assignment to an RMC Analyst, or responses are actively being reviewed by an Analyst to determine next steps. Multiple Risk Analysts can be assigned. For assessment questionnaires, “Under Review” indicates the respondent(s) has answered all of the assessment questions and has submitted them for review by an RMC Analyst. In this stage, RMC Analysts are reviewing responses to ensure questions are answered completely and accurately. Once the assessment request or assessment questionnaire has been reviewed by the Analyst, it is either Accepted or Rejected.

                Accepted – the assessment request or assessment questionnaire contained all the information needed to move to next steps. Next steps may be:

                                Cybersecurity Risk Assessment Request – marked as accepted when responses are enough to determine the assessment that is needed, such as Request to Procure (RTP), Joint Security & Privacy Review (JSPR), etc. Next step is for the assigned RMC Analyst to launch an Assessment Questionnaire.

                                Assessment Questionnaire – marked as approved when all of the provided responses are acceptable to write the risk report. Next step is for the RMC Analyst to produce the Risk Report, and respondents to start mitigating identified Risks.

                Rejected - the assessment request or assessment questionnaire DID NOT contain all the information needed to move to next steps.

image2020-10-13_10-51-16

When should a OneTrust assessment request or assessment questionnaire be in the “Completed” stage?

A Cybersecurity Risk Assessment Request (Intake Form) is marked as “Completed” (Accepted) when it contains all the information required to determine the assessment for the request. After a Cybersecurity Risk Assessment Request is “Completed” the assigned RMC Analyst launches the appropriate assessment questionnaire for the assessment. An assessment questionnaire is marked as “Completed” (Accepted) when all the questions have been satisfactorily answered and the Risk Report is ready to be written.



KeywordsOneTrust, RMC, Risk, Compliance, Assessment, Stages   Doc ID114233
OwnerPeter V.GroupCybersecurity
Created2021-10-12 09:03:21Updated2021-11-16 09:25:08
SitesOffice of Cybersecurity
Feedback  1   1