As the third party works to complete our assessment, there may be questions where a "No" or "N/A" response is appropriate.
- An "N/A" response will simply remove the item from the risk analysis process.
- A "No" response indicates 0% coverage for the Control Group, Control Family, Control, or Sub-Control (depending on the level at which the "No" was applied), as well as 0% coverage for the questions that were skipped (again, depending on the tier level). Any "No" answer has the potential to be displayed as a high-risk gap based on the relevant attack scenarios when conducting risk identification.
Note: Neither of these responses will require evidence for validated assessments.