Just a question? When all documentation is received such as questionnaire , Soc 2 Type 2 reports, etc and you are ready to start your assessment- do you only look at those items that are relevant to the use case , or do you assess their security posture over all. Also do any of you use a template as a part of assessing the vendors so the process is repeatable each time?