Introduction
Organizations of every size rely on third‑party vendors to deliver products, services, and even critical infrastructure. Yet each external relationship introduces its own set of security, privacy, and compliance risks. This questionnaire gives procurement, vendor‑management, and security teams a practical, repeatable way to evaluate those risks—whether you’re onboarding a new supplier, conducting an annual review, or reacting to a material change in a vendor’s environment. Use the standard set of sections for most vendors and the tiered add‑on for high‑risk or mission‑critical partners.
Purpose & Scope
This questionnaire assesses vendor security posture across critical domains to inform risk decisions in third‑party relationships. It includes both a standard version for all vendors and a tiered approach for high‑risk or critical suppliers.
Instructions
Who: Procurement, Vendor Management, or Security Teams
When: During vendor onboarding, annually for active vendors, or upon significant changes
How: Distribute via secure portal; review responses against risk thresholds; request supporting evidence (audit reports, policies, test summaries) for answers in the critical sections rather than relying on self-attestation alone; follow up on gaps
Vendor Risk Assessment Questionnaire
Section 1: Vendor Profile
| # | Field | Guidance | Value |
|---|---|---|---|
| 1 | Vendor Name | Legal name of the vendor organization | [Vendor Name] |
| 2 | Primary Contact | Name, title, email, phone for security inquiries | [Primary Contact] |
| 3 | Services Provided | Description of goods/services being procured | [Services Provided] |
| 4 | Data Classification | Highest sensitivity of data shared (Public, Internal, Confidential, Restricted) | [Data Classification] |
| 5 | Data Residency | Geographic locations where data is stored/processed | [Data Residency] |
| 6 | Criticality Tier | Tier 1 (Critical), Tier 2 (Important), Tier 3 (Standard) | [Criticality Tier] |
Section 2: Data Handling & Privacy
| # | Field | Guidance | Value |
|---|---|---|---|
| 7 | Data Encryption at Rest | Encryption standards used for stored data (e.g., AES-256) | [Encryption Standard] |
| 8 | Data Encryption in Transit | Protocols used for data transmission (e.g., TLS 1.2+) | [Transit Encryption] |
| 9 | Data Retention Policy | How long data is retained and disposal methods | [Retention Policy] |
| 10 | Privacy Compliance | Applicable regulations (GDPR, CCPA, HIPAA, etc.) and compliance status | [Privacy Compliance] |
| 11 | Data Subject Rights | Process for handling data access/deletion requests | [DSR Process] |
| 12 | Subprocessor Management | Controls over third‑party subprocessors (approvals, assessments) | [Subprocessor Controls] |
Section 3: Access Controls & Identity
| # | Field | Guidance | Value |
|---|---|---|---|
| 13 | Authentication | MFA requirements for administrative/privileged access | [MFA Details] |
| 14 | Authorization | Principle of least privilege implementation | [Authorization Model] |
| 15 | Privileged Access Management | PAM solution usage and controls | [PAM Details] |
| 16 | User Provisioning/Deprovisioning | Timelines for access grants and revocations | [Provisioning SLAs] |
| 17 | Access Review Frequency | How often access rights are reviewed (quarterly, etc.) | [Review Frequency] |
| 18 | Single Sign‑On | SSO capabilities (SAML, OIDC) and enforcement | [SSO Details] |
Section 4: Infrastructure & Network Security
| # | Field | Guidance | Value |
|---|---|---|---|
| 19 | Network Segmentation | Isolation of sensitive data environments | [Segmentation Details] |
| 20 | Vulnerability Management | Scanning frequency and remediation SLAs | [VM Program] |
| 21 | Patch Management | Timeline for critical/security patch deployment | [Patch Timeline] |
| 22 | Endpoint Protection | EDR/AV solutions deployed on corporate devices | [Endpoint Protection] |
| 23 | Secure Configuration | Baseline standards (CIS Benchmarks) compliance | [Config Standards] |
| 24 | Cloud Security | CSPM/CWPP usage and shared responsibility clarity | [Cloud Controls] |
Section 5: Monitoring & Incident Response
| # | Field | Guidance | Value |
|---|---|---|---|
| 25 | Security Monitoring | SIEM/log management and 24x7 SOC capabilities | [Monitoring Details] |
| 26 | Incident Response Plan | Existence and testing frequency of IR plan | [IR Plan Details] |
| 27 | Breach Notification | Timeline for notifying customers of incidents | [Notification Timeline] |
| 28 | Forensic Capabilities | Ability to preserve/log evidence for investigations | [Forensic Readiness] |
| 29 | Cyber Insurance | Coverage limits and proof of policy | [Insurance Details] |
| 30 | Third‑Party Audits | Right to audit clause and recent audit reports | [Audit Rights] |
Section 6: Business Continuity & Resilience
| # | Field | Guidance | Value |
|---|---|---|---|
| 31 | BCDR Plan | Existence and last test date of the business continuity and disaster recovery plan | [BCDR Details] |
| 32 | RTO/RPO | Recovery Time/Point Objectives for critical services | [RTO/RPO] |
| 33 | Alternate Sites | Geographic redundancy of critical infrastructure | [Site Redundancy] |
| 34 | Data Backups | Frequency, encryption, and isolation (air‑gap/immutability) | [Backup Strategy] |
| 35 | Supply Chain Resilience | Critical dependencies and alternative sourcing | [Supply Chain Info] |
| 36 | Force Majeure | Contractual clauses for unforeseen disruptions | [Force Majeure Terms] |
Section 7: Compliance & Governance
| # | Field | Guidance | Value |
|---|---|---|---|
| 37 | Security Framework | Primary framework(s) followed (ISO 27001, SOC 2, NIST, etc.) | [Framework] |
| 38 | Certification Status | Current certifications and expiration dates | [Certifications] |
| 39 | Internal Audits | Frequency of internal security audits/assessments | [Audit Frequency] |
| 40 | Policy Availability | Whether security policies can be shared for review (on request, under NDA, or not at all) | [Policy Access] |
| 41 | Security Training | Mandatory security awareness training frequency | [Training Program] |
| 42 | Background Checks | Screening standards for employees/contractors | [Background Check] |
| 43 | Vendor Management | Own TPRM program and critical vendor oversight | [Vendor Program] |
Section 8: Application Security (if applicable)
| # | Field | Guidance | Value |
|---|---|---|---|
| 44 | SDLC Security | Secure development lifecycle practices (SAST, DAST, SCA) | [SDLC Details] |
| 45 | Third‑Party Components | Open‑source usage and vulnerability tracking | [SBOM/SCA] |
| 46 | API Security | Authentication, rate limiting, and coverage of the OWASP API Security Top 10 | [API Controls] |
| 47 | Web Application Firewall | WAF deployment and rule management | [WAF Details] |
| 48 | Penetration Testing | Frequency and scope (external/internal/app) | [PT Program] |
| 49 | Bug Bounty / Vulnerability Disclosure | Existence of a published vulnerability disclosure policy and, if any, a bug bounty program | [Bounty Program] |
| 50 | Change Management | Controls for production changes (testing, approvals) | [Change Process] |
Tiered Assessment Guidance
Standard Tier (All Vendors): Complete Sections 1‑7
Tiered Add‑On for High/Critical Vendors:
- Complete all sections (1‑8)
- Require a recent SOC 2 Type II report or a current ISO 27001 certificate
- Right to conduct on‑site assessment
- Quarterly risk review cadence
Scoring & Risk Rating
- Each “No” or incomplete answer in an in-scope section = 1 point (Section 8 is scored only when the vendor is required to complete it)
- Double the points for the critical sections (Data Handling & Privacy, Access Controls & Identity, Monitoring & Incident Response), so a gap there = 2 points
- Risk Rating:
- 0‑5: Low
- 6‑15: Medium
- 16‑25: High
- 26+: Critical
How to Use This Questionnaire
- Collect Responses – Send the form to the vendor’s security point of contact and set a clear deadline (typically 10‑14 business days).
- Score Answers – Apply the point system above; double‑weight the three critical sections.
- Tier the Vendor – Map the total score to the risk rating scale, then place the vendor in the Low, Medium, High, or Critical risk tier. This risk tier is distinct from the business criticality tier recorded in Section 1: criticality decides how much of the questionnaire applies, the risk rating decides the follow-up.
- Determine Follow‑Up –
- Low: Archive the completed questionnaire; schedule a routine review next year.
- Medium: Request remediation plans for every “No” or incomplete answer; set a 30‑day follow‑up.
- High: Conduct a deeper technical assessment or on‑site audit; involve legal for contract clauses.
- Critical: Escalate to senior leadership, require independent audit evidence, and consider alternative suppliers if remediation is not feasible.
- Document Decisions – Record the final rating, any mitigation actions, and the next review date in your TPRM tool or risk register.
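The scoring rules and the Score/Tier/Follow-Up steps above are easy to get subtly wrong in a spreadsheet (forgetting the double weight, or counting an out-of-scope Section 8 gap). The following scorer, added here as an example and not part of the original questionnaire, applies them end to end: it takes a response sheet keyed by question number, scopes the sections by the vendor's criticality tier, weights the three critical sections double, maps the total to the rating bands and returns the follow-up action. The section/question ranges, weights, bands and actions come from the page; the response format (question number to "yes", "no" or blank), the rule that Tier 1 vendors get the full Section 1-8 scope, and the sample responses are assumptions of this example.

```python
"""Scorer for the Vendor Risk Assessment Questionnaire above.

Applies: 1 point per "No" or incomplete answer, double points in the
critical sections, rating bands 0-5 / 6-15 / 16-25 / 26+, and the
follow-up action for each rating. Example code, not from the original page.
"""
from typing import Dict, List, Optional, Tuple

# Question-number ranges per section, as laid out in the questionnaire.
SECTIONS: Dict[int, Tuple[str, range]] = {
    1: ("Vendor Profile", range(1, 7)),
    2: ("Data Handling & Privacy", range(7, 13)),
    3: ("Access Controls & Identity", range(13, 19)),
    4: ("Infrastructure & Network Security", range(19, 25)),
    5: ("Monitoring & Incident Response", range(25, 31)),
    6: ("Business Continuity & Resilience", range(31, 37)),
    7: ("Compliance & Governance", range(37, 44)),
    8: ("Application Security", range(44, 51)),
}
CRITICAL_SECTIONS = {2, 3, 5}  # double-weighted by the scoring rules
RATING_BANDS = [(5, "Low"), (15, "Medium"), (25, "High")]  # above: Critical
FOLLOW_UP = {
    "Low": "Archive; routine review next year",
    "Medium": "Remediation plan for each gap; 30-day follow-up",
    "High": "Deeper technical assessment or on-site audit; involve legal",
    "Critical": "Escalate to leadership; require independent audit evidence",
}

Answer = Optional[str]  # "yes", "no", or None/"" when incomplete


def sections_in_scope(criticality_tier: int) -> List[int]:
    """Assumption: Tier 1 (Critical) vendors complete Sections 1-8,
    every other tier completes the standard set, Sections 1-7."""
    return list(range(1, 9)) if criticality_tier == 1 else list(range(1, 8))


def weight_of(question: int) -> int:
    """2 points for a gap in a critical section, otherwise 1."""
    for sec, (_, questions) in SECTIONS.items():
        if question in questions:
            return 2 if sec in CRITICAL_SECTIONS else 1
    raise ValueError(f"question {question} is not in the questionnaire")


def is_gap(answer: Answer) -> bool:
    """A 'No' or a missing/blank answer counts as a gap."""
    return answer is None or str(answer).strip().lower() in ("", "no")


def score(responses: Dict[int, Answer],
          criticality_tier: int) -> Tuple[int, List[Tuple[int, str, int]]]:
    """Return (total points, gaps); each gap is (question, section, points).
    In-scope questions absent from `responses` are treated as incomplete."""
    total, gaps = 0, []
    for sec in sections_in_scope(criticality_tier):
        name, questions = SECTIONS[sec]
        for q in questions:
            if is_gap(responses.get(q)):
                points = weight_of(q)
                total += points
                gaps.append((q, name, points))
    return total, gaps


def rating(total: int) -> str:
    """Map a total to the page's rating bands."""
    for upper, label in RATING_BANDS:
        if total <= upper:
            return label
    return "Critical"


def max_score(criticality_tier: int) -> int:
    """Worst case (every in-scope question is a gap); shows how far the
    rating bands stretch for the chosen scope."""
    return sum(weight_of(q) for sec in sections_in_scope(criticality_tier)
               for q in SECTIONS[sec][1])


def assess(responses: Dict[int, Answer], criticality_tier: int) -> dict:
    total, gaps = score(responses, criticality_tier)
    label = rating(total)
    return {"score": total, "max": max_score(criticality_tier),
            "rating": label, "follow_up": FOLLOW_UP[label], "gaps": gaps}


# Constructed sample (not real vendor data): a Tier 2 vendor answering "yes"
# everywhere except a few controls, with question 15 (PAM) left blank.
SAMPLE_RESPONSES: Dict[int, Answer] = {q: "yes" for q in range(1, 51)}
SAMPLE_RESPONSES.update({8: "no", 13: "no", 15: "", 27: "no", 42: "no", 48: "no"})

if __name__ == "__main__":
    result = assess(SAMPLE_RESPONSES, criticality_tier=2)
    print(f"Score {result['score']}/{result['max']} -> {result['rating']}: "
          f"{result['follow_up']}")
    for q, section, points in result["gaps"]:
        print(f"  Q{q:02d} ({section}): {points} pt")
```

For the sample, the Tier 2 scope yields 9 points (four critical-section gaps at 2 points each plus one in Compliance & Governance), a Medium rating; the Section 8 gap is ignored because that section is out of scope for the tier. `max_score` is worth running once when you adopt the scale: the standard scope tops out at 61 points and the full scope at 68, so the Critical band (26+) is reachable but only by a vendor failing a substantial share of the controls.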
Key Takeaways
- A structured questionnaire speeds up vendor risk onboarding and creates a repeatable evidence trail.
- Scoring and tiering let you focus resources on the vendors that pose the greatest risk.
- Regularly revisit scores—risk profiles change as vendors adopt new technologies or face incidents.
- Pair the questionnaire with contractual clauses (right to audit, breach notification) to enforce accountability.
Next Steps
- Integrate the questionnaire into your existing procurement workflow so it becomes a mandatory checkpoint.
- Train the procurement and security teams on interpreting scores and escalating findings.
- Automate scoring where possible—use a simple spreadsheet or GRC platform to calculate risk ratings instantly.
- Review the questionnaire annually or whenever a major regulatory change occurs; keep it aligned with your organization’s risk appetite.
Conclusion
By completing this Vendor Risk Assessment Questionnaire and applying the scoring framework, you gain a clear, quantitative view of each supplier’s security posture. Use the results to prioritize remediation, negotiate stronger contractual protections, and maintain an ongoing, data‑driven third‑party risk program. Keep the questionnaire up to date, revisit it annually, and integrate it with your broader governance, risk, and compliance (GRC) processes to protect your organization from supply‑chain threats.
Version: 1.0 | Owner: GRC Team | Review Cycle: Annual or upon regulatory/framework changes