3 Cybersecurity IT Risk Assessment Templates

Brian Thomas | October 3, 2019

This post was originally published January 21, 2016 and has been updated for accuracy and comprehensiveness

If you’re in the beginning stages of building your comprehensive vendor risk management plan, you’re likely looking for something that will help you get started with your vendor risk assessments. That’s a big task—but it doesn’t need to be daunting. 

In this blog we’ve included templates that can help you create a personalized vendor cybersecurity IT risk assessment questionnaire. Each of these resources provides examples of vendor risk assessments and includes a series of questions that can help probe an organization’s governance and approach to cybersecurity. 

Developed by experts with backgrounds in cybersecurity IT risk assessment, each template is easy to understand. There are, however, no quick fixes. Personalizing your cybersecurity IT risk assessment template requires careful thought and planning by your organization’s security, risk management, and executive leaders. 

What is a Cybersecurity IT Risk Assessment?

When it comes to improving cybersecurity at your organization, there are some fixes that you can undertake with very little preparation. More robust remediation efforts, however, usually start with a cybersecurity IT risk assessment.

Risk assessment involves taking steps to understand any flaws or vulnerabilities in your network, and what steps you can take to remediate them. It’s important because it ensures you focus your energies on choosing the right controls that are appropriate to the risk faced by your organization or industry.

It’s possible to do your own assessment, or you can outsource it to third-party consultants who perform assessments sometimes as a stand-alone service and sometimes as the first step in a larger end-to-end cybersecurity engagement. 

Cybersecurity Risk Assessment Templates

Let’s take a look at the CIS Critical Security Controls, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and our very own “40 Questions You Should Have In Your Vendor Security Assessment” ebook.

1. CIS Critical Security Controls

The CIS Critical Security Controls (formerly known as the SANS Top 20) was created by public and private sector experts. This practical guide to getting started quickly and effectively with a security program is widely considered the “gold standard” of security practices today. It was designed as a list of technology best practices that organizations can implement to address their most critical cybersecurity vulnerabilities.

2. NIST Cybersecurity Framework

Another public and private sector collaboration, the NIST Cybersecurity Framework was developed with the goal of simplifying the security assessment and governance process. It is based on many international practices and standards, including NIST 800-53 and ISO 27001. The CIS Critical Security Controls are also reflected in this framework.

NIST is designed for owners and operators of critical infrastructure, but it can be used by anyone. The great thing about it is that it incorporates governance and technology issues, whereas the CIS Critical Security Controls is more focused on technology alone. NIST’s dual approach makes it a very popular framework.

3. eBook: 40 Questions You Should Have In Your Vendor Cybersecurity IT Risk Assessment

We promised that these cybersecurity IT risk assessment templates would help you get started quickly, and we’re sticking by that. So if you’re looking to jump-start this process, our eBook — 40 Questions You Should Have in Your Vendor Cybersecurity IT Risk Assessment — is a perfect place to begin. We blended together the NIST and SANS frameworks to come up with a specific list of 40 important questions that you may consider including in your vendor questionnaire.

Of course, this eBook isn’t nearly as comprehensive as the previous templates. There are thousands of possible questions represented in the NIST and SANS templates, but it isn’t always easy to identify which are the most important. And that’s where this simplified eBook can come in handy. Once you review it, you’ll likely have a better idea of which questions are critical and why they’re vital to good cybersecurity management and monitoring practices.

In Conclusion

The bottom line is that if you’re tackling cybersecurity IT risk assessment, you may be overwhelmed by the mission ahead of you. But our best advice is to take a deep breath and simply get started. The templates above are written in terms that most people can understand—so all you need to do is make sure the right people are in the room and get started. Best of luck!
