3 Information Security Risk Assessment Templates

Melissa Stevens | January 21, 2016

If you’re in the beginning stages of building your comprehensive vendor risk management plan, you’re likely looking for something that will help you get started with your vendor risk assessments. That’s a big task—but it doesn’t need to be daunting. Here are a few things you should know before you begin:

  • The templates below are not pre-made questionnaires that you can simply copy and paste and be done with. Rather, they are comprehensive documents with hundreds (and thousands) of possible question ideas that can be used to create a personalized vendor risk assessment questionnaire. Thus, it’s important to keep your own industry, organization, and vendors in mind as you gather pertinent security questions.
  • All three of these are examples of risk assessments that ask a series of questions about an organization’s governance and approach to cybersecurity. The first two have been put together and designed by experts with backgrounds in assessing cybersecurity practices, and all three are designed to be consumed by the masses. So while there will be a lot of material to comb through, you should be able to understand it all quite easily.
  • Creating an information security risk assessment template for your organization isn’t a quick or easy process. You can’t expect to show up to work at 9 a.m. and have your document written and completed before lunch. Instead, expect your company’s leadership to spend many hours across several days reading through these three templates.

With that being said, let’s take a look at the CIS Critical Security Controls, the NIST Cybersecurity Framework, and our very own “40 Questions You Should Have In Your Vendor Security Assessment” ebook.

1. CIS Critical Security Controls

The CIS Critical Security Controls (formerly known as the SANS Top 20) were created by experts in the private sector and in government. They are a practical guide to getting started quickly and effectively with a security program and are widely considered the “gold standard” of security practices today. They were designed as a list of best practices, from both a technology and a process standpoint, that organizations can implement to address the most critical security weaknesses. They were created as a response to other security risk assessments that ran hundreds of pages long.

2. NIST Cybersecurity Framework

The NIST (National Institute of Standards and Technology) Cybersecurity Framework was created by the government and the private sector as a way of simplifying the security assessment and governance process. It is based on many international practices and standards, including NIST SP 800-53 and ISO 27001. The CIS Critical Security Controls are also reflected in this framework.

The NIST framework is designed for owners and operators of critical infrastructure, but it can be used by anyone. The great thing about it is that it covers both governance and technology issues, whereas the CIS Critical Security Controls are focused more on technology alone. This dual approach makes NIST a very popular framework.

3. “40 Questions You Should Have In Your Vendor Security Assessment” Ebook

We promised that these information security risk assessment templates would help you get started quickly, and we’re sticking by that. So if you’re looking to jump-start this process, our latest ebook is a perfect place to begin. We blended together the NIST and SANS frameworks to come up with a specific list of 40 important questions that you may consider including in your vendor questionnaire.

Of course, this ebook isn’t nearly as comprehensive as the previous templates. There are thousands of possible questions represented in the NIST and SANS templates, but it isn’t always easy to identify which are the most important. And that’s where this simplified ebook can come in handy. Once you review it, you’ll likely have a better idea of which questions are critical and why they’re vital to good cybersecurity practices.

In Conclusion

The bottom line is that if you’re tackling information security risk assessment templates, you may be overwhelmed by the mission ahead of you. But our best advice is to take a deep breath and simply get started. Again, the templates above are written in terms that most people can understand—so all you need to do is make sure the right people are in the room and get started. Best of luck!
