If you’re developing a vendor risk management (VRM) plan from scratch or looking to scale your existing program, a cybersecurity IT risk assessment template can help you get started.
Fortunately, you have options. In this blog, we’ve listed several templates, frameworks, and checklists that can help you create a personalized vendor cybersecurity IT risk assessment questionnaire. Each of these resources provides examples of vendor risk assessments and includes a series of questions that can help probe your third parties’ governance and approach to cybersecurity.
What is a cybersecurity IT risk assessment?
When you onboard new vendors, you also assume any cyber risk associated with that organization. And that risk is growing. Today, 62 percent of network intrusions that organizations experience originate with a third party.
It’s essential that you develop ways to assess vendor risk—both during the onboarding process and for the life of the relationship.
Because most companies work with dozens if not hundreds of vendors, a useful starting point is to tier your vendors according to their criticality to your business and the level of access they have to sensitive data. Then, perform the appropriate assessment according to the tier’s risk. This ensures you’re focusing your resources where they are most needed and not introducing roadblocks into the onboarding or annual security assessment process.
Cybersecurity IT risk assessment templates
There are several industry-standard cyber risk assessment templates you can leverage to screen your vendors.
1. CIS Critical Security Controls
The Center for Internet Security (CIS) has developed a set of 18 standards—known as CIS Critical Security Controls—you can use to gauge the effectiveness of your own and your vendors’ cybersecurity programs.
The controls are prioritized into three implementation groups (IGs). Each IG identifies a set of safeguards that organizations should implement based on their risk profiles and available resources. The controls include best practices such as actively inventorying enterprise assets, establishing and maintaining the secure configuration of these assets, managing user credentials, continuous vulnerability management, and more.
Although not a template per se, the CIS Critical Security Controls are easy to understand and a useful baseline for building any vendor checklist. Read more in: CIS Critical Security Controls: What are They and How Can You Meet These Standards?
2. NIST cybersecurity framework
The NIST Cybersecurity Framework is intended to simplify any security assessment and governance process. It is based on many international practices and standards, including NIST 800-53 and ISO 27001. The CIS Critical Security Controls are also reflected in this framework.
The NIST framework is available in PDF or Excel in a matrix format, making it easy to adapt or incorporate into a vendor IT risk assessment template. NIST also provides a Quick Start Guide with direction on how to use the framework.
The great thing about NIST’s framework is that it incorporates both governance and technology issues, whereas the CIS Critical Security Controls are more focused on technology alone. NIST’s dual approach makes it one of the most popular cybersecurity frameworks.
Useful tools and resources to help you get started
CIS and NIST frameworks are invaluable for developing a cybersecurity IT risk assessment template. If you’re looking to jumpstart the process, we’ve assembled several resources and tools that can help.
- How to Create a Vendor Risk Management Checklist: Use it to capture relevant information from your vendors during the onboarding process. The checklist can help you assess your vendor risk assessment protocols, security controls, incident response plans, and governance.
- 40 Questions You Should Have in Your Vendor Cybersecurity IT Risk Assessment: We blended the NIST and SANS frameworks to come up with a specific list of 40 important questions you may consider including in your vendor questionnaire.
- Vendor Due Diligence Checklist: 5 Steps to Selecting a Third-Party: Because vendor risk extends beyond cyber risk, we created a due diligence checklist that includes baseline information your risk assessment template should capture about your vendors to better inform procurement decision-making.
Don’t stop there. Continuously assess and manage risk
As your vendor portfolio grows, effective VRM is essential. Rather than rely on point-in-time security assessments or audits, you must continuously monitor your vendors’ security postures.
Bitsight VRM is a scalable, end-to-end VRM program that continually detects, monitors, and mitigates vendor risk. It goes beyond initial assessments and checklists to constantly assess and act on vendor risk. It also aligns seamlessly to business growth, handling thousands of vendors as efficiently as ten.
Learn more about how Bitsight VRM provides unmatched visibility into your digital supply chain, measuring and monitoring third-party security controls, and aligning your VRM program to your risk tolerance and organizational goals.