IT Risk Assessment Template: 40 Questions To Ask Your Vendors

This post was originally published November 12, 2015 and has been updated for accuracy and comprehensiveness

There are so many necessary steps involved in creating a comprehensive vendor risk management (VRM) program. Since we understand how much of a time investment it is to get your VRM program up and running — and because we acknowledge that vendor cybersecurity should be a top priority — we’ve created this guide that offers 40 questions ask your vendors and a cybersecurity IT risk assessment template.

Why Create a Cybersecurity IT Risk Assessment?

You know that understanding the cybersecurity posture of your vendors is vital when you’re getting involved in third-party business relationships. If you want to create a scalable and sustainable vendor risk management (VRM) program, it’s important to include a security risk assessment component.

But what you may not know is which high-level questions you should consider including in your vendor security assessment. You’re probably wondering what to include, which frameworks to use, and why you should be including certain questions and not others. These are all valid concerns!

Our goal is to help you get started with the creation of your vendor security risk assessment so you can establish a third-party risk management program that you can feel confident in. This is not intended to be an out-of-box security assessment solution, but rather, a guide to get you headed in the right direction. We’ll explain the top three frameworks you should be examining, questions you may want to consider (and why you should consider them), and what else to include in your VRM program.

Getting Started With Your Cybersecurity IT Risk Assessment Template

Every organization — and every vendor — is unique. Thus, many circumstances will warrant the creation of customized cybersecurity risk assessment questionnaires. But we suggest relying on the expertise of others for high-level questions (rather than reinventing the wheel yourself) and using industry-accepted best practices as a starting point for your cyber risk assessment.

There are three industry-standard security assessment methodologies you can start with:

1. The SANS (System Administration, Networking, and Security Institute) Top 20 Critical Security Controls — a short list of controls developed by security experts based on practices that are known to be effective in reducing cyber risks.
2. The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity — combines a variety of cybersecurity standards and best practices together in one understandable document.
3. Shared Assessments — an organization that develops cybersecurity IT risk assessment questionnaires for use by its members.

Between these three methodologies, there are literally thousands of questions that you could use. For instance, if you go to the SANS Top 20 Critical Security Controls page and select “Malware Defenses,” there are 11 items beneath it that could all represent their own separate questions. Of course, we can’t fit all of that information here. The idea behind this guide is to give you an idea of the high-level, critical questions you should consider asking your vendors in your risk assessment.

40 Questions You Should Have In Your Vendor Cybersecurity IT Risk Assessment

From governance and organizational structure to security controls and technology, this ebook will walk you through the high-level questions you shouldn’t leave out of your vendor cybersecurity IT risk assessment. Additionally, we’ve provided important context around every question in the ebook, so you can understand why we’ve included these questions and why including them in your IT risk assessment template may be a good idea.

Some sample questions include:

1. Have you participated in a cybersecurity exercise with your senior executives?
2. When was the last time you had a cybersecurity risk assessment performed by a third-party organization? What were the results?
3. Do you have automated tools that continuously monitor to ensure malicious software is not deployed?

In this ebook, we also answer tough questions about whether a security risk assessment alone offers enough visibility into your vendor and how you can make sure your security program is effective.