A Vendor Risk Management Questionnaire Template

Brian Thomas | September 3, 2019

IT Risk Assessment Questions for Third Parties

Digital relationships with third-party vendors increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said they have experienced a data breach caused by one of their vendors or third parties (up 12% since 2016). 

Can questionnaires keep you adequately informed about your third-party risk?

A vendor risk management questionnaire (also known as a third-party risk assessment questionnaire or vendor risk assessment questionnaire) is designed to help organizations identify potential weaknesses among vendors and partners that could result in a breach.

Unfortunately, questionnaires can only offer a snapshot of a vendor’s cybersecurity stance. Systems change, departments are outsourced, and policies are rewritten, so the risk presented by a single vendor is constantly shifting.

If you plan to scale, a sustainable third-party risk management (TPRM) program needs to include more than just questionnaires. Risk should be monitored on a continuous basis, using tools such as security ratings to keep your organization up to date on your vendors’ shifting risk positions.

Still, questionnaires have a place in the TPRM ecosystem that’s unlikely to change, particularly during the onboarding process. According to a 2018 EY study, 72% of companies use industry-standard questionnaires (or have built their own by using a standard as a baseline). 

In this blog post, we’ll give you a basic third-party risk assessment template, and provide you with some sample questions to work from.

Where to start

No two organizations are exactly alike, and the same applies to vendors. Therefore, questionnaires should ideally be tailored not only to your particular industry, but to each vendor as well. Considering which (and how much) data each vendor has access to, in addition to past performance indicators, can help you customize security questions.

There are standard best practices to use as a starting point for the high-level items in your questionnaires. Here are three industry-standard security assessment methodologies you can start with:

  1. The SANS (System Administration, Networking, and Security Institute) Top 20 Critical Security Controls — a short list of controls developed by security experts based on practices that are known to be effective in reducing cyber risks.
  2. The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity — combines a variety of cybersecurity standards and best practices together in one understandable document.
  3. Shared Assessments — an organization that develops assessment questionnaires for use by its members.

You can extract thousands of potential questions from these frameworks, and alter them to align with your organization’s priorities. Make sure that your questionnaire also covers any additional areas of concern for your particular industry, such as compliance with specific federal and state laws and regulations.

Vendor risk assessment template

Here are some questions from a sample vendor management questionnaire, broken up by topic:

Governance and Organizational Structure

  1. Who is responsible for cybersecurity within the organization?
  2. Is there a chief information security officer (CISO)?
  3. Is there a cross-organizational committee that meets regularly on cybersecurity issues?
  4. Have you participated in a cybersecurity exercise with your senior executives?
  5. How do you prioritize your organization’s most critical assets?
  6. How do you specifically protect customer information?
  7. Have you ever experienced a significant cybersecurity incident? Please define and describe it.
  8. What types of cybersecurity policies do you have in place in your organization today?
  9. Do you outsource any IT or IT security functions to third-party service providers? If so, who are they, what do they do, and what type of access do they have?
  10. How frequently are your employees trained on your IT security policies, and do you use automated assessments?

Security Controls and Technology

  1. How do you inventory authorized and unauthorized devices and software?
  2. Have you developed secure configurations for hardware and software?
  3. How do you assess the security of the software that you develop and acquire?
  4. What processes do you use to monitor the security of your wireless networks?
  5. Do you have data recovery capabilities?
  6. Do you have automated tools that continuously monitor to ensure malicious software is not deployed?
  7. Describe the processes and tools you use to reduce and control administrative privileges.
  8. What processes do you have in place to prevent the exfiltration of sensitive data, particularly sensitive customer data like ours?
  9. How do you plan and prepare for a cybersecurity incident? What processes do you have in place to respond to an incident? Do you regularly exercise those processes?
  10. Do you conduct regular external and internal tests to identify vulnerabilities and attack vectors, including penetration testing, red team exercises, or vulnerability scanning?
  11. From whom do you receive cyberthreat and cyber vulnerability information and how do you use that information?
  12. How do you manage remote access to your corporate network?
  13. Do you have a removable media policy and controls to implement the policy?
  14. How do you monitor for unauthorized personnel, connections, devices, and software?
  15. Describe the process you have in place to communicate to us security incidents affecting our data.

Need more sample questions? Download our ebook, 40 Questions You Should Have in Your Vendor Security Assessment.

The future of questionnaires

Questionnaires have historically been a vital part of cybersecurity, but now the industry has to adapt to even more complex, rapidly evolving cyber risks.

Vendor management questionnaires are just one component of a robust, multifaceted TPRM program. They can’t provide a complete picture of third-party risk, and should be supplemented with other solutions as the cyber risk landscape continues to change. 

With a comprehensive and consistent TPRM strategy, organizations can identify potential third-party vulnerabilities and mitigate risk.
