Vendor Risk Questionnaire

Sixty questions across four sections (security controls, compliance and audit, data handling and privacy, business continuity and incident notification). This is the working questionnaire we use on third-party risk assessments. It is deliberately shorter than SIG or CAIQ so the answers come back in weeks, not months, and every question earns its place. Use it as-is, or cut it further to match the risk tier of the vendor you are evaluating.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

Why most vendor risk programs fail

Most vendor risk programs fail in one of three ways. The first is size: either the program is too small to matter (a one-page attestation that every vendor passes in a day) or it is so large that it collapses under its own weight (a 400-question SIG Core that takes the vendor three months to answer, by which point the procurement deadline has passed and the questionnaire is approved on faith). The useful middle is a targeted instrument that captures the signals that actually differentiate a safe vendor from a risky one, and that a vendor can answer in a reasonable number of business days.

The second failure mode is treating a completed questionnaire as a decision. A questionnaire is a starting point. It documents what the vendor asserts. The decision is made by comparing the answers to supporting evidence (SOC 2 reports, penetration test summaries, architecture diagrams) and by following up on the questions that the vendor skipped, hedged, or answered in marketing language rather than operational terms. The questionnaire is diagnostic, not conclusive.

The third failure mode is one-and-done assessment. Vendors change. Products change. The risk posture a vendor had at onboarding will differ from the posture a year later. Any program worth running has a re-assessment cadence keyed to the data and criticality of the relationship. Highly sensitive vendors re-assess annually at minimum. Critical vendors re-assess every six months.

For the broader regulatory context on third-party oversight, see the FFIEC IT Examination Handbook, particularly the Outsourcing Technology Services and Third-Party Relationships booklets, and the NIST work on cybersecurity supply-chain risk management.

How to use this questionnaire

Tier the vendor first. A marketing SaaS that never touches customer data is a different risk conversation from a processor that sees full customer records. Assign tiers based on data category, access scope, and operational criticality. The 60 questions below are sized for a tier-1 or tier-2 vendor (vendors with access to customer data or production systems). For tier-3 vendors (no sensitive access), subset the questions heavily. For tier-0 vendors where failure would halt the business, supplement with an architecture review and an executive reference call.

Send the questionnaire with a clear deadline and clear format expectations. Ask for evidence attachments where the answer references an artifact (SOC 2 report, pen test summary, BCP test results). Do not accept answers like "yes" without the supporting document. A vendor that cannot produce the evidence within two weeks is a vendor whose program is not operating at the level their marketing suggests.

Map answers to a scoring model that forces a decision. Risk-accept, risk-mitigate-then-accept, or reject. The instrument is useful only if it resolves to an action. See the scoring guidance later in this page.

If your organization relies on vCISO support for vendor reviews, share the completed questionnaire and the vendor's supporting evidence with the reviewer at the same time. The questionnaire alone is diagnostic, and the value of an experienced reviewer is in how they read the answers alongside the evidence.

Section A: Security controls (15 questions)

  1. A1. Is MFA enforced for all employees with access to customer data or production systems? If so, which factors are supported, and is phishing-resistant MFA (FIDO2, WebAuthn, hardware) available for privileged roles?
  2. A2. Describe the identity provider architecture. Is SSO federation used for employee access to internal SaaS? Are service accounts inventoried and rotated?
  3. A3. How is privileged access granted, monitored, and revoked? Is session recording in place for administrative sessions on production systems?
  4. A4. How frequently are user access reviews performed, and on which systems? Provide the most recent review attestation.
  5. A5. Describe endpoint protection (EDR, MDM) deployed on corporate devices. What coverage percentage do you maintain?
  6. A6. Describe vulnerability management. What scanning frequency do you run on infrastructure and applications? What are your remediation SLAs by severity?
  7. A7. When was the last penetration test performed, by whom, and on what scope? Can you share a summary or executive letter?
  8. A8. How is encryption handled in transit and at rest for customer data? Which cryptographic standards are used, and is key management HSM-backed?
  9. A9. Describe the SIEM or centralized logging architecture. What events are collected, and what is the retention period?
  10. A10. Describe network segmentation between production, corporate, and development environments.
  11. A11. How are secrets (API keys, database credentials) managed? Are they stored in a secrets manager with rotation?
  12. A12. What is the security architecture for public-facing applications (WAF, DDoS protection, rate limiting)?
  13. A13. How is code reviewed and tested before it reaches production? Are branch protections in place on production branches?
  14. A14. Describe your data loss prevention approach for sensitive data moving through email, cloud storage, and endpoint channels.
  15. A15. How often do you conduct security awareness training, and what role-based training is provided to engineers and privileged operators?

Section B: Compliance and audit (15 questions)

  1. B1. Do you hold a current SOC 2 Type II report? Which Trust Services Criteria are in scope, and over what observation window?
  2. B2. Do you hold ISO/IEC 27001 certification? What is the scope of the ISMS, and when is the next surveillance audit?
  3. B3. Do you hold any sector-specific attestations (HITRUST, PCI DSS, FedRAMP, CMMC, HIPAA third-party attestations)? Describe scope and currency.
  4. B4. Provide the bridge letter covering the period between the latest SOC 2 report and today, if applicable.
  5. B5. Do you permit customer audits? What is the typical scope and notice period?
  6. B6. Describe your approach to regulatory change management. Who owns regulatory tracking, and how is it fed into the control program?
  7. B7. Have you had any material findings in the past 24 months in external audits? If yes, summarize and describe remediation.
  8. B8. Are you currently under any regulatory action, consent decree, or enforcement matter relevant to this engagement?
  9. B9. Do you maintain a Business Associate Agreement-ready process if regulated data (PHI, financial) is in scope?
  10. B10. Provide the most recent penetration test executive summary and any independent attestation letter.
  11. B11. Describe your privacy program. Do you maintain records of processing activities? Are Data Processing Agreements in place with sub-processors?
  12. B12. How do you handle cross-border data transfers? What legal mechanisms do you rely on (SCCs, adequacy decisions, consent)?
  13. B13. Describe your subcontractor and sub-processor oversight. How often are they assessed, and what evidence do you retain?
  14. B14. Do you publish a Vulnerability Disclosure Policy or run a bug bounty? What is the median time to remediate reported findings?
  15. B15. Describe the governance structure: who is accountable for the security and compliance program, and what reporting cadence reaches executive leadership?

Section C: Data handling and privacy (15 questions)

  1. C1. What customer data categories will you process under this engagement (PII, PHI, PCI, CUI, other sensitive)?
  2. C2. Where is customer data stored geographically, including backups? Identify the cloud provider, region, and any third-party storage used.
  3. C3. What is the data retention period for customer data, and how is deletion confirmed on contract termination?
  4. C4. How is customer data isolated from other tenants (logical, cryptographic, physical)?
  5. C5. Describe your data classification scheme and how customer data is classified within it.
  6. C6. Who within your organization has access to customer data by default? How is access justified and logged?
  7. C7. Do you use customer data for any purpose beyond delivering the contracted service (training models, analytics, benchmarking)? If so, describe the legal basis and opt-out.
  8. C8. Describe your approach to personal data subject rights (access, deletion, correction) and typical response timelines.
  9. C9. What technical controls prevent data exfiltration (DLP, egress filtering, endpoint controls)?
  10. C10. How are database backups encrypted, retained, and access-controlled?
  11. C11. Describe the secure destruction procedure for storage media, including decommissioned cloud resources.
  12. C12. Do you support customer-managed encryption keys (BYOK) or hold-your-own-key arrangements?
  13. C13. What pseudonymization or tokenization is applied to sensitive fields (PII, PCI) at rest and in logs?
  14. C14. How are logs containing customer data protected? Are sensitive fields redacted before log retention?
  15. C15. Describe your approach to data portability and return on contract termination.

Section D: Business continuity and incident notification (15 questions)

  1. D1. Describe your incident response plan. When was it last updated and last tested?
  2. D2. What is the notification timeline for a security incident that may affect customer data? Provide the contractual commitment.
  3. D3. Who is the designated incident notification contact, and is there a 24x7 channel for customer security teams?
  4. D4. Describe recent security incidents in the past 24 months that affected customer data. What was the root cause and remediation?
  5. D5. Do you maintain cyber insurance? What coverage limits apply, and are customer first-party losses addressable under the policy?
  6. D6. Describe your business continuity plan. What is the last BCP test date, and what were the results?
  7. D7. What are your published RTO and RPO commitments for critical services?
  8. D8. Describe your disaster recovery architecture (multi-AZ, multi-region, provider-independent failover).
  9. D9. When was the last DR failover test, and what was the observed recovery time?
  10. D10. Describe your dependency on single-provider infrastructure (hyperscale cloud, single CDN, single DNS provider).
  11. D11. What is your communication procedure to customers during a prolonged outage?
  12. D12. Describe your approach to pandemic, regional, and workforce-disruption scenarios.
  13. D13. Describe your key-personnel risk management. Is there documented succession for critical security and engineering roles?
  14. D14. What is the escalation path for a supply-chain compromise affecting your product or its dependencies?
  15. D15. Describe your approach to tabletop exercises. How often do you run them, and do customers have visibility to the scenarios tested?

Scoring and risk tiering model

Every answer receives one of four scores:

  1. Satisfactory: the answer is substantive and supported by evidence.
  2. Satisfactory-with-caveat: the answer is substantive, but the supporting evidence is dated or partial.
  3. Concern: the answer is hedged or incomplete, or the vendor declines to provide detail.
  4. Disqualifying: the vendor acknowledges a gap in a control that your program requires.

Each concern-or-worse finding gets a written follow-up question. The follow-up answer either upgrades the score or produces a risk item that feeds the contract negotiation. An unresolved concern is closed in one of three ways: with a contractual mitigation (indemnification, specific SLAs, a cyber insurance requirement), as accepted risk with documented executive approval, or by escalation to a rejection.

Assign a composite score per section. A vendor with multiple concerns across two sections is a different risk profile than one with a single disqualifying finding in one section. Use the section scores to drive the decision conversation with the business owner: the vendor is approved, approved with conditions, or declined, and the reasoning is specific enough to revisit at renewal.
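The tiering rule under "How to use this questionnaire" and the scoring model above, as a small working Python model. This is an example added by the editor, not code from the page or from EFROS. The tier rules and the four-point score scale follow the page; the rule that an unevidenced "yes" is scored as a concern, the specific score-to-decision mapping in `decide()`, and the sample answers are the editor's assumptions.

```python
"""Tiering and scoring model for the vendor risk questionnaire.

Editor's added example, not code from the page or from EFROS. The tier rules
and the four-point score scale follow the page; the evidence rule in
effective_score() and the score-to-decision mapping in decide() are
assumptions for illustration, and the sample answers are constructed.
"""
from dataclasses import dataclass, replace
from enum import Enum, IntEnum
from typing import Dict, List, Optional


class Score(IntEnum):
    SATISFACTORY = 0
    SATISFACTORY_WITH_CAVEAT = 1
    CONCERN = 2
    DISQUALIFYING = 3


class Resolution(Enum):
    OPEN = "open"            # follow-up question sent, finding not yet closed
    UPGRADED = "upgraded"    # follow-up answer (and evidence) upgraded the score
    MITIGATED = "mitigated"  # closed by contractual mitigation (SLA, indemnity, insurance)
    ACCEPTED = "accepted"    # accepted risk with documented executive approval


@dataclass(frozen=True)
class Answer:
    question_id: str                 # "A1" .. "D15"; the leading letter is the section
    vendor_score: Score              # reviewer's initial score of the vendor's answer
    evidence: Optional[str] = None   # attached artifact, or None if the vendor sent none
    resolution: Resolution = Resolution.OPEN


def assign_tier(touches_customer_data: bool, touches_production: bool,
                failure_halts_business: bool) -> int:
    """Tier per the page: 0 if vendor failure would halt the business, 1 or 2 for
    customer-data or production access, 3 for no sensitive access.
    Assumption: customer data puts a vendor in tier 1, production-only access in tier 2."""
    if failure_halts_business:
        return 0
    if touches_customer_data:
        return 1
    if touches_production:
        return 2
    return 3


def effective_score(a: Answer) -> Score:
    """Score after the evidence and follow-up rules are applied."""
    score = a.vendor_score
    # Assumption: a bare "yes" with no supporting document is not satisfactory;
    # it is scored as a concern and gets a follow-up like any other.
    if score == Score.SATISFACTORY and a.evidence is None:
        score = Score.CONCERN
    # A follow-up that upgrades the finding closes it at satisfactory-with-caveat
    # (assumption: it needed a follow-up, so it never lands at plain satisfactory).
    # An upgrade is also the only way a disqualifying finding closes.
    if score >= Score.CONCERN and a.resolution == Resolution.UPGRADED:
        score = Score.SATISFACTORY_WITH_CAVEAT
    return score


def section_composite(answers: List[Answer]) -> Dict[str, Dict[str, int]]:
    """Count of each effective score per section letter, e.g. {"A": {"CONCERN": 1, ...}}."""
    out: Dict[str, Dict[str, int]] = {}
    for a in answers:
        counts = out.setdefault(a.question_id[0], {s.name: 0 for s in Score})
        counts[effective_score(a).name] += 1
    return out


def open_risk_items(answers: List[Answer]) -> List[str]:
    """Question ids at concern-or-worse whose follow-up has not been closed."""
    return [a.question_id for a in answers
            if effective_score(a) >= Score.CONCERN and a.resolution == Resolution.OPEN]


def resolve(answers: List[Answer], question_id: str, resolution: Resolution) -> List[Answer]:
    """Return a copy of the answers with one finding's resolution updated."""
    return [replace(a, resolution=resolution) if a.question_id == question_id else a
            for a in answers]


def decide(answers: List[Answer]) -> str:
    """Force one of the page's three outcomes. The mapping is an assumption:
    a disqualifying finding not upgraded -> declined; a concern still open at
    decision time -> declined (the escalate-to-rejection branch); a concern closed
    by mitigation or accepted risk -> approved with conditions; otherwise approved."""
    scored = [(a, effective_score(a)) for a in answers]
    if any(s == Score.DISQUALIFYING for _, s in scored):
        return "declined"
    if open_risk_items(answers):
        return "declined"
    if any(s == Score.CONCERN and a.resolution in (Resolution.MITIGATED, Resolution.ACCEPTED)
           for a, s in scored):
        return "approved with conditions"
    return "approved"


# Constructed sample return from a hypothetical tier-1 vendor (not real vendor data).
SAMPLE_ANSWERS = [
    Answer("A1", Score.SATISFACTORY, evidence="idp-mfa-policy-export.pdf"),
    Answer("A7", Score.SATISFACTORY, resolution=Resolution.UPGRADED),  # "yes, annually"; summary arrived on follow-up
    Answer("B1", Score.SATISFACTORY_WITH_CAVEAT, evidence="soc2-type2-report-14-months-old.pdf"),
    Answer("C7", Score.CONCERN, resolution=Resolution.MITIGATED),      # model-training use closed by a contract clause
    Answer("D2", Score.CONCERN),                                       # no contractual notification timeline yet
]

if __name__ == "__main__":
    for section, counts in sorted(section_composite(SAMPLE_ANSWERS).items()):
        print(section, counts)
    print("open risk items:", open_risk_items(SAMPLE_ANSWERS))
    print("decision:", decide(SAMPLE_ANSWERS))
    print("after D2 mitigated:", decide(resolve(SAMPLE_ANSWERS, "D2", Resolution.MITIGATED)))
```

With the sample return, D2 is still open, so the decision is "declined" until the notification timeline is written into the contract; once D2 is resolved by mitigation the outcome becomes "approved with conditions", because C7 was closed by a contract clause rather than by an upgraded answer. The per-section counts are what carry into the conversation with the business owner, so the reasoning is specific enough to revisit at renewal.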

For financially regulated environments, see the financial services page for the additional supervisory expectations. Banking regulators and insurance commissioners increasingly expect evidence that third-party programs produce decisions rather than files.

Follow-up and evidence expectations

Evidence requests follow the questionnaire return. The minimum evidence bundle for a tier-1 or tier-2 vendor includes the current SOC 2 Type II report (or equivalent attestation), a penetration test executive summary from the last 12 months, the information security policy, the business continuity plan summary, and the data flow diagram showing where customer data resides and which sub-processors touch it. For a primer on SOC 2 itself see the SOC 2 readiness checklist and the SOC 2 Type II compliance guide.

Read the SOC 2 report with attention. The opinion paragraph is the headline, but the exceptions in the description of tests section are where the real findings live. A report with no exceptions means either the vendor is unusually clean or the observation window was too short to catch real operating events. Either way, ask the vendor about any exceptions and how remediation closed them out.

Treat ISO 27001 certification as a signal, not a conclusion. The scope of the ISMS can be narrow. Read the certification scope statement and compare it to the service you are buying. A certification that excludes the product you are purchasing is of limited value.

Reference the Shared Assessments SIG (Standardized Information Gathering) for a much longer instrument when a vendor is critical enough to warrant it. Use SIG Core or SIG Lite when the relationship justifies the effort. For most tier-2 vendors, the 60 questions above produce the same decision with a fraction of the back-and-forth.