How to Create an Information Security Questionnaire for Vendors | Reciprocity

Published January 19, 2021 | 4 min read

In this article we’ll review how to create an information security questionnaire as a means to assess vendor risk, and to protect your organization from potential cyber-threats that might use your vendors as an attack vector. 

Before we get into how to create an information security questionnaire for vendors, let’s start with what they are. 

What is an information security vendor questionnaire?

An information security questionnaire (also known as a vendor risk assessment questionnaire or vendor security assessment questionnaire) is a standardized set of questions used to vet vendors and manage third-party risk. It’s intended to help identify vulnerabilities at your third-party vendors that could create a risk of data breach for your own organization.

There are five industry-standard security assessment templates that most organizations use to draft their questionnaires. We’ll get into how to create your own in a later section; for now, you can familiarize yourself with the foundational standards.

  • VSAQ: The Vendor Security Alliance Questionnaire was drafted in 2016 by a team of companies dedicated to improving information security. It aims to help organizations supervise their vendors’ security practices. The questionnaire has five sections: data protection, security policy, security measures, supply chain, and compliance.
  • CIS Critical Security Controls: The Center for Internet Security (CIS) is a nonprofit organization that works to protect organizations against cyber attacks. Its questionnaire is a set of 20 actions organizations should take to protect themselves from cybersecurity risks. Additionally, these security controls tie back to many of the significant compliance frameworks, such as ISO 27000, PCI DSS, and GDPR.
  • CAIQ: The Consensus Assessments Initiative Questionnaire was created by the Cloud Security Alliance (CSA) to define best practices for information security in cloud computing environments like SaaS and PaaS. This questionnaire is particularly relevant for cloud service providers.
  • SIGQ: The Standardized Information Gathering (SIG) Questionnaire was created by the Shared Assessments Program and includes resources so organizations can exercise best practices in third-party risk management. It includes sections on cybersecurity, privacy, data security, and business continuity.
  • NIST 800-171: The National Institute of Standards and Technology (NIST) provides guidance on cybersecurity best practices and standards. The NIST 800-171 standard specifically addresses protection of controlled unclassified information (CUI) for non-federal organizations. It has 14 controls that tie directly to NIST 800-53 and ISO 27001. 

Now that you know what an information security vendor questionnaire is, as well as examples of industry-recognized standards, let’s move on to why they’re important.

Why are information security vendor questionnaires important?

Organizations must be safeguarded against data breaches and cybersecurity attacks. Those attacks can come from any direction, so CISOs need a clear understanding of the types of data generated, received, and sent between their organization and its service providers.

For example, if your organization receives, stores, or shares personally identifiable information (PII) or credit card data for a business transaction, that data can be intercepted and sold on the dark web, held for ransom, or used fraudulently.  Therefore, data protection measures are critical to protecting sensitive data and avoiding cyberattacks. 

Through vendor risk assessment questionnaires, you can build robust third-party risk management (TPRM) and information security policies to protect the entire lifecycle of data used by your business—even when that data is in the hands of your vendors directly, or your vendors have access to your corporate networks.

How do you build an information security vendor questionnaire?

We recommend using one of the industry-standard questionnaires we shared earlier. Select one that seems like a good fit generally, and then tailor the questions to suit your organization’s specific requirements. 

Remember: it’s imperative that you tailor the questionnaire to gain a clear picture of your vendor’s data security measures. Also understand that this questionnaire is only one part of a larger effort your organization should make to monitor your vendors. 

What information security and privacy questions should I use on my questionnaire?

To get you started, we’ve included a four-section template for your information security vendor questionnaire, as well as some examples of questions you might include in those sections.

Information security 

  • Does your company use a security program? 
  • If so, what standards do you use to define your program?
  • Does your InfoSec and privacy program cover all operations, services, and systems that handle sensitive data?

Physical security 

  • Is your physical network equipment secured? 
  • If so, what measures are in place to secure your equipment?
  • Do you have a business continuity plan in the event that your office becomes inaccessible?

Web application security

  • Do you have a method in place to identify and report vulnerabilities in your web application?
  • Does your application have a valid SSL certificate?
  • What are your user password requirements?

Infrastructure security

  • How do you keep your server operating systems maintained and patched?
  • Do you have a method in place for identifying and logging security events?
  • Do you have backups of your data? If so, how do you manage and store backups?

What are the downsides of information security vendor questionnaires?

While these questionnaires are vital to your overall InfoSec program, it’s also true that they can be complex and difficult to build and administer. For this reason, organizations often invest in tools to help automate much of the vendor risk assessment process. 

This is particularly important because the questionnaire itself only provides a small glimpse into your overall vulnerability to cyberattacks and data breaches. 

As technology rapidly evolves and your supply chain changes, your security risk does too. As your organization grows, manual management becomes unsustainable. You need the right tools to help your organization evolve at the same rate as your risks.

Your security team needs a tool to automate and scale the processing of vendor cybersecurity risk assessments, and to validate vendors’ claims regarding their own security standards.

How ZenGRC Can Automate Your Information Security Vendor Risk Management

ZenGRC is a cloud-based and on-premises governance, risk, and compliance (GRC) management solution. 

It serves businesses of all sizes in any industry, including technology, retail, consumer goods, health care, and finance. Primary features include audit management, compliance management, contract and policy management, risk assessment, reporting, and vendor management.

With ZenGRC, you can assess and compare vendors by individual responses and risk scores over time and easily report insights to management. 

When it’s time to evaluate a potential vendor, ZenGRC can create a more efficient and less manual risk-based approach to vendor management by defining actions for specific questions, which may spawn multiple workflows to ensure issues are addressed. 

Stress-free vendor management is the Zen way! Learn more by booking a demo today.
