The top 5 vendor risk assessment questionnaires for 2023

A vendor risk assessment questionnaire is a highly effective tool for organizations to identify any potential risks posed by their outside vendors. This kind of questionnaire aims to highlight any security threats or vulnerabilities that could potentially compromise the safety and integrity of the company's data.
Third-party risk management, or TPRM, can be a time-consuming task for any organisation – but it’s critical that you get it right. Developing a bespoke risk assessment process that is tailored specifically to the threats posed by your vendors will help ensure your organisation’s cybersecurity preparedness and the protection of its critical assets.
You can do this by making it a requirement for each of your potential vendors to complete a security questionnaire.
If you’re not sure where to start, don’t worry. When it comes to selecting the right vendor risk assessment questionnaire for each of your vendors, there are many options available to you. You can create a new questionnaire for each vendor, you can re-use existing questionnaires, or you can take advantage of best-practice guidance created by a number of industry-leading organisations.
Top vendor risk assessment questionnaires
To help you get started in developing or improving your TPRM program, we’ve compiled a list of five of the top cyber security vendor questionnaires used in IT vendor security assessments, in alphabetical order. The list was first compiled in 2019 and every questionnaire on it has been revised since, so check the current release of each before adopting it. These supplier security questionnaires can be used in the vendor risk assessment process.
1. Center for Internet Security — CIS Critical Security Controls (CSC)
2. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
3. National Institute of Standards and Technology — NIST SP 800–53
4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG)
5. Vendor Security Alliance — VSA Questionnaire (VSAQ)
What questions should be in a vendor risk assessment questionnaire?
Questions typically cover external threats, internal processes such as password rotation and patch management, and who within the vendor is responsible for ensuring that security controls remain compliant. When planning questions about a vendor’s security practices, make sure to cover your bases fully, and ask for supporting evidence (policies, audit reports, scan results) rather than accepting yes/no answers alone.
Center for Internet Security — CIS Critical Security Controls

The Center for Internet Security (CIS) is a non-profit entity with a global IT community mobilized to protect both public and private organisations from cyber threats. They want to help the wider community tackle issues of internet security, with the appropriate priorities and understanding of industry best practices to back them up.
What is the questionnaire?
The Center for Internet Security publishes the CIS Critical Security Controls, a prioritised set of safeguards for defending systems and the data that flows through them. Because the Controls are derived from observed attacker behaviour across the attack lifecycle, they address the most common ways threats manifest and specify the defensive actions and processes that counter them. They give an organisation a strong baseline to work from during an incident and reduce reliance on any single individual’s judgement in the risk-remediation process. Note that the Controls are versioned: version 7.1 has 20 Controls, while version 8, released in 2021, consolidates them into 18, so check which version a vendor is answering against.
The Controls are broken down into more than 150 sub-controls (called Safeguards in version 8), each of which can be posed to a vendor as a question, and are mapped to a number of widely recognised cybersecurity standards and regulatory frameworks, including NIST SP 800–53, ISO/IEC 27001, PCI DSS and COBIT.
Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment and to promote the secure adoption of cloud computing.
https://cloudsecurityalliance.org/
What is the questionnaire?
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey published by the CSA that cloud customers and auditors can use to assess the security capabilities of a cloud service provider. It gives customers greater transparency into how a provider has implemented its controls, in particular how data is protected, how risk is managed and what the provider plans to implement next.
CAIQ questionnaires can be adjusted to the needs of each user and are intended to be used alongside the CSA Security Guidance and the Cloud Controls Matrix (CCM). The CAIQ consists of a series of Yes/No questions that distil the issues, best practices and control specifications of the Guidance and the CCM, with the aim of establishing a common industry standard for documenting the security controls of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) offerings. The release current when this list was compiled had nearly 300 questions across its risk domains; the count changes between releases (CAIQ v4 is aligned to CCM v4), so confirm which version a provider’s answers correspond to. Many providers publish a completed CAIQ in the CSA STAR registry, which can save you a round of questioning.
National Institute of Standards and Technology — NIST SP 800–53

The National Institute of Standards and Technology applies practical cybersecurity and privacy expertise through outreach and the implementation of standards and best practices, to adapt to the latest changes in the world of technology.
What is the questionnaire?
NIST Special Publication 800-53 is a catalogue of security and privacy controls that helps US federal agencies and their contractors meet the requirements of the Federal Information Security Management Act (FISMA). Its objective is a holistic approach to information security and risk management: it gives organisations the breadth and depth of controls needed to strengthen their information systems and the environments those systems operate in, so that the systems are more resilient to cyber-attacks and other threats.
The control catalogue supports the development of secure and resilient information systems. The controls are the management, operational and technical safeguards used to protect the confidentiality, integrity and availability of those systems and the information they process. Although written for US federal systems, the catalogue is widely used outside government; Revision 5 (2020) dropped ‘federal’ from the title and added privacy controls. Because SP 800-53 is a control catalogue rather than a questionnaire, you must select a baseline (low, moderate or high) and turn the relevant controls into questions yourself, or use one of the other questionnaires in this list, which map back to it.
Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG Core/SIG Lite)

The Shared Assessments Program is ‘the trusted source for third party risk management’. They offer extensive resources, tools and best practices to effectively manage the critical elements of the vendor risk management lifecycle.
https://sharedassessments.org/
What is the questionnaire?
The SIG questionnaire from the Shared Assessments Program is a holistic tool for assessing a third party’s cybersecurity, IT, privacy, data security and business resiliency risk.
SIG Lite (almost 200 questions) provides a ‘broad but high-level understanding about an Assessee’s internal information security controls.’ It suits vendors that only require a basic level of due diligence, or serves as an initial benchmark before a more in-depth assessment.
SIG Core (over 1,200 questions) is the comprehensive assessment, designed for service providers that store or process highly sensitive data, and is meant to give an end-to-end understanding of how that data is handled and secured. Core is mapped to a number of other recognised standards and frameworks, so a completed Core can usually satisfy requests made against those frameworks without a separate questionnaire. The question counts above are from the release current at the time of writing; the SIG is revised annually, so expect them to change.
Vendor Security Alliance — VSA Questionnaire (VSAQ)

The Vendor Security Alliance (VSA) is a not-for-profit committed to improving general Internet security and common vendor-related cybersecurity practices. They recognise the importance of community and the need for widespread awareness in fighting these ever-changing digital threats.
https://www.vendorsecurityalliance.org/
What is the questionnaire?
The Vendor Security Alliance Questionnaire (VSAQ) was first created by a coalition of companies to monitor the security practices of their shared suppliers. It has since become a widely used resource for evaluating third-party cybersecurity and streamlining vendor security compliance. The questionnaire has grown to seven sections, covering the main sources of vendor risk:
– Data protection and access controls
– Security policies and procedures
– Proactive security measures
– Reactive security measures
– Software supply chain management
– Customer-facing application security
– Compliance
Choosing the right cyber security vendor questionnaire
The problem is generally not a lack of capability to deal with these incidents, but the sheer volume of what has to be managed to remain secure. That is why it matters that you choose the right questionnaire from the five covered in this post: security questionnaires are a central tool in your organisation’s TPRM program.
Having said that, security questionnaires continue to improve and become more readily available, so you shouldn’t worry about feeling ‘locked in’ with whichever one you choose. In fact, most of the questionnaires identified in this post are regularly reviewed and updated by experts in the fields of cybersecurity, information security, compliance and risk.
Once you’ve selected a questionnaire or framework to assess and manage third-party risk, 6clicks can help you implement it for maximum success.
The power of 6clicks and the supplier security questionnaires
The 6clicks platform offers users fully licensed versions of these vendor security controls, ready for organisations to harness immediately.
With 6clicks, organisations can access, refine and distribute digitised versions of each of these questionnaires, while also leveraging the benefits of integrated risk assessment data.
Controls can be refined to suit the bespoke requirements of your industry or business but can also be programmed with conditional logic for controls that require it – such as the SIG questionnaires. Each question allows for responses to yes/no and long-form questions, as well as custom response options, where any relevant evidence or documentation can be easily attached.
When sent, each questionnaire is completed as a digital risk assessment, with a unique URL for each of your third parties – allowing for data to inform analytics and required compliance remediation.
See how 6clicks brings together content, AI, and automation to simplify GRC. Take a tour of our platform to see the magic in action.