Overview
Every third-party relationship introduces risk. Suppliers, partners, and service providers all have access to something valuable: your data, your systems, or your customers. This questionnaire provides a standardized way to evaluate the security, privacy, and business continuity capabilities of any third party before onboarding and throughout the relationship lifecycle.
Questionnaire Sections
- Company profile and business context
- Information security governance and policy framework
- Data handling, classification, and protection practices
- Access control and authentication mechanisms
- Network architecture and perimeter security
- Vulnerability management and patching cadence
- Incident response capabilities and breach history
- Business continuity and disaster recovery planning
- Compliance certifications and regulatory obligations
- Subcontractor and fourth-party management practices
Risk Scoring Model
| Domain | Weight | Scoring criteria |
|---|---|---|
| Data Protection | 25% | Encryption, classification, DLP, retention policies |
| Access Control | 20% | MFA enforcement, RBAC, privileged access management |
| Incident Response | 15% | Documented IRP, testing frequency, notification SLAs |
| Compliance | 15% | Active certifications, recent audit results, remediation tracking |
| Business Continuity | 15% | RTO/RPO targets, backup testing, failover capabilities |
| Subcontractor Risk | 10% | Fourth-party inventory, flow-down requirements, monitoring |
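The table above defines a weighted model but does not show how a completed questionnaire turns into a score. The following Python is an added example, not part of the original resource: it applies the table's weights to per-domain ratings, rejects weight sets that do not total 100%, flags weak domains that a healthy total could otherwise hide, and schedules the next reassessment from the relationship's risk tier using the cadence given under "Ongoing Monitoring". The 0-5 per-domain rating scale, the rule that an unanswered domain scores 0, the weak-domain threshold of 3, the exact month counts for the medium and low tiers, and the vendor data are all assumptions.

```python
"""Weighted vendor risk scoring for the questionnaire's scoring model.

Added example. Domain weights come from the Risk Scoring Model table;
the 0-5 rating scale, the "unanswered counts as 0" rule, the weak-domain
threshold and the tier-to-months mapping are assumptions made here.
"""
from dataclasses import dataclass, field
from datetime import date

# Weights (percent) from the Risk Scoring Model table.
WEIGHTS = {
    "Data Protection": 25,
    "Access Control": 20,
    "Incident Response": 15,
    "Compliance": 15,
    "Business Continuity": 15,
    "Subcontractor Risk": 10,
}

# Assumed rating scale per domain: 0 = no control evidenced, 5 = mature and evidenced.
MAX_RATING = 5

# Reassessment cadence in months by inherent risk tier of the relationship
# (page: annually / 18 months / two to three years; 24 and 36 are assumptions).
REASSESS_MONTHS = {"critical": 12, "high": 18, "medium": 24, "low": 36}


@dataclass(frozen=True)
class Assessment:
    vendor: str
    tier: str                                   # inherent risk tier, chosen before scoring
    ratings: dict = field(default_factory=dict) # domain -> rating, 0..MAX_RATING
    assessed_on: date = date.today()


def validate_weights(weights=WEIGHTS):
    """Weights are percentages and must total exactly 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must total 100%, got {total}")
    return total


def weighted_score(ratings, weights=WEIGHTS):
    """Return a 0-100 score: each domain's rating scaled into its weight.

    An unanswered domain contributes 0 (assumption: silence is not evidence),
    and a rating outside 0..MAX_RATING or an unknown domain is rejected.
    """
    validate_weights(weights)
    unknown = set(ratings) - set(weights)
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    score = 0.0
    for domain, weight in weights.items():
        rating = ratings.get(domain, 0)
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"{domain}: rating {rating} outside 0..{MAX_RATING}")
        score += weight * rating / MAX_RATING
    return round(score, 1)


def weak_domains(ratings, threshold=3):
    """Domains rated below the threshold (assumed 3), including unanswered ones.

    A high aggregate can mask one poor domain, so review these individually.
    """
    return sorted(d for d in WEIGHTS if ratings.get(d, 0) < threshold)


def next_reassessment(assessed_on, tier):
    """Date of the next scheduled reassessment for the given risk tier."""
    months = REASSESS_MONTHS[tier]
    years, month_index = divmod(assessed_on.month - 1 + months, 12)
    # Clamp the day so a 29th-31st assessment date never lands on an invalid day.
    return date(assessed_on.year + years, month_index + 1, min(assessed_on.day, 28))


def summarize(assessment):
    """One record suitable for a shared GRC repository."""
    return {
        "vendor": assessment.vendor,
        "tier": assessment.tier,
        "score": weighted_score(assessment.ratings),
        "weak_domains": weak_domains(assessment.ratings),
        "reassess_by": next_reassessment(assessment.assessed_on, assessment.tier),
    }


# Constructed sample: a critical-tier host that left Subcontractor Risk unanswered.
SAMPLE = Assessment(
    vendor="example-cloud-host (constructed)",
    tier="critical",
    ratings={
        "Data Protection": 4,
        "Access Control": 5,
        "Incident Response": 2,
        "Compliance": 4,
        "Business Continuity": 3,
    },
    assessed_on=date(2024, 3, 15),
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The sample scores 67.0 even though one domain is unanswered and Incident Response rates poorly, which is exactly why the record carries the weak-domain list alongside the aggregate: the score sets the overall posture, the list drives the follow-up call described under "How do we handle conflicting or vague vendor responses?".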
Contextualizing for Your Organization
Not every vendor needs the same level of scrutiny. Tailor the depth of your questionnaire to the risk tier of the relationship. A cloud provider hosting customer PII deserves the full questionnaire, evidence requests, and possibly an on-site assessment. A marketing agency with no system access might only need a short-form self-attestation. The key is having a consistent framework that scales with risk without creating unnecessary friction for low-risk partnerships.
Evidence and Verification
Request supporting documentation for critical answers: SOC 2 Type II reports, penetration test summaries, incident response plans, and data flow diagrams. Cross-reference self-reported answers with publicly available information like breach disclosures, security ratings, and compliance databases. Consider using automated third-party risk rating services to supplement the questionnaire with continuous monitoring data.
Ongoing Monitoring
The initial assessment is just the starting point. Establish a reassessment cadence based on risk tier: annually for critical vendors, every 18 months for high-risk, and every two to three years for medium and low-risk relationships. Between assessments, monitor for trigger events like data breaches, leadership changes, financial instability, or regulatory actions that should prompt an ad-hoc review.
Frequently Asked Questions
How many questions should the questionnaire include?
A full-length questionnaire typically runs 100 to 150 questions across all domains. For medium-risk vendors, a short-form version of 30 to 50 questions works well. The goal is completeness without creating vendor fatigue.
Should we use an industry-standard questionnaire like SIG?
The SIG (Standardized Information Gathering) questionnaire is an excellent baseline. You can use SIG Lite for lower-risk vendors and extend the full SIG with custom questions specific to your industry or data handling requirements.
What if a vendor has no compliance certifications?
Lack of certifications does not automatically disqualify a vendor, but it does increase the burden of proof. Ask for detailed policy documents, evidence of control implementation, and consider whether the risk can be mitigated through contractual requirements.
How do we handle conflicting or vague vendor responses?
Schedule a call to walk through any unclear answers. Vague responses often indicate that the vendor either does not understand the question or does not have the capability. Both are useful signals for your risk assessment.
Can we share assessment results with other teams?
Yes. Store vendor assessments in a central GRC platform or shared repository. Procurement, legal, privacy, and security teams all benefit from a single source of truth about vendor risk. Restrict access to detailed scores and evidence to authorized personnel.
