Overview
Before you hand a vendor your data or let them connect to your network, you need to know what their security looks like from the inside. This questionnaire gives you a structured way to evaluate vendors across the areas that matter most: how they handle your data, who has access, how they respond to incidents, and whether they can prove compliance when asked. It is designed to be practical for both the team sending it and the vendor filling it out.
Assessment Domains
- Organizational security governance and leadership
- Data protection, encryption, and classification practices
- Identity and access management controls
- Network security architecture and segmentation
- Incident response capabilities and breach history
- Business continuity and disaster recovery readiness
- Compliance certifications and audit reports
- Subprocessor and fourth-party risk management
Risk Tiering Framework
| Tier | Criteria | Assessment depth |
|---|---|---|
| Critical | Processes or stores sensitive data, has network access, or supports revenue-critical functions | Full questionnaire, SOC 2 report review, onsite or virtual assessment |
| High | Accesses internal systems or handles moderate-sensitivity data | Full questionnaire plus evidence requests |
| Medium | Limited data access, no direct system connectivity | Abbreviated questionnaire with self-attestation |
| Low | No data access, no system connectivity, commodity services | Automated risk scoring with periodic reassessment |
How to Evaluate Responses
Look beyond yes-or-no answers. Ask for evidence: screenshots of configurations, copies of policies, recent penetration test summaries, and SOC 2 or ISO 27001 reports. Pay close attention to how the vendor handles access reviews, vulnerability patching timelines, and incident notification commitments. A vendor that says they encrypt data at rest but cannot specify the algorithm or key management approach is a red flag. Score each domain on a 1-to-5 maturity scale and set minimum thresholds per risk tier.
Common Vendor Red Flags
- No SOC 2, ISO 27001, or equivalent third-party audit in the past 18 months
- Inability to provide a documented incident response plan
- Shared credentials or no MFA for administrative access
- No encryption at rest or in transit for customer data
- Refusal to disclose subprocessors or fourth-party dependencies
- No defined SLA for breach notification timelines
Integration with Your TPRM Program
This questionnaire works best when it is part of a broader third-party risk management lifecycle. Use it during vendor onboarding, then schedule periodic reassessments based on the risk tier. Critical vendors should be reassessed annually at minimum, with continuous monitoring through tools that track breach disclosures, certificate expirations, and dark-web mentions. Store all vendor assessments in a central repository so your procurement, legal, and security teams all work from the same data.
Frequently Asked Questions
How long should a vendor have to complete the questionnaire?
Give vendors two to three weeks for a full questionnaire. For critical-tier vendors, schedule a follow-up call to walk through responses and clarify any gaps.
Should we accept a SOC 2 report instead of the questionnaire?
A SOC 2 Type II report covers many of the same areas, but it does not address how the vendor handles your specific data. Use the report to pre-fill sections and focus your questionnaire on gaps the report does not cover.
How do we handle vendors that refuse to answer?
Document the refusal and escalate to procurement and legal. Consider whether the vendor relationship is worth the unquantified risk. In some cases, contractual language can require security transparency as a condition of doing business.
What is the difference between this and a SIG questionnaire?
The Standardized Information Gathering (SIG) questionnaire is a widely used industry standard with over 800 questions. This template is more concise and practical for organizations that need a faster assessment without sacrificing coverage of the critical domains.
How often should vendor assessments be repeated?
Critical vendors should be reassessed annually, high-tier vendors every 18 months, and medium- and low-tier vendors every two to three years, unless a material change or a breach triggers an earlier review.
Ready to use this resource?
Download it now or schedule a demo to see how Hunto AI can automate your security workflows.
