Vendor Security Assessment Questionnaire

Vendor Security Assessment Questionnaire

Generates a pre-contract due-diligence questionnaire for evaluating vendor security controls, data practices, and compliance across GDPR, CCPA, HIPAA, SOX, GLBA, FERPA, and industry frameworks.

Quick Start

Gather before drafting:

1. Vendor scope — data types accessed (PII, PHI, PCI, financial, proprietary), processing activities, data flows
2. Applicable regulations — GDPR, CCPA, HIPAA, SOX, GLBA, FERPA, or sector-specific
3. Risk tolerance — what constitutes acceptable vs. disqualifying vendor risk
4. Contract alignment — security provisions to incorporate by reference

Document Framework

Assessment Domains

Draft numbered questions per domain. Each question includes a response field and evidence-request field where applicable. Tailor scope to data sensitivity — not every vendor needs every domain.

1. Information Security Governance

• Dedicated CISO/equivalent; certifications (CISSP, CISM, CISA)
• Framework alignment (NIST CSF, ISO 27001, CIS Controls, COBIT)
• Policy review cadence; security awareness training (all-staff + specialized)
• Board-level security reporting frequency

2. Data Classification & Lifecycle

• Classification taxonomy compatibility with client's scheme
• All data storage/processing locations (primary, DR, backup, cloud regions)
• Cross-border transfer mechanisms (SCCs, adequacy decisions, BCRs)
• Retention post-termination; destruction methods; certificates of destruction
• Backup frequency; encrypted backup media; tested RTO/RPO

3. Access Control & Privileged Access

• MFA enforcement across all access; supported factors
• RBAC, least-privilege, segregation of duties
• Privileged access: JIT elevation, session recording, auto-deprovisioning
• Access recertification frequency; anomalous-access alerting

4. Vulnerability Management & Testing

• Scanning tools, frequency, and patching SLAs:

• Annual third-party pentests (external + internal lateral movement)
• AppSec testing (SAST, DAST, SCA) for custom software
• Bug bounty / responsible disclosure program
• Request most recent pentest summary and remediation status

5. Incident Response & Business Continuity

• Documented IR plan with roles, escalation, communication protocols
• IR testing frequency (tabletop, simulations) and recent results
• Notification timeline — must allow client to meet most restrictive regulatory deadline (GDPR 72 hrs, HIPAA 60 days, state breach laws)
• Cooperation with client IR team and legal counsel
• Cyber insurance: policy limits, third-party liability, adequacy for data volume
• BCP/DR: tested RTO/RPO, geographic diversity, multi-scenario resilience

6. Encryption & Key Management

• At rest: minimum AES-256; scope includes production, dev/test, backups, portable media
• Database encryption approach (TDE, column-level, application-layer)
• In transit: TLS versions, deprecated protocol status, enforced cipher suites
• In use: confidential computing / secure enclave capabilities (if applicable)
• Key management: HSM/KMS storage, rotation frequency, secure destruction

7. Network Security & Segmentation

• Customer isolation; production vs. corporate separation
• Zero-trust architecture status
• Perimeter controls: firewalls, IDS/IPS, WAF, DDoS protection
• Remote access: VPN, NAC/device posture, MFA
• Assessment cadence (external scans, internal pentests, wireless)

8. Subprocessor Risk Management

• Complete subprocessor inventory: role, data access, location, assessments conducted
• Flow-down of security requirements (contractually at least as stringent as client's)
• Client notification and approval rights before new subprocessor engagement
• Right to terminate non-compliant subprocessors

9. Certifications & Compliance

• SOC 2 Type II: report date, principles, opinion status, scope alignment
• ISO 27001: certificate dates, scope, certification body
• PCI DSS, FedRAMP/StateRAMP, HITRUST, TISAX (as applicable)
• Regulatory compliance confirmation for applicable data types
• Commitment to provide updated reports/certifications annually

10. Physical Security & Environmental Controls

• Data center access: MFA, visitor logs, surveillance, security personnel
• Background checks for personnel with physical access
• Environmental: fire suppression, UPS, generators, climate, water detection
• Facility certifications (SSAE 18 SOC 1, Uptime Institute tier)

11. HR Security & Insider Threat

• Background checks; periodic re-investigation for sensitive roles
• Security training before access; policy acknowledgment
• Offboarding: access revocation timeline, exit procedures
• Insider threat monitoring; DLP for exfiltration prevention

Risk Assessment Framework

Score vendor responses after receipt:

Assessment report must include:

• Per-domain and overall risk rating with justification
• Recommended contractual controls (audit rights, insurance minimums, SLAs)
• Evidence gaps requiring follow-up
• Go/no-go recommendation with conditions
• Flagged inconsistencies between responses and publicly available information

Checks

• State explicitly in preamble: responses are contractually binding representations; incomplete/misleading answers constitute grounds for disqualification or material breach
• Align notification timelines with the most restrictive applicable breach notification law
• Mark questions as required vs. conditional based on data type (PCI questions only if payment data involved)
• Flag vendors refusing to disclose subprocessors or share certifications as elevated risk
• All legal citations to specific regulatory provisions must be verified against current law [VERIFY]