Vendor Security Assessment Template
Comprehensive questionnaire for evaluating third-party vendor security. Third-party involvement in breaches has doubled, from 15% to 30%.
How to Use This Assessment
1. Send this questionnaire to your vendor or use it during vendor evaluation calls
2. Mark responses as Yes (fully compliant), Partial (partially implemented), or No (not implemented)
3. Pay special attention to High-risk items; these should be deal-breakers if "No"
4. Request evidence/documentation for affirmative responses
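The four steps above, applied as a scoring routine (an added example, not part of this template): a "No" on a high-risk item is a deal-breaker, and a "Yes" without supporting evidence is only counted as unverified. The risk tiering of individual questions and the 75% pass threshold are assumptions made for the example; the template itself does not label items.

```python
from dataclasses import dataclass

VALID = ("Yes", "Partial", "No")
PASS_THRESHOLD = 75  # assumption: a percentage score below this is "conditional"


@dataclass
class Item:
    question: str
    high_risk: bool          # risk tiering is our assumption; the template does not label items
    response: str            # "Yes", "Partial" or "No", as marked in step 2
    evidence: bool = False   # documentation received for an affirmative answer (step 4)


def score_item(item):
    """Return (points out of 2, finding) for one questionnaire item."""
    if item.response not in VALID:
        raise ValueError(f"invalid response {item.response!r} for {item.question!r}")
    if item.response == "No":
        return 0, ("deal-breaker" if item.high_risk else "gap")
    if item.response == "Partial":
        return 1, "partial"
    # A "Yes" earns full credit only once evidence is on file
    return (2, "ok") if item.evidence else (1, "unverified")


def assess(items):
    """Aggregate item findings into a verdict: reject / conditional / accept."""
    earned = 0
    findings = {"deal-breaker": [], "gap": [], "partial": [], "unverified": []}
    for item in items:
        points, finding = score_item(item)
        earned += points
        if finding != "ok":
            findings[finding].append(item.question)
    pct = round(100 * earned / (2 * len(items))) if items else 0
    if findings["deal-breaker"]:
        verdict = "reject"
    elif findings["unverified"] or pct < PASS_THRESHOLD:
        verdict = "conditional"
    else:
        verdict = "accept"
    return {"score_pct": pct, "verdict": verdict, **findings}


# Constructed sample responses, using questions taken from the template
SAMPLE = [
    Item("Does the vendor enforce multi-factor authentication for all access?", True, "Yes", evidence=True),
    Item("Is data encrypted in transit using TLS 1.2 or higher?", True, "Yes"),
    Item("Does the vendor have SOC 2 Type II certification?", False, "Partial"),
    Item("Does the vendor have a documented incident response plan?", True, "No"),
]

if __name__ == "__main__":
    print(assess(SAMPLE))  # verdict "reject": the missing IR plan is a high-risk "No"
```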
Security Certifications
Does the vendor have SOC 2 Type II certification?
Request a copy of their most recent SOC 2 report. Verify the audit period covers current operations.
Does the vendor have ISO 27001 certification?
ISO 27001 demonstrates formal information security management. Request certificate and scope.
Does the vendor hold industry-specific certifications or compliance attestations (HIPAA, PCI DSS, GDPR)?
Required if vendor handles healthcare, payment card, or EU resident data.
Access Controls
Does the vendor enforce multi-factor authentication for all access?
MFA should be mandatory for all users, especially those accessing your data.
Does the vendor use role-based access control (RBAC)?
Verify least privilege principles are enforced.
Can the vendor provide access logs upon request?
Important for incident investigation and compliance audits.
Does the vendor have privileged access management (PAM)?
Admin access should be controlled, monitored, and time-limited.
Data Protection
Is data encrypted at rest using AES-256 or equivalent?
Verify encryption standards and key management practices.
Is data encrypted in transit using TLS 1.2 or higher?
TLS 1.0 and 1.1 are deprecated and should not be accepted; confirm that the vendor's endpoints reject them outright rather than merely preferring newer versions.
Does the vendor have a data classification policy?
Ensures sensitive data receives appropriate protection.
Can the vendor demonstrate data residency compliance?
Important for regulatory compliance (GDPR, data sovereignty).
Incident Response
Does the vendor have a documented incident response plan?
Request a copy or summary of their IR procedures.
What is the vendor's breach notification timeline?
Should align with your regulatory requirements (e.g., 72 hours for GDPR).
Does the vendor conduct regular incident response testing?
Tabletop exercises should be conducted at least annually.
Business Continuity
Does the vendor have a business continuity plan?
Request RTO/RPO commitments and disaster recovery procedures.
Does the vendor test backup and recovery procedures regularly?
Annual testing minimum; request evidence of recent tests.
What is the vendor's historical uptime percentage?
Request SLA commitments and historical performance data.
Subcontractors & Fourth Parties
Does the vendor assess security of their subcontractors?
Supply chain attacks are increasing; fourth-party risk is real.
Can the vendor provide a list of critical subcontractors?
Know who has access to your data beyond the primary vendor.
Does the contract allow subcontractor audits?
Ensure you have visibility into the full supply chain.
Vulnerability Management
Does the vendor conduct regular vulnerability scans?
Should be at least monthly for internet-facing systems.
Does the vendor have a penetration testing program?
Annual third-party pen tests are industry standard.
What is the vendor's patch management timeline?
Critical patches should be applied within 24-48 hours.
Contract Security Requirements
Beyond the assessment, ensure your vendor contracts include these security provisions:
Must-Have Clauses
- Breach notification within 24-72 hours
- Right to audit security controls annually
- Data return/deletion upon contract termination
- Subcontractor security requirements
- Cyber insurance requirements
Liability Considerations
- Uncapped liability for data breaches
- Indemnification for third-party claims
- Service level agreements with penalties
- Business continuity commitments
Need Help Managing Vendor Risk?
Our team can help you build a vendor risk management program that protects your organization from third-party breaches.
