top of page

Vendor Risk Assessment Questionnaire

Company Information:

  1. Please provide the company name and primary contact information.

  2. Does your company have a dedicated security team or security officer?

Security Policies and Procedures:

  1. Do you have written security policies and procedures? If yes, how often are they reviewed and updated?

  2. Are your employees required to undergo security awareness training? If yes, how often?

  3. Are your security policies and procedures aligned with any recognized cybersecurity frameworks (e.g., ISO 27001, NIST)?

Access Controls:

  1. Describe how access to systems and data is managed within your company.

  2. Are strong password policies enforced in your company?

  3. How is access to systems and data removed when an employee leaves the company or changes roles?

Data Security:

  1. How is sensitive data protected during transmission and at rest?

  2. Please describe your data encryption practices.

  3. Do you conduct regular vulnerability scans and/or penetration tests?

Incident Response:

  1. Do you have an incident response plan in place?

  2. Have you experienced any security incidents in the past two years? If so, how were they managed and what steps were taken to prevent recurrence?

Third-Party Management:

  1. Does your company use subcontractors or outsourced services? If so, how do you manage their access to data and systems?

  2. Have you conducted a risk assessment of your own third-party vendors?

Business Continuity and Disaster Recovery:

  1. Do you have a business continuity plan and disaster recovery plan in place?

  2. How often do you test your disaster recovery plan?


  1. Is your company subject to any cybersecurity regulations? If so, please describe how compliance is ensured.

  2. Has your company undergone any third-party security audits? If yes, can you share the results?

Risk Management:

  1. Does your company have a formal risk management process in place?

  2. How often do you evaluate and update your risk assessments?

Data Protection and Privacy:

  1. Do you have a designated Data Protection Officer (DPO) or a similar role in your organization?

  2. Please explain your process for managing and securing customer data.

  3. Do you have a process in place for handling data breaches involving personal data?

  4. How do you ensure the privacy of the data you handle?

Physical Security:

  1. How do you ensure the physical security of your premises and data centers?

  2. Are there security measures in place to prevent unauthorized physical access to your systems?

Secure Development:

  1. If you develop software, please describe your secure development practices.

  2. Do you use Static and Dynamic Analysis Tools to detect vulnerabilities in your software?

  3. Is your code reviewed for security vulnerabilities?

Network Security:

  1. How is your network secured against external and internal threats?

  2. What types of security technologies (firewalls, IDS/IPS, etc.) do you use to protect your network?

  3. Are all network devices updated and patched regularly?

Monitoring and Auditing:

  1. Do you continuously monitor your systems and networks for suspicious activity?

  2. Are logs maintained for all system, network, and user activities?

  3. How long are logs retained and how are they protected?

Cybersecurity Insurance:

  1. Does your organization have cybersecurity insurance coverage?

  2. Can you provide details about the terms and coverage of your cybersecurity insurance policy?

Please provide any additional comments or information that may assist in our assessment of your cybersecurity posture. Thank you for your cooperation.



bottom of page