
Vendor Security Questionnaire Template

A pragmatic, 16-question security assessment template to evaluate the security, compliance, and data protection postures of third-party vendors.


Implementation Guide

Third-party vendors and SaaS providers are common vectors for supply-chain data breaches. Before handing over customer data, proprietary code, or financial systems access, you must assess their security controls.

Who is this for?

This questionnaire is built for procurement managers, IT teams, and security compliance staff who need to establish a lightweight vendor due diligence process without using complex software tools.

How to use this template:

  1. Customize the intro text with your organization’s name.
  2. Send the questionnaire to the vendor’s security contact prior to contract execution.
  3. Review the answers against the key indicators: obtain and read the actual SOC 2 Type II report (not just a summary letter or certificate), confirm that multi-factor authentication (MFA) is mandatory for access to their hosting environments, and confirm that the breach notification window they state is written into the contract. Treat the questionnaire as self-attestation: where an answer matters, ask for evidence such as the audit report, a recent penetration test summary, or a policy excerpt.
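A completed template usually comes back as the markdown tables shown in the preview below (or a spreadsheet export of them), and the step 3 review is easier to apply consistently across vendors if it is scripted. The following Python script is an added example and not part of the original template: it parses the filled-in tables, flags every Yes/No question not answered "Y", and checks the free-text answers for 2.1 (no TLS version below 1.2 mentioned), 2.4 (a retention timeline present) and 4.4 (a notification window stated and within a limit). The 72-hour limit and the sample vendor answers are constructed assumptions; set the limit to whatever your contract requires.

```python
import re

# Questions that should be answered "Y"; any other answer (N, NA, blank) is a finding.
EXPECTED_YES = {"1.1", "1.2", "1.3", "1.4", "2.1", "2.2", "2.3",
                "3.1", "3.2", "3.3", "3.4", "4.1", "4.2", "4.3"}
MIN_TLS = (1, 2)             # floor stated in question 2.1
MAX_NOTIFICATION_HOURS = 72  # assumed contractual limit for 4.4; adjust to your terms


def parse_questionnaire(markdown: str) -> dict:
    """Return {question_id: (answer, comment)} from the template's markdown tables.

    Only rows whose first cell looks like '2.1' are kept, so the header row and
    the ':---' alignment row are skipped automatically.
    """
    rows = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not re.fullmatch(r"\d+\.\d+", cells[0]):
            continue
        cells += [""] * (4 - len(cells))          # tolerate a missing Comments cell
        qid, _question, answer, comment = cells[:4]
        rows[qid] = (answer, comment)
    return rows


def notification_hours(comment: str):
    """Extract the breach notification window from free text, normalised to hours."""
    m = re.search(r"(\d+(?:\.\d+)?)\s*(hours?|hrs?|h|business days?|days?|d)\b",
                  comment, re.IGNORECASE)
    if not m:
        return None
    value, unit = float(m.group(1)), m.group(2).lower()
    return value * 24 if unit.startswith(("d", "business")) else value


def triage(rows: dict) -> list:
    """Apply the review indicators from the guide; returns [(question_id, finding)]."""
    findings = []
    for qid in EXPECTED_YES:
        answer, comment = rows.get(qid, ("", ""))
        if answer.upper() != "Y":
            findings.append((qid, f"answer is '{answer or 'missing'}'; "
                                  f"remediation: {comment or 'none given'}"))

    # 2.1: a "Y" with TLS 1.0/1.1 still enabled does not meet the floor.
    _, comment = rows.get("2.1", ("", ""))
    for major, minor in re.findall(r"TLS\s*v?(\d)\.(\d)", comment, re.IGNORECASE):
        if (int(major), int(minor)) < MIN_TLS:
            findings.append(("2.1", f"TLS {major}.{minor} still offered; floor is TLS 1.2"))

    # 2.4: the retention timeline must actually be stated, not just "yes".
    _, comment = rows.get("2.4", ("", ""))
    if not re.search(r"\d+\s*(day|week|month|year)s?\b", comment, re.IGNORECASE):
        findings.append(("2.4", "no retention timeline stated in Comments"))

    # 4.4: the notification window must be stated and within the limit.
    _, comment = rows.get("4.4", ("", ""))
    hours = notification_hours(comment)
    if hours is None:
        findings.append(("4.4", "no notification window stated in Comments"))
    elif hours > MAX_NOTIFICATION_HOURS:
        findings.append(("4.4", f"{hours:g} hours exceeds the {MAX_NOTIFICATION_HOURS}-hour limit"))

    # Sort by numeric question id so findings read in questionnaire order.
    return sorted(findings, key=lambda f: tuple(int(x) for x in f[0].split(".")))


# Constructed sample of a returned questionnaire (not a real vendor's answers).
SAMPLE = """\
| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 1.1 | Documented security program approved by leadership? | Y | |
| 1.2 | Third-party certification? | Y | SOC 2 Type II report attached |
| 1.3 | Annual security training? | Y | |
| 1.4 | Cyber liability insurance? | N | Policy under review, target date next quarter |
| 2.1 | Encrypted in transit? | Y | TLS 1.2 default; TLS 1.0 kept for one legacy client |
| 2.2 | Encrypted at rest? | Y | |
| 2.3 | Tenant isolation? | Y | |
| 2.4 | Retention after termination? | NA | Deleted within 30 days of termination |
| 3.1 | MFA mandatory for hosting access? | N | Rollout completes next quarter |
| 3.2 | Least privilege? | Y | |
| 3.3 | Credentials revoked on termination? | Y | |
| 3.4 | Quarterly admin access reviews? | Y | |
| 4.1 | Regular vulnerability scanning? | Y | |
| 4.2 | Annual third-party pentest? | Y | |
| 4.3 | Documented IR plan? | Y | |
| 4.4 | Breach notification window? | NA | 5 business days |
"""

if __name__ == "__main__":
    for qid, finding in triage(parse_questionnaire(SAMPLE)):
        print(f"[{qid}] {finding}")
```

On the sample above the script reports 1.4 and 3.1 as not answered "Y", 2.1 because TLS 1.0 is still offered despite the "Y", and 4.4 because five business days is 120 hours. The TLS check is deliberately applied even to a "Y" answer: vendors often answer the headline question positively and leave the weak cipher or protocol in the comment, which is where the real finding is.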

Template Preview

# VENDOR SECURITY QUESTIONNAIRE

**Vendor Name:** [Vendor Company Name]  
**Service/Product Evaluated:** [Service Name]  
**Assessment Date:** [Date]  
**Assessed By:** [Name/Title]  

---

## INSTRUCTIONS FOR VENDORS
Please answer each question completely. For any answer other than "Yes", describe the compensating controls in place or give a target remediation date in the **Comments** column. Questions 2.4 and 4.4 ask for a value rather than Yes/No; put that value in the **Comments** column.

---

## 1. INFORMATION SECURITY PROGRAM & GOVERNANCE

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 1.1 | Do you maintain a documented Information Security Program approved by leadership? | | |
| 1.2 | Do you possess a valid third-party security certification (e.g., SOC 2 Type II, ISO 27001, CMMC)? If yes, attach the latest report. | | |
| 1.3 | Do you perform annual cybersecurity training for all staff members who access customer data? | | |
| 1.4 | Do you carry active Cyber Liability Insurance? If yes, list coverage limits. | | |

---

## 2. DATA PROTECTION & PRIVACY

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 2.1 | Is customer data encrypted in transit using industry-standard protocols (e.g., TLS 1.2 or higher)? | | |
| 2.2 | Is customer data encrypted at rest inside your databases and backup repositories? | | |
| 2.3 | Do you logically or physically isolate each customer's data within your hosting infrastructure to prevent cross-tenant access? (Describe the mechanism in Comments). | | |
| 2.4 | What is your data retention policy for customer records upon contract termination? (Specify timeline in Comments). | | |

---

## 3. ACCESS CONTROL & IDENTITY MANAGEMENT

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 3.1 | Is multi-factor authentication (MFA) mandatory for all employees accessing hosting environments? | | |
| 3.2 | Do you enforce the principle of least privilege, limiting production and database access to staff whose role requires it? | | |
| 3.3 | Do you revoke all access credentials for terminated employees within a defined timeframe? (State the timeframe in Comments). | | |
| 3.4 | Do you perform quarterly access reviews of accounts with administrative privileges? | | |

---

## 4. VULNERABILITY MANAGEMENT & RESPONSIVENESS

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 4.1 | Do you perform regular vulnerability scanning of your external networks and applications? (State the scan frequency in Comments). | | |
| 4.2 | Do you conduct annual external penetration testing performed by an independent third-party firm? | | |
| 4.3 | Do you have a documented Incident Response Plan? (State in Comments when it was last tested or exercised). | | |
| 4.4 | What is your guaranteed notification window to customers in the event of a suspected or confirmed data breach affecting their data? (Specify hours in Comments). | | |

---

## VENDOR SIGN-OFF
*I represent that the answers provided above are accurate and complete reflections of our organization's current security posture.*

**Authorized Signatory:** ___________________________  
**Printed Name:** [Signatory Name]  
**Title:** [Signatory Title]  
**Date:** [Date Signed]  

Need a custom security program?

We write framework-aligned corporate WISPs and custom playbooks tailored to your team.