Do you have a security questionnaire for all third parties you partner with? How long is it?


Director in Manufacturing, 1,001 - 5,000 employees
Our CISO has about a two-page security document that our vendors need to complete as part of our RFP process. Procurement actually delivers it as part of the requirements to bid.
CISO in Government, 10,001+ employees
We do have a set of questions we call the External Dependency Matrix, derived from CIS Critical Security Controls. I recommend starting with that. Depending on the solution, sensitivity of data, and what level of compliances you are required to follow, you can demand different levels of control (1, 2, or 3). 
Director of Data in Healthcare and Biotech, 10,001+ employees
Yes, we have a pretty comprehensive security questionnaire that covers just about every topic that vendors must fill out before purchasing can be considered. It basically covers everything and is pretty time intensive. We do not have levels of control built into the document, but I think that is a great idea for the future. 
Information Security Director in Media, 10,001+ employees
We have a security questionnaire for 3rd party vendors, but depending on how they interact with our infrastructure, their access to certain types of data (PII, Confidential, etc.), or whether their processes/systems have been audited from an ISO or SOC2 perspective, the quantity of questions differs, as questions would be added/excluded accordingly.
