Do you have a security questionnaire for all third parties you partner with? How long is it?

PartnershipsThird Party Risk Management (TPRM)
1.8k viewscircle icon1 Upvotecircle icon4 Comments
Sort by:
VP Cybersecurity & Compliance in Services (non-Government)2 years ago

We have a security questionnaire for 3rd party vendors, but depending how they interact with our infrastructure, access to certain types of data (PII, Confidential etc.) or if their processes/systems have been audit from a ISO or SOC2 perspective the quantity of questions differ as questions would be added/excluded accordingly.

Executive Director of Technology in Healthcare and Biotech2 years ago

Yes, we have a pretty comprehensive security questionnaire that covers just about every topic that vendors must fill out before purchasing can be considered. It basically covers everything and is pretty time intensive. We do not have levels of control built into the document, but I think that is a great idea for the future. 

CISO in Government2 years ago

We do have a set of questions we call the External Dependency Matrix, derived from CIS Critical Security Controls. I recommend starting with that. Depending on the solution, sensitivity of data, and what level of compliances you are required to follow, you can demand different levels of control (1, 2, or 3). 

Director in Manufacturing3 years ago

Our CISO has about a two page security document that our vendors need to complete as part of our RFP process. Procurement actually deliverers it as part of the requirements to bid.

Lightbulb on1

Content you might like

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

We’re currently evaluating alternative Microsoft Licensing Solution Providers (LSPs) due to ongoing dissatisfaction with our current partner under our Enterprise Agreement (EA). As we look to make a change, we’re hoping to learn from others in the community who have navigated similar transitions. We’re particularly interested in your experiences with: • LSPs that provide more than just transactional value — Have you worked with an LSP that offered strategic guidance, proactive support, or added value beyond licensing fulfillment? • Partner delays due to LSP involvement — Have you encountered inefficiencies or delays when your consulting partner had to coordinate through an LSP? How did you address this? • Hybrid approaches — Has anyone adopted a model where the LSP handles licensing while a separate consulting partner provides strategic or technical support? How has that worked in practice? Any recommendations, red flags, or lessons learned would be greatly appreciated. We’re aiming to ensure we’re getting the best support and strategic alignment possible moving forward. 

Have you patched Log4j yet?

Yes42%

Yes, but third & Nth parties are still a concern43%

Mostly10%

No3%

Don't know

View Results

How often does procurement include cyber risk assessment requirements in their engagement requests?

Always17%

Often40%

Sometimes27%

Rarely13%

Never1%

Not sure

View Results

How are you tracking a high volume of contractors and SOWs across multiple verticals at your company? I'm looking to understand what tools, platforms, or methods others are using to manage and maintain visibility over large-scale contract labor and services engagements.