5 of the Top Questionnaires for IT Vendor Assessments

January 05, 2018

The world of InfoSec is changing rapidly, and as such, new frameworks for performing vendor risk assessments are being introduced into the marketplace all the time — each with their own use cases and benefits. As we’ve previously explored, developing an assessment process tailored specifically to the risk level of your vendors is vital to ensuring your organization’s data remains secure and uncompromised by outside vendors in which your organization conducts business.

But as more and more information security questionnaires are introduced, it can be challenging for an organization to grasp which vendor assessment framework to use, at which time, and for which third party vendor. At Whistic, simplifying third party security risk assessments is our job. That’s why we’ve compiled a list of 5 of the top questionnaires used in IT vendor security assessments today. And the best news? Whistic’s platform supports each and every one of these standardized questionnaires, so you can choose the best assessment for your organization’s vendor risk management (VRM) program at any given time, and be confident that your selection will be supported.

In addition to sending, receiving, scoring and reviewing vendor responses to any of the following questionnaires in the Whistic Platform, companies can also complete a self-assessment with each of these questionnaires. These self-assessment questionnaires can be added to a Whistic Profile to streamline your ability to respond to security reviews from customers or prospects, or can be used for internal information security risk assessments. Whistic enables teams to easily collaborate on self-assessment questionnaires by adding teammates, assigning questions and setting due dates.

5 Top Questionnaires for IT Vendor Assessments (in alphabetical order):

1. Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)

  • About the Organization: The Center for Internet Security (CIS) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. https://www.cisecurity.org/.
  • About the Questionnaire: According to CIS, its 20 ‘Controls’ are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization and can be considered a short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense. The First 5 CIS Controls are often referred to as providing cybersecurity “hygiene,” and studies show that implementation of the First 5 CIS Controls provides an effective defense against the most common cyber attacks (~85% of attacks). The CIS Controls map to most major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800–53, ISO 27000 series and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
  • About Whistic’s Offering: Whistic offers both the First 5 and CIS Top 20 as intelligent, online questionnaires that convert the controls into a series of “Yes/No” questions, with the ability to add comments and documentation to substantiate responses. The CIS First 5 contains 35 questions, while the CIS Top 20 contains 150 questions.

2. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)

  • About the Organization: The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. https://cloudsecurityalliance.org/.
  • About the Questionnaire: The CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. The questionnaire provides a set of questions a reviewer may wish to ask of a cloud provider. The CAIQ questionnaire is designed to support organizations when interacting with cloud provider during the cloud provider assessment process by giving organizations specific questions to ask about provider operations and processes.
  • About Whistic’s Offering: Whistic offers the CAIQ as an intelligent, online questionnaire, with the ability to add comments and documentation to substantiate responses. The CAIQ contains just under 300 questions.

3. National Institute of Standards and Technology — NIST (800–171)

  • About the Organization: The National Institute of Standards and Technology implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. https://www.nist.gov/topics/cybersecurity.
  • About the Questionnaire: The purpose of NIST’s 800–171 framework is to help protect controlled unclassified information (CUI) in nonfederal systems and organizations. CUI is considered any potentially sensitive, unclassified data that requires controls in place which define its proper safeguarding or dissemination. The publication contains 14 specific security objectives, each with a variety of unique controls, as well as mapping to NIST 800–53 and ISO 27001. Any organization that supplies the federal government with product, solutions or services under a Department of Defense (DoD), General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) contract must comply with NIST 800–171 as of December 31, 2017. While this framework is mainly focused on companies that work under a government contract, it represents a concerted effort to improve cybersecurity at a national level and is a detailed framework with 14 areas that are important for any company looking to improve its cybersecurity posture.
  • About Whistic’s Offering: Whistic offers the NIST 800–171 as an intelligent, online questionnaire, with the ability to add comments and documentation to substantiate responses. The NIST 800–171 contains just over 100 questions.

4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)

  • About the Organization: The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. https://sharedassessments.org.
  • About the Questionnaire: The Shared Assessments Group’s SIG (Standardized Information Gathering) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. The questions within the SIG are based on referenced industry regulations guidelines, and standards (including NIST, FFIEC, ISO, HIPAA and PCI). Similarly, the SIG-Lite is a compilation of all the higher level questions from the detail tabs of the SIG and is generally used for third party service providers who offer lower risk services.
  • About Whistic’s Offering: Whistic offers the SIG and SIG-LITE as intelligent, online questionnaires, with the ability to add comments and documentation to substantiate responses. While the SIG contains over 1,200 questions, the SIG-Lite contains just under 200 questions.

5. Vendor Security Alliance — VSA Questionnaire (VSAQ)

  • About the Organization: The Vendor Security Alliance (VSA) is a coalition of companies committed to improving Internet security. The VSA was formed to streamline vendor security compliance. Members may leverage the VSA’s network of third party auditors to carry out risk based assessments of their vendors; enabling members to assess more vendors, faster and cheaper than ever before. https://www.vendorsecurityalliance.org/.
  • About the Questionnaire: First published in 2016, the VSAQ was designed specifically to help companies vet their supplier’s security practices. It is comprised of six sections of questions addressing: data protection, security policy, preventative and reactive security measures, supply chain management, and compliance. The questionnaire was designed with the vendor in mind, with a focus on eliminating irrelevant questions and unnecessary friction during the security review process.
  • About Whistic’s Offering: Whistic offers the VSAQ as an intelligent, online questionnaire, with the ability to add comments and documentation to substantiate responses. The VSAQ contains just over 100 questions.

Emerging Standard:

Higher Education Cloud Vendor Assessment Tool — (HECVAT / HECVAT Lite)

  • About the Organization: The HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group members, and represents a collaboration between EDUCAUSE, Internet2, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC). https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool
  • About the Questionnaire: First published in 2016, the HECVAT attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. Its purpose is to provide a starting point for the assessment of third-party provided cloud services and resources. It helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, including some that are unique to higher education. It also allows a consistent, easily-adopted methodology for campuses wishing to reduce costs through cloud services without increasing risks, and reduces the burden that cloud service providers face in responding to requests for security assessments from higher education institutions. The HECVAT questionnaire is also available in a “Lite” format for use in lower-risk situations.
  • About Whistic’s Offering: Whistic will be adding the HECVAT and HECVAT-Lite to its platform in early 2018 as intelligent, online questionnaires, with the ability to add comments and documentation to substantiate responses. The HECVAT contains just under 300 questions and the HECVAT-Lite contains just under 75 questions.

Which Questionnaire is Right for Your Third Party Risk Management (TPRM) Program?

Determining the right assessment tool for your organization’s vendor risk management (VRM) program isn’t something to take lightly. However, the security questionnaires available for your use are continually improving in quality and are becoming more readily available, regardless of your organization’s size or industry focus. The majority of the questionnaires referenced above are regularly updated and improved (typically on an annual basis) by groups of experts in the fields of cybersecurity, information security, compliance and risk, and are widely adopted by the world’s leading companies.

Once you have determined the right questionnaire or framework to assess third party vendor security risks, let our team at Whistic show you just how easy it is to use your questionnaire of choice with our vendor security management platform to simplify the process and save your team significant time and resources.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Product Demo:

Request a Live Demo with a Whistic Product Specialist

Risk Management cybersecurity risk assessment it risk management

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.