BYOQ — All of the Security Questionnaires Whistic Supports

December 13, 2019

For many InfoSec teams, the end of a year means planning for new updates, thinking about new strategic initiatives, and doing an overarching audit of current processes and procedures. Heading into 2020, we thought it would be a good refresher to run through the security questionnaires Whistic supports on its best-in-class security platform and offer some insight on when each would be useful. Enjoy!

Some of the questionnaires Whistic supports


Released by the Vendor Security Alliance, the VSA FULL and VSA CORE questionnaires are highly targeted questionnaires that focus on vendor security partnerships, risk, and accessibility in cybersecurity.

VSA FULL is highly in-depth and includes six different sections designed to bring vendor risk to the forefront of any security conversation.

VSA CORE is a shorter, more targeted form of the VSA FULL questionnaire that brings vendor-specific risks in GDPR and CCPA to light without having to complete a full assessment.


One of the more popular risk assessment frameworks on the market, the SIG (Standard Information Gathering) questionnaire family is released by Shared Assessments and addresses multiple areas of risk across many use cases, making it an easily adaptable and relatively flexible framework for many InfoSec teams. Additionally, the original SIG framework has been re-released multiple times as a CORE and LITE questionnaire to make it more appealing to smaller, on-the-go security teams.

The original SIG questionnaire evaluates 18 risk controls and is a good bet for teams looking to complete more complex RFPs, conduct self-assessments or audits, or determine a broader scope of risk security.

The SIG LITE questionnaire distills the larger, more complex concepts of the SIG assessment into a few easily manageable questions, making it the ideal assessment to see whether or not further review is needed.

SIG CORE is a unique approach to the original SIG assessment in that it offers InfoSec teams a library of questions to choose from to basically create their own unique questionnaire with vendors.


The HECVAT (Higher Education Cloud Vendor Assessment Tool) is one of the only university and higher education-specific questionnaires on the market. This assessment is specifically designed for higher education security teams to assess vendors, retain security compliance, and operate on a higher level.

As higher education security becomes a larger issue in the national conversation (surrounding things like student data privacy, payment records, and more), having access to the HECVAT is key for any university security team.

NIST SP 800–171 Framework

A government-focused security framework, the SP 800–171 framework focuses on how government agencies (including the department of defense) handles the sharing and access of Controlled Unclassified Information (CUI). This information is protected and highly sensitive, but isn’t directly regulated by any government agency, making it unclassified.

SP 800–171 frameworks are designed to determine whether or not vendors can securely handle and manage CUI. There are two main iterations of SP 800–171: Rev. 2 and B. Understanding how and when to use the SP 800–171 framework is paramount to doing business with any protected or government agency.

ISO 27001

Prepared and released by the International Organization for Standardization (ISO), the ISO 27001 framework is designed to be used as a running risk assessment and audit for both InfoSec and vendor teams alike. By identifying gaps in security processes, the ISO framework helps teams proactively address and prevent compliance gaps or security threats from occurring.

As a global standardization framework, ISO 27001 can work with any team, anywhere, regardless of size or scale. It is designed to assess all security teams on a universal level, making it a best practice for InfoSec teams around the world.

information security cybersecurity vendor risk management whistic security questionnaires

About the author


The latest insights and updates on information security and third party risk management.