Conducting Vendor Risk Assessments Using the Vendor Security Alliance (VSA) Questionnaire

July 23, 2018

InfoSec and IT leaders know all too well the struggles that come along with conducting vendor security assessments — both for the vendors that serve their organization as well as, in many cases, the organizations they serve. Not only can the assessment process be time-consuming, it can be difficult to pinpoint exactly which assessment to use for each vendor. Each out-of-the-box vendor risk assessment questionnaire available to InfoSec teams offers a unique look at the world of cybersecurity and compliance: some are industry specific, others are applicable to cloud-based vendors only, and still others are based on business case, such as effectively managing the critical elements of the vendor risk management lifecycle.

In a previous article, we explored 5 of the top questionnaires for IT vendor risk assessments. As a refresher, these include:

  1. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
  2. Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
  3. National Institute of Standards and Technology — NIST (800–171)
  4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
  5. Vendor Security Alliance — VSA Questionnaire (VSAQ)

Over the next several weeks, we’ll provide a deep-dive look into several of these assessments so that your organization can confidently choose the right questionnaire for your third party risk management program — whether you decide to build your own or use a one of these pre-built assessments. In the last article, we took a closer look at at the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ), and in this article, we’ll examine the Vendor Security Alliance Questionnaire (VSAQ).

What is the VSA Questionnaire and Why Was It Created?

The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving internet security who are also members of the alliance. The alliance was originally formed to streamline vendor security compliance, allowing its members to leverage the VSA’s network of third party auditors to carry out risk based assessments of their vendors, which enables its members to assess more vendors at a faster and cheaper rate than ever before. While the VSA questionnaire was created for the alliance’s members, non-members are also able to use the questionnaire, which we’ll explore below.

The in-depth questionnaire, called the “VSAQ”, was first published in 2016 and was designed specifically to help companies evaluate their supplier’s security practices. The questionnaire contains six different sections, including:

  1. Data protection and access controls
  2. Security policies and procedures
  3. Proactive security measures
  4. Reactive security measures
  5. Software supply chain management
  6. Customer-facing application security
  7. Compliance

Unlike some of the other assessments as highlighted in our list, the VSAQ was created with the vendor in mind. Why might that matter to your InfoSec and IT team? Because its focus is on eliminating irrelevant questions and unnecessary friction during the security review process, making for a much more streamlined questionnaire process that both the vendor and the issuing company will appreciate (and will be able to respond to in a faster manner).

InfoSec teams know that any vendor supplying a product or service can present risks, especially if they have access to certain systems or data that could be compromised. The VSA urges that companies use the VSAQ in situations such as these:

  • Data-Risk Based. Not all vendors should be held to the same standard. The risk is proportionate to the sensitivity of the data they are accessing (and the volume of data). The controls vendors should have in place must be proportionate to their risk.
  • Integrated Security. Great security is not achieved by purchasing a product. It is achieved by thinking about security from the start; how a product is designed, how a product is tested, how it is patched and maintained, what steps have been taken to minimize a breach and what happens during a security incident. All of these and more are covered in this questionnaire.
  • Service Oriented. Many companies have multiple offerings of services and products. Rather than audit the company, we focus on just the services that are being delivered. Only the security policies and controls in the scope of the service under review are relevant.

What Type of Organizations Should Use the VSA Questionnaire?

While the VSAQ was originally created as an asset to the alliance’s members, any InfoSec team can use the questionnaire as a means to assess vendors supplying services to their organization.

Not a member of the VSA? No problem! The VSA simply suggests that you send this questionnaire to your vendors to assess their cybersecurity risk. They will return it directly to you so you can then use the questionnaire results to benchmark the cybersecurity risk of services you provide, and find areas to improve.

Your organization is a member of the VSA? Great! You have the same option as non-VSA members, or you have the option to leverage third party auditors carry out audits.

Would you like to use the VSA questionnaire in a software platform to streamline your vendor assessments? Whistic is the exclusive platform trusted by the VSA and the only software platform where you can get access to the VSAQ.

How InfoSec Teams Can Use Whistic to Complete and Send VSA Questionnaires

Whistic offers the VSAQ as an intelligent, online questionnaire (which contains just over 100 questions), with the ability to add comments and documentation to substantiate responses.

Additionally, your InfoSec team can efficiently and securely respond to any VSAQ assessments that come your way by using your Whistic Security Profile. Whistic’s vendor assessment platform allows teams to intelligently allocate limited resources by assigning questions to specific subject matter experts across the organization and provide due dates and reminders along the way. The ready-to-use VSAQ online questionnaire — inherently available in Whistic’s platform — provides the ability to add comments and documentation to substantiate responses.

Whether sending the assessment to cloud vendors or responding to the VSAQ as a cloud vendor yourself, Whistic’s process allows your InfoSec team to be confident that no security issue will slip through the cracks.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

information security cybersecurity whistic vendor security alliance vendor risk assessment

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.