RFPs: Introducing Information Security & Cybersecurity Standards in RFPs

January 16, 2019

Thanks to the steady increase in potential security threats and malicious technology, vendor security has become a critical part of today’s RFP response process. As the risk has grown, so too has the complexity of InfoSec and Third Party Vendor-specific questions present on most modern RFPs. Information Security teams can no longer hope to skate through the RFP process as these complex questions demand specific, in-depth responses that prove without a doubt the necessary level of compliance.

Understanding cybersecurity standards in RFPs

Because cybersecurity and compliance play such a large role in today’s economy, organizations of all sizes are relying more and more on RFPs to identify genuine, compliant vendors and partners to work with. Whether you’re sending out or responding to RFPs, it’s incredibly important to be transparent and honest in both your questions and your responses. While smaller organizations can sometimes set up a custom work-around if there is a sticking point on a security question, larger entities typically require 100% compliance with a potential client’s RFP. Put simply, if a team is answering ‘No’ to a question on an RFP, there are deficiencies in their cybersecurity posture. For this reason, your team should be prepared to answer any kind of security-related question during the RFP process, regardless of the form the question takes.

At the very least, your team should have ready documentation and language around the OWASP Top Ten, the list of the most critical risks to web application security. Having prepared responses covering the OWASP Top Ten also demonstrates preparedness and efficiency during the RFP response process.

On top of OWASP preparedness, the best way to proactively stay on top of potential RFP requirements and prove compliance is to follow current cybersecurity standards and questionnaires. There are a few popular security questionnaires on the market today that your team should make sure you’re familiar with, including:

  • The CAIQ: As the world leader in cloud computing security and awareness, the Cloud Security Alliance developed the CAIQ to standardize documentation for IaaS, PaaS, and SaaS offerings. This questionnaire also provides specific questions and further discussion points to bring up with potential vendors.
  • CIS First 5 and CIS Top 20: The Center for Internet Security is a non-profit organization that created a list of 20 ‘Controls’ designed to protect critical systems and data from malicious cyber attacks. The First 5 Controls provide an effective defense against common threats, while the more extensive list addresses more sophisticated attacks.
  • SIG/SIG-Lite: The Shared Assessments Group’s SIG is a holistic questionnaire based on other industry-standard regulations and guidelines that compiles a general list of questions applicable to most third-party service providers. While SIG has more than 1,200 questions, the SIG-Lite questionnaire only contains around 200 questions and is for providers with lower risk services.

If your organization is a potential cloud vendor or an enterprise-level organization, answering countless security questionnaires can become tedious and overwhelming. To make RFP responses easier, look to achieving security certifications or credentials such as ISO 27001, NIST 800-171, or PCI DSS that are easy to audit and understand from both an internal and external perspective.

Don’t let RFPs weigh you down

Today, most organizations (especially larger, enterprise-level corporations) leverage RFP templates to streamline the RFP response process. Adding your company’s vendor security profile to your larger RFP template can help streamline the RFP completion process without sacrificing compliance. RFP templates are meant to be easily customized and tailored to any specific questions or angles, and adding a vendor security component to a template will only help to streamline the process in the long run.

The Whistic platform makes it easy to respond to cybersecurity RFP questions and monitor incoming responses because it seamlessly integrates with popular RFP questionnaires and allows InfoSec teams to automatically update answers in real-time as changes are made. Now, if your team is responding to an RFP, InfoSec doesn’t need to manually fill out every single detail over and over. If you are sorting through inbound RFP responses, you can immediately identify potential vendors and partners that match up to and exceed your security standards.

Just because the modern RFP process is more complex doesn’t mean that it has to be tedious or overwhelming. You can learn more about simplifying the vendor security assessment process here.

