What You Should Be Asking in Your Assessment Questionnaire

May 25, 2021

For many InfoSec teams, security assessment questionnaires are as much a hindrance as they are a help. Assessment questionnaires are meant to help groups compare areas of risk and opportunity, but sorting through and compiling the responses can be a full-time job in itself, one that InfoSec team members are expected to complete as an afterthought.


Using a custom assessment questionnaire


While there are plenty of trusted industry security assessments on the market, many modern SaaS organizations find that a canned questionnaire cannot keep up with the unique security controls they have in place. In addition, SaaS vendors have become so varied in scope that answers to canned questions don't always fit into a pre-defined box, which leads to even more manual data segmentation.

Today’s leading SaaS organizations turn to custom or semi-custom assessments that ask the questions they want—and need—to know to do business. Setting up a scalable, repeatable assessment questionnaire can also help automate the response gathering process, making it easier to understand immediately if a vendor is a viable prospect for your organization.



Here are some areas of focus to keep in mind when writing the questions for your assessment questionnaire:

1. Current data security risk controls: This should be at the core of your assessment questionnaire. How is the vendor currently managing data privacy and security risk? What controls are in place? This is where you uncover the foundational information that will shape your response later in the process.

2. Similar partnerships already in place: One question to ask right out of the gate is which similar partnerships the vendor already has in place. If you're a healthcare organization looking to partner with a vendor that already serves multiple healthcare customers, you can be more confident in their HIPAA and targeted privacy safeguards. However, if you are their first healthcare partner, expect a learning curve while they work to ensure your data is protected.

3. Hardware or data requirements: Will your team have to change or update any data safeguards to enter into the partnership? A security assessment questionnaire should outline precisely what has to happen, because adding new hardware or new data-handling rules can be a lot of work.

4. Internal risk education programs: Unfortunately, a majority of data incidents are caused by human error or a lapse in internal security processes. Your vendors must be incredibly diligent in how they educate their staff and talk about data security internally. On your assessment questionnaire, don't be shy about asking how many people within the organization are certified in areas such as HIPAA or GDPR compliance.


Whether you're using a canned security assessment questionnaire or building your own for more flexibility, asking the right questions can be instrumental in finding and signing new vendor partners.


About the author

Whistic

The latest insights and updates on information security and third party risk management.
