Updated March 30, 2022—One of the biggest headaches InfoSec and third-party risk management teams deal with when responding to security questionnaires is the sheer amount of time it takes to fill them out. This is because there isn’t a consensus on which questionnaire should be used, and as a result, most questionnaires, 71% according to RiskRecon, are custom, many of which have hundreds of questions.
Eventually, there will be a standard set of questions for every industry, but we recommend using standard questionnaires whenever possible until that time comes. While every business is different and may require some additional questions and follow-up, most security concerns can be answered by one of the many standard questionnaires available to you.
Relying on standard questionnaires means responses will likely be faster, resulting in shorter buying and selling cycles and the ability for teams to utilize critical applications needed to run your business sooner rather than later. Because there are so many questionnaires available, it can be difficult to know which one will be best for your business. To help you out, we’ve outlined a few things to consider when making your decision, along with a brief primer on some of the more popular questionnaires.
Things to consider when evaluating questionnaires
- How experienced are you with vendor security assessments? Whether you have a robust program to assess third-party risk or you’re just getting started, there’s a questionnaire for you.
- Where are your business and customers located? There are laws in some countries or states that require you to meet certain security standards to handle private customer data.
- What industry are you in? While not every industry has a questionnaire dedicated to them, some like higher education or government, for example, do.
- Are you working toward a particular certification or compliance standard? Some questionnaires are helpful and necessary when you’re working toward earning security certifications or trying to achieve compliance in certain areas.
Tips for responding to security questionnaires
It’s no secret that responding to questionnaires can be tedious and time-consuming, but the process should improve greatly if you follow these tips.
- Build a library of answers. While each questionnaire might be different, that doesn’t mean the answers from one won’t be relevant and applicable to another. Having a library of answers in place will help you respond to questionnaires more quickly and efficiently.
- Save and reuse standard questionnaires. One of the biggest benefits of adopting standardized questionnaires is that they can be used repeatedly with minimal editing, saving the third-party risk management team time it can use to focus on mitigating risk rather than completing administrative tasks.
- Keep your security certifications up-to-date. A surefire way to quickly build trust with a prospect is by including current security certifications with your questionnaires to show how deep your commitment to security is.
- Utilize technology to streamline the process. With the large number of vendor assessments most businesses have to manage, spreadsheets just won’t cut it anymore. Utilizing a vendor risk management platform that enables you to quickly build, respond, and manage assessments throughout the process is a must-have for teams that strive to be more efficient.
Picking the right standard questionnaire
Consensus Assessments Initiative Questionnaire (CAIQ)
The CAIQ is a security questionnaire created by the Cloud Security Alliance. It provides industry-accepted procedures to document security controls in IaaS, PaaS, and SaaS solutions. The CAIQ was designed to help organizations determine whether a cloud provider’s services are sufficiently secure. The questionnaire does this through a series of yes or no questions that help determine compliance with the Cloud Controls Matrix.
The Cloud Security Alliance also provides a shorter, more targeted form of the CAIQ questionnaire (CAIQ Lite) that brings to light the security posture of cloud providers for a key set of controls.
The CAIQ/CAIQ-Lite is right for your organization if it:
- Uses cloud-based applications.
- Stores sensitive information in cloud-based applications.
- Sees value in aligning to a widely used, industry-recognized framework.
Center for Internet Security (CIS)
The CIS Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. CIS Controls help security teams prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.
The CIS First 5 or top-20 is right for your organization if it:
- Doesn’t have a comprehensive methodology or set of security requirements for its vendors.
- Is looking to take the first step in assessing security within its vendor population.
- Needs to determine the most critical areas to establish a risk management program.
General Data Protection Regulation (GDPR)
The GDPR is a privacy law that applies to the processing, storage, and exposure of personally identifiable information of European citizens. Although it was passed by the EU, it applies to any organization that handles private information of those who reside in the EU. Penalties for violating the law are steep, with fines up to €20M or 4% of global revenue—whichever is higher.
The GDPR is right for your organization if it:
- Handles personal data of EU citizens at any point.
- Has operations within the EU borders.
- Has more than 250 employees or has frequent data processing that impacts the rights and freedoms of EU citizens.
- Intends to do business with a citizen of the EU.
Higher Education Cloud Vendor Assessment Tool (HECVAT)
HECVAT is a security framework created by the Higher Education Security Council and is designed specifically for higher education organizations to assess vendor risk. HECVAT helps determine whether a SaaS vendor has the cybersecurity policies and procedures in place to protect the personal information of students and employees. In addition to the full HECVAT, there is also a shorter Lite version, designed to focus on the most common risk factors.
HECVAT or HECVAT Lite is right for your organization if it:
- Is a college or university.
- Needs to identify and manage risks to the university, campus, and student body from third and fourth parties.
- Is a third-party service provider that wants to contract with colleges and universities.
International Organization for Standardization (ISO)
The ISO 27001 is a security framework designed to run risk assessments and audits for InfoSec and vendor teams. It utilizes a systematic approach to vendor risk management and can be used to identify gaps in security processes while providing a framework to help teams proactively address or even prevent security threats or compliance gaps from occurring.
ISO 27001 is right for your organization if it is:
- Working toward a formal ISO certification.
- Looking to design and implement a coherent and comprehensive set of information security controls.
- Looking to adopt a management process to ensure that controls meet its information security requirements on an ongoing basis.
National Institute of Standards and Technology (NIST)
NIST publishes government-focused security frameworks. The SP 800-171 framework focuses on how government agencies (including the Department of Defense) handle the sharing and access of Controlled Unclassified Information (CUI). This information is protected and highly sensitive but isn’t directly regulated by any government agency, making it unclassified.
NIST SP 800-171 is for your organization if it is:
- Already using NIST SP 800-53 within the organization or looking to align to it.
- Working toward FISMA or FedRAMP compliance.
- A vendor looking to sell into the government or Department of Defense.
Standardized Information Gathering (SIG)
The SIG (Standardized Information Gathering) questionnaire family is released by Shared Assessments and addresses multiple areas of risk across many use cases, making it an easily adaptable and relatively flexible framework for many InfoSec teams. Additionally, the original SIG framework has been re-released multiple times as CORE and LITE questionnaires to make it more appealing to smaller, on-the-go security teams. The original SIG questionnaire evaluates 18 risk controls and is a good bet for teams looking to complete more complex RFPs, conduct self-assessments or audits, or assess a broader scope of security risk.
The SIG LITE questionnaire distills the larger, more complex SIG assessment concepts into a few easily manageable questions, making it the ideal assessment to see whether or not a further review is needed.
SIG CORE is a unique approach to the original SIG assessment. It offers InfoSec teams a library of questions to choose from to create their own unique questionnaire with vendors.
The SIG family of questionnaires is right for your organization if it:
- Has to respond to complex RFPs.
- Conducts self-assessments or audits.
- Needs to assess a broader scope of security risk.
Vendor Security Alliance (VSA)
Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes for InfoSec and security teams to complete the questionnaire.
The VSA-Core questionnaire focuses on security and privacy principles and practices. From a security perspective, it does not go into the same depth as the VSA-Full questionnaire, but it does add the Privacy section that covers the core principles of USA data breach laws, the California Consumer Privacy Act, and GDPR.
The VSA/VSA Lite is for your organization if it:
- Is concerned with vendor experience, as the questionnaire focuses on eliminating irrelevant questions, reducing the time it takes for InfoSec and security teams to complete it.
California Consumer Privacy Act
The California Consumer Privacy Act gives consumers more control over personal information collected by businesses. The CCPA regulations provide businesses guidance on how to comply with the law, while also ensuring any third party that processes personal information complies as well.
CCPA is right for your business if it:
- Handles personal information for citizens of California
- Is in the business of reselling personal information
Minimum Viable Secure Product
The Minimum Viable Secure Product is a collaborative baseline developed by a number of top tech companies including Google, Salesforce, Okta, Slack, and others focused on developing a set of minimum security requirements for B2B software and business outsourcing suppliers. The questionnaire contains only controls that must be implemented to ensure a reasonable security posture.
MVSP is right for your business if it:
- Is looking for a baseline to evaluate multiple software products.
- Wants to conduct a high-level review prior to a detailed technical control review.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a recent requirement under GDPR as part of the “protection by design” principle. As outlined in Article 35, the GDPR requires DPIAs to contain the following elements:
- A description of the planned processing operations and the purposes of the processing.
- An assessment of the necessity of the processing operations in relation to the purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
DPIA is right for your business if it:
- Is subject to GDPR
- Is beginning a data processing activity that is likely to involve “a high risk” to other people’s personal information.
Transfer Impact Assessment
According to a July 2020 ruling of the European Court of Justice, the Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements. Most Standard Contractual Clauses bind both parties in relation to their processing of data, but they do not bind a third party to which that data is subsequently transferred. The ruling states that the exporter must verify “on a case by case” basis what protections apply with that third party. The Transfer Impact Assessment clarifies an organization’s risks when transferring data to countries that aren’t bound by GDPR.
TIA is right for your business if it:
- Plans on sharing data with a third party and needs to identify risks surrounding the transfer.
- Engages third parties that have operations in countries that are not bound by GDPR.
SOC 2 Readiness Assessment
Whistic’s SOC 2 Readiness Assessment is designed to help businesses gauge their preparedness for a SOC engagement and to address any issues that need to be fixed before the actual SOC 2 audit.
The SOC 2 Readiness Assessment is right for your business if it:
- Is preparing for a SOC 2 audit and wants to know how prepared it is before the actual audit begins.
- Wants to assess third parties’ compliance with SOC 2 before they obtain an actual SOC 2 report.
Prudential Standard CPS 234
Prudential Standard CPS 234 is a regulatory standardization measure released by APRA (the Australian Prudential Regulation Authority) that aims to ensure all APRA-regulated organizations take clear steps to protect themselves from security threats and vulnerabilities. This regulation may sound straightforward, since taking steps to prepare for and protect against security incidents is already a key responsibility of InfoSec teams; nevertheless, organizations wishing to remain compliant must follow the guidelines outlined by CPS 234.
Organizations impacted by CPS 234 include:
- Deposit-taking organizations, including foreign institutions with an Australian presence
- General insurers, non-operating holding companies, and parent entities of insurance groups
- Life companies and eligible foreign life insurance companies
- Private health insurers
- Other eligible licensees and select operators
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
- Covered Entities: Any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
- Business Associates: Any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. Common examples include: billing companies, practice management firms, third-party consultants, IT providers, physical storage providers, cloud storage providers, email hosting services, and accountants.
NIST SP 800-53
NIST SP 800-53 provides an exhaustive catalog of controls designed to make systems more resilient. These controls are operational and technical and are designed to create management safeguards that can be applied to various information systems. The standard seeks to promote the integrity, confidentiality, availability, and security of information systems.
NIST SP 800-53 does this by defining 18 different sections, which it calls security control families.
NIST SP 800-53 is right for your business if:
- You plan on selling into the government space and need to self-assess.
- You are a federal contractor handling CUI (Controlled Unclassified Information).
PCI DSS 3.2
The Payment Card Industry Data Security Standard (PCI DSS) is an information security and data security standard for organizations that handle branded credit cards from the major card schemes.
Five major credit card companies—Visa, MasterCard, Discover, American Express, and JCB—came together and established the Payment Card Industry Security Standards Council (PCI Security Standards Council or PCI SSC) to administer and manage security standards for companies that handle credit card data.
PCI DSS 3.2 is right for your business if it:
- Accepts or processes payment cards.
- Wants to self-assess with a plan to obtain a formal PCI certification.
How Whistic can help
Whistic is a leading provider of proactive vendor security and is changing the way companies evaluate their vendors and build trust with their customers.
- If you’re a buyer, the Whistic Trust Catalog enables you to perform zero-touch assessments of your vendors in minutes—not weeks.
- If you’re a seller, you can reuse the work you’ve done completing security assessments and share that information over and over again.
Make security your competitive advantage and join customers like Airbnb, Okta, Betterment, Vonage, and Qualtrics by modernizing and automating your vendor security program with Whistic.
Learn more about the latest vendor security trends and processes by downloading our ebook, The 2022 State of Vendor Security.