One of the biggest headaches InfoSec and third-party risk management teams deal with when responding to security questionnaires is the sheer amount of time it takes to fill them out. There is no consensus on which questionnaire should be used, so most questionnaires (71%, according to RiskRecon) are custom, and many of them run to hundreds of questions.
Eventually, there will be a standard set of questions for every industry, but we recommend using standard questionnaires whenever possible until that time comes. While every business is different and may require some additional questions and follow up, most security concerns can be answered by one of the many standard questionnaires available to you.
Relying on standard questionnaires means responses will likely be faster, resulting in shorter buying and selling cycles and the ability for teams to utilize critical applications needed to run your business sooner rather than later. Because there are so many questionnaires available, it can be difficult to know which one will be best for your business. To help you out, we’ve outlined a few things to consider when making your decision, along with a brief primer on some of the more popular questionnaires.
Things to consider when evaluating questionnaires
- How experienced are you with vendor security assessments? Whether you have a robust program to assess third party risk or you’re just getting started, there’s a questionnaire for you.
- Where are your business and customers located? There are laws in some countries or states that require you to meet certain security standards to handle private customer data.
- What industry are you in? Not every industry has a questionnaire dedicated to it, but some, such as higher education and government, do.
- Are you working toward a particular certification or compliance standard? Some questionnaires are helpful and necessary when you’re working toward earning security certifications or trying to achieve compliance in certain areas.
Tips for responding to security questionnaires
It’s no secret that responding to questionnaires can be tedious and time-consuming, but the process should improve greatly if you follow these tips.
- Build a library of answers. While each questionnaire might be different, that doesn’t mean the answers from one won’t be relevant and applicable to another. Having a library of answers in place will help you respond to questionnaires more quickly and efficiently.
- Save and reuse standard questionnaires. One of the biggest benefits of adopting standardized questionnaires is that they can be used repeatedly with minimal editing, saving the third party risk management team time they can use to focus on mitigating risk as opposed to completing administrative tasks.
- Keep your security certifications up-to-date. A surefire way to quickly build trust with a prospect is to include current certifications and attestation reports (for example, ISO 27001 or SOC 2) with your questionnaire responses; an expired or out-of-scope report invites follow-up questions rather than answering them.
- Utilize technology to streamline the process. With the large number of vendor assessments most businesses have to manage, spreadsheets just won’t cut it anymore. Utilizing a vendor risk management platform that enables you to quickly build, respond, and manage assessments throughout the process is a must-have for teams that strive to be more efficient.
Read The Ultimate Guide to Vendor Risk Management
The current processes for managing and assessing vendor risk and security are manual and outdated—but it doesn’t have to be that way. We go over best practices to modernize your vendor risk assessment program to take it to the next level.
Picking the right standard questionnaire
Consensus Assessments Initiative Questionnaire (CAIQ)
The CAIQ is a security questionnaire created by the Cloud Security Alliance (CSA). It provides an industry-accepted way to document the security controls of IaaS, PaaS, and SaaS offerings, and was designed to help organizations determine whether a cloud provider's services are sufficiently secure. It does this through a series of yes/no questions, each mapped to a control in the CSA Cloud Controls Matrix (CCM), so a completed CAIQ doubles as a statement of CCM compliance.
The Cloud Security Alliance also provides a shorter, more targeted form of the CAIQ questionnaire (CAIQ Lite) that brings to light the security posture of cloud providers for a key set of controls.
The CAIQ/CAIQ-Lite is right for your organization if it:
- Uses cloud-based applications.
- Stores sensitive information in cloud-based applications.
- Sees value in aligning to a widely used, industry-recognized framework.
Center for Internet Security (CIS)
The CIS Critical Security Controls are a prioritized set of defensive actions that form a specific, actionable, defense-in-depth baseline for mitigating the most common cyber attacks. They help security teams focus on a small number of measures that greatly reduce risk rather than on an exhaustive control catalog. Note that CIS Controls v8 consolidated the older "Top 20" into 18 Controls and groups safeguards into Implementation Groups; IG1 ("essential cyber hygiene") is the current equivalent of the "First 5" starting point referred to below.
The CIS First 5 or Top 20 is right for your organization if it:
- Doesn’t have a comprehensive methodology or set of security requirements for your vendors.
- Is looking to take the first step in assessing security within your vendor population.
- Needs to determine the most critical areas to establish a risk management program.
General Data Protection Regulation (GDPR)
The GDPR is an EU data protection regulation that governs the collection, processing, storage, and disclosure of personal data relating to people in the EU. Although it was passed by the EU, it applies to any organization, wherever located, that processes the personal data of people in the EU in the circumstances set out in Article 3. Penalties for violating the law are steep, with administrative fines of up to €20M or 4% of global annual turnover, whichever is higher.
A GDPR-based questionnaire is right for your organization if it:
- Handles personal data of people in the EU at any point.
- Has an establishment within the EU.
- Has 250 or more employees, or processes personal data in a way that is not occasional, is likely to result in a risk to the rights and freedoms of data subjects, or includes special categories of data (the thresholds at which Article 30 record-keeping obligations apply even to smaller organizations).
- Offers goods or services to, or monitors the behaviour of, people in the EU (Article 3(2)).
Higher Education Cloud Vendor Assessment Tool (HECVAT)
HECVAT is a security assessment framework created by the EDUCAUSE Higher Education Information Security Council (HEISC), together with Internet2 and REN-ISAC, and is designed specifically for colleges and universities to assess vendor risk. HECVAT helps determine whether a SaaS vendor has the cybersecurity policies and procedures in place to protect the personal information of students and employees. In addition to the full HECVAT, there is a shorter Lite version that focuses on the most common risk factors.
HECVAT or HECVAT Lite is right for your organization if it:
- Is a college or university.
- Needs to identify and manage risks to the university, campus, and student body from third and fourth parties.
- Is a third-party service provider that wants to contract with colleges and universities.
International Organization for Standardization (ISO)
ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS). Its Annex A control set, detailed in ISO/IEC 27002, is widely used by InfoSec and vendor teams as the basis for risk assessments and audit questionnaires. Because it is built around a risk assessment and treatment cycle, it can be used both to identify gaps in security processes and to provide a management framework for addressing, or preventing, security and compliance gaps on an ongoing basis.
ISO 27001 is right for your organization if it is:
- Working toward a formal ISO certification.
- Looking to design and implement a coherent and comprehensive set of information security controls.
- Looking to adopt a management process to ensure that controls meet its information security requirements on an ongoing basis.
National Institute of Standards and Technology (NIST)
NIST is the US federal standards body, and its Special Publication 800 series is the basis of most government-focused security frameworks. NIST SP 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations") sets out the requirements that contractors and other non-federal organizations must meet when they store, process, or transmit Controlled Unclassified Information (CUI) on behalf of the government. CUI is information that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled, but that is not classified national security information; it is "unclassified" in that sense, not because it is unregulated. Its requirements are derived from the moderate baseline of NIST SP 800-53, and Department of Defense contractors are required to implement it under DFARS clause 252.204-7012.
NIST SP 800-171 is right for your organization if it is:
- Already using NIST SP 800-53 or looking to align to it.
- Working toward FISMA or FedRAMP compliance, which are built on the same SP 800-53 control catalog.
- A vendor looking to sell into the federal government or the Department of Defense.
Standardized Information Gathering (SIG)
The SIG (Standardized Information Gathering) questionnaire family is published by Shared Assessments and addresses multiple areas of risk across many use cases, making it an adaptable and relatively flexible framework for many InfoSec teams. The original SIG has been re-released multiple times, and is now offered as SIG Core and SIG Lite to make it more approachable for smaller, time-constrained security teams. The full SIG evaluates 18 risk domains and is a good bet for teams that need to complete more complex RFPs, conduct self-assessments or audits, or assess a broader scope of risk.
The SIG LITE questionnaire distills the larger, more complex SIG assessment concepts into a few easily manageable questions, making it the ideal assessment to see whether or not a further review is needed.
SIG Core takes a different approach to the original SIG assessment: it gives InfoSec teams a library of questions to choose from so they can scope a questionnaire to the specific services and risks of each vendor.
The SIG family of questionnaires is right for your organization if it:
- Has to respond to complex RFPs.
- Conducts self-assessments or audits.
- Needs to assess a broader scope of risk.
Vendor Security Alliance (VSA)
Unlike most other questionnaires, the VSA assessment was created with the vendor in mind. Its focus is on eliminating irrelevant questions, reducing the time it takes the responding InfoSec and security teams to complete it.
The VSA-Core questionnaire focuses on security and privacy principles and practices. From a security perspective it does not go into the same depth as the VSA-Full questionnaire, but it adds a Privacy section that covers the core principles of US data breach laws, the California Consumer Privacy Act (CCPA), and the GDPR.
The VSA-Core or VSA-Full questionnaire is right for your organization if it:
- Prioritizes the vendor's experience and wants a concise, security-focused assessment that can be completed quickly.
- Needs privacy (US breach notification, CCPA, GDPR) covered in the same questionnaire as security.
How Whistic can help
Whistic is a leading provider of proactive vendor security and is changing the way companies evaluate their vendors and build trust with their customers.
- If you’re a buyer, the Whistic Trust Catalog enables you to perform zero-touch assessments of your vendors in minutes—not weeks.
- If you’re a seller, you can reuse the work you’ve done completing security assessments and share that information over and over again.
Make security your competitive advantage and join customers like Airbnb, Okta, Betterment, Vonage, and Qualtrics by modernizing and automating your vendor security program with Whistic.
Learn more about how to modernize your vendor security process by downloading our ebook, The Ultimate Guide to Vendor Assessments.