Why More Businesses Should Adopt Standard Questionnaires

May 04, 2021

OneTrust’s announcement that it is acquiring Shared Assessments, author of the Standardized Information Gathering (SIG) questionnaire, further validates Whistic’s stance on the importance of businesses adopting standard questionnaires and industry frameworks to identify and eliminate risks across their organizations.

In the announcement, Whistic CEO Nick Sorenson stated, “The third-party risk industry is in need of more collaboration to drive innovation and this announcement represents a bold move in that direction. Reliance on standards like the SIG makes establishing trust and transparency easier for both buyers and sellers in the Whistic ecosystem and across the industry in general. As a long-time Shared Assessment Member and Licensee, I’m confident that this acquisition will help accelerate this trend and benefit all of us.” 

 

Trends show businesses are adopting standard questionnaires 

While it’s true that each business has a unique tolerance for risk, that doesn’t mean the questionnaires used to assess vendors need to be unique as well. One or a combination of the many industry frameworks and standard questionnaires available should provide enough information for you to begin the review. Then you can incorporate custom risk ratings and review methodologies to evaluate potential vendors.

Recent research by Whistic found that only 13% of respondents were using just standard questionnaires to assess vendors, while 57% used a mix of custom and industry standard questionnaires, and 27% used just custom questionnaires. However, 48% indicated they were considering adopting standard questionnaires in the near future.

One thing that may be holding some businesses back from diving headfirst into standard questionnaires is that no consensus currently exists on which standard questionnaires should be used. That said, we still believe you can get all the information you need to assess risk in your organization from standard questionnaires and industry frameworks. Let's delve into the reasons why you should consider using standards to assess your vendors.

 

Standard questionnaires have been vetted and proven effective

Standard questionnaires like the SIG, CAIQ, and VSA were created by organizations whose sole focus is helping businesses identify risk and keep data secure. A lot of time and research went into determining which security controls to have in place, how to prioritize your assets, and how often you need to train your employees on security policies and procedures, among other things.

 

Stay informed about potential weaknesses in your environment

The 2021 State of Vendor Security found the primary reason businesses started assessing their vendors was to stay in front of potential breaches. Standard questionnaires ensure you have done the necessary due diligence to vet vendors and identify risks before allowing them into your environment and providing them access to your data.

 

Vendors are more familiar with standard questionnaires

One of the biggest reasons businesses should consider adopting standard questionnaires is that it will likely increase the speed at which vendors respond to assessment requests. It also enables those vendors to proactively share their security posture with you early in the sales cycle because they will know the information they compiled meets your needs.

In fact, 82% of InfoSec professionals surveyed for the 2021 State of Vendor Security stated they would be willing to use on-demand, standard questionnaires to begin the assessment process. What that means for your business is that assessments could be conducted in days, not weeks, and your key stakeholders would get access more quickly to the critical applications needed to run your business.

 

Utilizing standard questionnaires in Whistic

Whistic simplifies the vendor assessment process. The tool has 15 pre-built standard questionnaires and industry frameworks ready to use out-of-the-box that help you ditch spreadsheets and email and start implementing an automated, fully customizable process.

If you do decide to utilize a standard questionnaire, it’s as easy as hitting a share button in the dashboard. Once the questionnaire is returned from the customer, it’s time to start reviewing the responses. Whistic enables you to invite and collaborate with all the key stakeholders in your organization and helps you compile a report that can be shared with executives or the KDM to make the final decision on the vendor.


To learn more about how Whistic Vendor Security can help your business, visit whistic.com/vendor-security.


About the author

Whistic