What to Expect in Your Next Vendor Security Questionnaire

BLOG 5 MINS December 10, 2020
What to Expect in Your Next Security Questionnaire

According to a CefPro research study, 90% of organizations use security questionnaires to evaluate their vendors. These security questionnaires help when conducting due diligence on new vendors, third parties, and suppliers – and also when reevaluating existing relationships.  

Because security questionnaires are so common, the teams responding to them are often overwhelmed with requests. What’s more, these questionnaires are usually custommeaning each has unique questions and different terminologyThese differences add complexity to the response process.  

 However, there are commonalities across every security questionnaire that you’re likely to receive. So, what can you expect when you receive your next security questionnaire?  

 1. The Security Questionnaire Will Likely Be Custom with Unique Questions 

While some organizations choose to standardize on a common industry framework, most prefer to use custom questionnairesIn fact, the same CeFPro research study mentioned above found that 84% of security questionnaires are considered an “in-house assessment 

So, what does this mean for you? Without software to automatically answer custom security questionnairesyour team is likely to spend days (sometimes weeks) completing a single questionnaire.  

 2. The Security Questionnaire Will Likely Be Based on a Common Industry Framework 

Many organizations don’t start from scratch when building their questionnaire. Still, while most questionnaires are considered custom, the majority of them are actually based on an industry standard. In practice, the most common industry-standard questionnaires used as a foundation for a security questionnaire are the following:  

  • SIG Lite 
  • SIG Core 
  • ISO 27001 
  • ISO 27701 
  • NIST SP 800-53 
  • GDPR Cross-Border Transfer Assessment  
  • NOYB Model Request to U.S. Importers with SCCs 

Building an answer library using an industry-standard questionnaire as your guide can be a good first step to streamlining responses for custom questionnaires. 

3. The Security Questionnaire Will Address Numerous Risk Domains  

Security questionnaires you receive will likely segment their questions into different sections. The most common sections follow critical risk domains, including: 

  • Risk Management 
  • Security Policy 
  • Organizational Security 
  • Asset and Info Management 
  • Human Resource Security 
  • Physical and Environmental Security 
  • Operations Management 
  • Access Control 
  • Application Security 
  • Incident Event and Communications Management 
  • Business Resiliency 
  • Compliance 
  • End User Device Security 
  • Network Security 
  • Privacy 
  • Threat Management 
  • Server Security 
  • Cloud Hosting 

The risk domains mentioned above are explicitly covered in the Shared Assessments SIG Lite and SIG Core questionnaires.  

 4. The Security Questionnaire Will Likely Require Evidence  

While most organizations rely on security questionnaires, that doesn’t mean a “yes” or “no” answer will be enough. Be prepared to provide evidence to support your answers. This evidence is likely available within the following documents:  

  • SOC Report 
  • Certificate of Insurance 
  • ISO Certifications 
  • Employee Handbook 
  • Internal Policies and Procedures 
  • Technical or Organizational Measure

5. The Security Questionnaire May Require Further Validation 

If your organization is considered mission-criticalor if your organization handles sensitive data, then you can also expect that the security questionnaire that you complete will also require some sort of validation. This validation is typically conducted via a remote or onsite audit and may include the actual testing of the security controls you have in place.  

Automatically Answer Your Next Incoming Vendor Security Questionnaire  

In helping thousands of companies roll out their third-party risk management (TPRM) programs, we realized how vital it is to make it easy for vendors to respond to security questionnaires. As a result, we built our Questionnaire Response Automation technology to help organizations answer vendor security questionnaires faster.  

With OneTrust Vendorpedia Questionnaire Response Automation, you can answer hundreds of questions in secondsThe tool leverages OneTrust Athena™ AI, Natural Language Processing (NLP) and Machine Learning (ML) to match answers in your library with any custom questionnaire you receive.  

Interested in seeing how it works? Start today with the free tool to automatically answer your next questionnaire in seconds, not days or weeks. 

Onetrust All Rights Reserved