Vendor Security Assessment Questionnaire

Comprehensive security questionnaire to send to your vendors, mapped to SOC 2 CC9.2 and the ISO 27001 supplier-relationship controls. This free, professionally written template from Proveably is ready to download in multiple formats and customise for your organisation. No account required.

44-question vendor security assessment covering governance, compliance, data handling, access control, network and infrastructure, incident response, business continuity, development practices, and insurance. Ready to send as-is or customise.


Why You Need This Vendor Security Assessment Questionnaire

A well-documented Vendor Security Assessment Questionnaire is essential for organisations pursuing compliance certifications and building trust with customers, partners, and auditors. Without a repeatable way to assess third parties, your organisation faces several risks:

  • Audit findings: SOC 2 (CC9.2) and ISO 27001 (A.15) both expect evidence that vendor risk is assessed before and during a relationship. A missing or incomplete vendor assessment is a common finding in SOC 2 and ISO 27001 audits.
  • Security gaps: a vendor you have not assessed may hold your data under weaker controls than your own (no MFA, no encryption at rest, slow incident notification), and you will usually find out only after an incident.
  • Regulatory exposure: GDPR (Article 28 obligations on processors), HIPAA (business associate agreements) and PCI DSS (Requirement 12.8, managing service providers) all require documented due diligence on third parties that handle regulated data. Non-compliance can result in fines and legal liability.
  • Lost business opportunities: enterprise customers increasingly require vendors to demonstrate formal security policies before signing contracts, and they will expect you to do the same for your own suppliers.

This Proveably template gives you a professional starting point that covers industry best practices and maps directly to the compliance framework requirements listed below.

Compliance Framework Requirements

This template is designed to support the third-party risk requirements of the following frameworks:

SOC 2

CC9.2 (the entity assesses and manages risks associated with vendors and business partners). Sending this questionnaire, keeping the completed copy with the vendor's evidence, and recording the resulting risk decision is the kind of evidence an auditor expects for that criterion.

ISO 27001

A.15.1 (information security in supplier relationships) and A.15.2 (supplier service delivery management) of the ISO/IEC 27001:2013 Annex A. If you are certified against the 2022 revision, the equivalent controls are A.5.19 to A.5.22 (supplier relationships, supplier agreements, the ICT supply chain, and monitoring and review of supplier services); the questionnaire content is the same, only the reference changes.

Specifically mapped control codes: CC9.2, A.15.1, A.15.2

Template Preview

# Vendor Security Assessment Questionnaire

**Vendor Name**: ________________________
**Completed By**: ________________________
**Date**: ________________________
**Assessment Tier**: ☐ Critical ☐ High ☐ Medium ☐ Low

---

## Instructions

Please answer each question honestly and provide supporting documentation where requested. "N/A" is acceptable where a control does not apply to the services provided; please state briefly why it does not apply.

---

## Section 1: Organization & Governance

1. Do you have a formal information security policy? ☐ Yes ☐ No
2. Is there a designated CISO or equivalent security leader? ☐ Yes ☐ No
3. Do you conduct annual security awareness training for all employees? ☐ Yes ☐ No
4. Do you have a formal risk management program? ☐ Yes ☐ No
5. Is your company publicly traded or backed by institutional investors? ☐ Yes ☐ No

## Section 2: Compliance & Certifications

6. Do you have a current SOC 2 Type II report? ☐ Yes ☐ No — If yes, please provide the report (and a bridge letter if the report period ended more than 12 months ago).
7. Do you hold ISO 27001 certification? ☐ Yes ☐ No — If yes, provide the certificate, including its scope.
8. Do you hold any other relevant attestations or certifications (HIPAA, PCI DSS, FedRAMP, etc.)? _____________________________________________________________
9. When was your last external security audit? ________
10. Are there any outstanding audit findings? ☐ Yes ☐ No

## Section 3: Data Handling

11. What types of data will you process for us? ☐ PII ☐ PHI ☐ Financial ☐ IP ☐ Business confidential ☐ Public only
12. In which countries/regions will our data be stored? ________
13. Do you encrypt data at rest? ☐ Yes ☐ No — Algorithm: ________
14. Do you encrypt data in transit? ☐ Yes ☐ No — Protocol and minimum version: ________
15. Do you have a data retention and disposal policy? ☐ Yes ☐ No
16. Can you provide data deletion upon contract termination? ☐ Yes ☐ No
17. Do you use sub-processors? ☐ Yes ☐ No — If yes, please list.

## Section 4: Access Control

18. Do you enforce multi-factor authentication? ☐ Yes ☐ No
19. Do you follow least-privilege access principles? ☐ Yes ☐ No
20. How frequently do you conduct access reviews? ☐ Quarterly ☐ Semi-annually ☐ Annually ☐ Never
21. Do you have a formal onboarding/offboarding process for access? ☐ Yes ☐ No
22. Is privileged access logged and monitored? ☐ Yes ☐ No
23. Time to revoke access upon employee termination: ☐ Same day ☐ 24h ☐ 48h ☐ Other

## Section 5: Network & Infrastructure

24. Do you use a Web Application Firewall (WAF)? ☐ Yes ☐ No
25. Do you perform regular vulnerability scanning? ☐ Yes ☐ No — Frequency: ________
26. Do you perform annual penetration testing? ☐ Yes ☐ No
27. Do you have DDoS protection? ☐ Yes ☐ No
28. Do you segment your network? ☐ Yes ☐ No
29. Do you have intrusion detection/prevention systems? ☐ Yes ☐ No

## Section 6: Incident Response

30. Do you have a formal incident response plan? ☐ Yes ☐ No
31. How quickly will you notify us of a security incident? ☐ 24h ☐ 48h ☐ 72h ☐ Other
32. Have you experienced a data breach in the last 3 years? ☐ Yes ☐ No
33. Do you conduct incident response tabletop exercises? ☐ Yes ☐ No — Frequency: ________

## Section 7: Business Continuity

34. Do you have a business continuity plan? ☐ Yes ☐ No
35. What is your committed uptime SLA? ________%
36. RTO: ________ hours | RPO: ________ hours
37. Do you test your DR plan? ☐ Yes ☐ No — Frequency: ________
38. Do you use multi-region/multi-AZ deployment? ☐ Yes ☐ No

## Section 8: Development Practices

39. Do you follow a formal Software Development Lifecycle (SDLC)? ☐ Yes ☐ No
40. Do all code changes require peer review? ☐ Yes ☐ No
41. Do you perform automated security testing in CI/CD? ☐ Yes ☐ No
42. Do you maintain a Software Bill of Materials (SBOM)? ☐ Yes ☐ No

## Section 9: Insurance

43. Do you carry cyber liability insurance? ☐ Yes ☐ No — Coverage: $________
44. Do you carry errors & omissions insurance? ☐ Yes ☐ No

---

**Vendor Signature**: ________________________
**Date**: ________________________

*Please attach: SOC 2 report, ISO certificate, insurance certificate, privacy policy, and DPA (if applicable).*
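Once a vendor returns the completed questionnaire, the reviewer's first pass is mechanical: find the Yes/No answers that should block or escalate onboarding. The script below is an added example, not part of the Proveably template; it parses the checkbox lines of a filled-in copy (ticked as ☑ or, in plain-text returns, as `[x]`), treats a question with neither or both boxes ticked as a follow-up item rather than a pass, and applies a severity table to produce findings and an overall score. The question numbers follow the template above; the severity weights, the `review`/`parse_answers` function names and the sample response are assumptions constructed for the example.

```python
"""Parse and score a completed Vendor Security Assessment Questionnaire.

Reads the Yes/No lines of a filled-in copy of the questionnaire (a box is
ticked by changing ☐ to ☑, or [ ] to [x]) and raises a finding for every
answer a reviewer would normally escalate. The severity table and the
sample responses below are constructed for this example and are not part
of the template.
"""
import re
from dataclasses import dataclass

BOX = r"(☐|☑|\[[ xX]\])"
# Matches e.g. "18. Do you enforce multi-factor authentication? ☑ Yes ☐ No ..."
YESNO = re.compile(r"^\s*(\d+)\.\s+(.+?)\s+" + BOX + r"\s*Yes\s+" + BOX + r"\s*No")

# Question number -> (answer that raises a finding, severity, reviewer note).
# Severity 3 blocks onboarding, 2 needs a remediation plan, 1 is tracked.
# Numbers follow the questionnaire above; the weights are an assumption.
RULES = {
    1:  ("No", 2, "no information security policy"),
    6:  ("No", 1, "no SOC 2 Type II report; ask for alternative evidence"),
    13: ("No", 3, "data at rest is not encrypted"),
    14: ("No", 3, "data in transit is not encrypted"),
    16: ("No", 2, "cannot delete our data at contract termination"),
    18: ("No", 3, "MFA is not enforced"),
    22: ("No", 2, "privileged access is not logged and monitored"),
    25: ("No", 2, "no vulnerability scanning"),
    30: ("No", 3, "no incident response plan"),
    32: ("Yes", 2, "breach in the last 3 years; request the post-incident report"),
    34: ("No", 2, "no business continuity plan"),
    40: ("No", 1, "code changes are not peer reviewed"),
    43: ("No", 1, "no cyber liability insurance"),
}


@dataclass
class Finding:
    number: int
    question: str
    answer: str
    severity: int
    note: str


def _ticked(box: str) -> bool:
    return box in ("☑", "[x]", "[X]")


def parse_answers(text: str):
    """Return ({number: "Yes" | "No" | None}, {number: question text}).

    None means neither or both boxes were ticked; the reviewer has to
    follow up rather than treat it as a pass.
    """
    answers, questions = {}, {}
    for line in text.splitlines():
        m = YESNO.match(line)
        if not m:
            continue  # free-text, multiple-choice or heading line
        num, question, yes_box, no_box = m.groups()
        yes, no = _ticked(yes_box), _ticked(no_box)
        answers[int(num)] = None if yes == no else ("Yes" if yes else "No")
        questions[int(num)] = question
    return answers, questions


def review(text: str):
    """Apply RULES to a completed questionnaire.

    Returns (findings, score, blocking): score is the summed severity and
    blocking is True when any severity-3 finding is present.
    """
    answers, questions = parse_answers(text)
    findings = []
    for num, (bad_answer, severity, note) in sorted(RULES.items()):
        if num not in answers:
            continue  # question not present in this excerpt
        answer = answers[num]
        if answer is None:
            findings.append(Finding(num, questions[num], "unanswered", 1,
                                    "no box ticked; follow up with the vendor"))
        elif answer == bad_answer:
            findings.append(Finding(num, questions[num], answer, severity, note))
    score = sum(f.severity for f in findings)
    blocking = any(f.severity == 3 for f in findings)
    return findings, score, blocking


# Constructed sample of a vendor's returned answers (not real vendor data).
SAMPLE_RESPONSE = """\
1. Do you have a formal information security policy? ☑ Yes ☐ No
6. Do you have a current SOC 2 Type II report? ☑ Yes ☐ No — If yes, please provide the report.
13. Do you encrypt data at rest? ☑ Yes ☐ No — Algorithm: AES-256-GCM
14. Do you encrypt data in transit? ☑ Yes ☐ No — Protocol: TLS 1.2+
16. Can you provide data deletion upon contract termination? ☑ Yes ☐ No
18. Do you enforce multi-factor authentication? ☐ Yes ☑ No
20. How frequently do you conduct access reviews? ☐ Quarterly ☑ Semi-annually ☐ Annually ☐ Never
22. Is privileged access logged and monitored? ☐ Yes ☐ No
25. Do you perform regular vulnerability scanning? [x] Yes [ ] No — Frequency: monthly
30. Do you have a formal incident response plan? [x] Yes [ ] No
32. Have you experienced a data breach in the last 3 years? ☑ Yes ☐ No
"""

if __name__ == "__main__":
    findings, score, blocking = review(SAMPLE_RESPONSE)
    for f in findings:
        print(f"Q{f.number} [sev {f.severity}] {f.answer}: {f.note}")
    print(f"score={score} blocking={blocking}")
```

On the sample response this reports three findings: Q18 (MFA not enforced, blocking), Q22 (unanswered, follow up) and Q32 (a breach in the last three years, request the report), for a score of 6 with onboarding blocked. Questions that take a frequency or a free-text answer (Q9, Q20, Q35, Q36) are deliberately skipped by the regex; those still need a human read, as does every attachment the vendor supplies.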

Frequently Asked Questions

What is a Vendor Security Assessment Questionnaire?
A Vendor Security Assessment Questionnaire is a structured set of questions you send to a vendor before granting it access to your data or systems, and again at a regular interval afterwards. The answers, together with the evidence the vendor attaches, let you document the vendor's security posture, record a risk decision, and show auditors that third-party risk is managed.

Is this template free?
Yes. Proveably provides this Vendor Security Assessment Questionnaire template completely free of charge. You can download it in Markdown, PDF, Word, Excel, or plain text format, with no account required.

Which frameworks does it map to?
This questionnaire is mapped to SOC 2 (CC9.2) and ISO 27001 (A.15.1, A.15.2). It includes the specific control references and requirements needed to satisfy auditor expectations for these frameworks.

How do I use it?
Download the template in your preferred format, fill in the blank fields with your organisation's specific details, and set the assessment tier for the vendor. Review it with your security team or compliance officer, get management approval, and send it to the vendor to complete. Keep the returned questionnaire and its attachments with your vendor risk record. Proveably recommends reviewing and updating this questionnaire at least annually.

Can I customise it?
Absolutely. This template is designed as a starting point. All sections should be tailored to your organisation's size, industry, and specific compliance requirements; the blank fields indicate where your own details go, and you should add or remove questions to match the services the vendor provides.
