Since delivering the Third-Party Vendor Cyber Risk Assessment workshop earlier in the year, I’ve been inundated with requests for the sample questionnaire I used for the session.
A copy of the *sample questionnaire is enclosed at the end of this post, and here’s a process a Cyber Analyst may undertake in the workplace to complete a third-party vendor cyber risk assessment using a similar questionnaire:
- the spreadsheet would be sent to a third-party vendor for them to assess and score themselves (i.e. a self-assessment) in column A of the worksheet named ‘Questionnaire’.
- the ‘Scorings’, ‘Bar chart’ (and/or newly added ‘Radar chart’) worksheets would be hidden from the vendor’s view, but the scorings would be populated automatically as the vendor completes their self-assessment.
Once completed and returned by the vendor, the IT or InfoSec Analyst would:
- unhide all hidden worksheet(s)
- analyse each risk score against the company’s risk tolerances. For example, under ‘Accreditation and Compliance’ (cell A103) the sample company has scored 75% because it is not ISO 27001 accredited (a score of 0 in cell A99); if the Analyst’s company only works with vendors accredited to ISO 27001, the question needs to be raised as to whether this vendor is within tolerance, despite holding Cyber Essentials and PCI DSS accreditations.
- ask the third-party vendor for further information if required (including evidence to back up the scorings). Note that some firms may decline to provide copies of their private internal policies, procedures, pen-test reports etc., and may only provide selective evidence such as SOC 2 reports, summary external audit reports and evidential notes of ongoing/completed remediation work on audit findings.
- advise internal stakeholders and provide them with the critical guidance they need to reach an informed decision on whether or not to onboard the third-party vendor (the risk owner may choose to accept the risk posed by the vendor’s lack of ISO 27001 accreditation in view of the other accreditations held and the other risk ratings in the self-assessment overall); do not take any risk decision made against your professional advice personally, as it’s not about you or me – it’s about the business!
If assurance is being sought from a critical vendor providing essential applications, systems, processes or services to the business, repeat assurance could be sought annually, with a subset of these questions asked each time, to ensure the vendor’s cybersecurity risk controls remain within the tolerance set by your company’s senior management team or board.
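As an added illustration (not part of the original post or its spreadsheet), here is a small Python model of the analysis step described above: each category is scored as the percentage of controls in place, compared with the analyst’s tolerance, and any control the company treats as mandatory (ISO 27001 in the post’s example) is flagged even when the percentage alone looks acceptable. The question set, the 70% tolerance and the ‘SOC 2 report available’ row are constructed for the example.

```python
# Constructed example (not the post's spreadsheet): scores each category of a
# vendor self-assessment, compares it with the analyst's tolerance, and flags
# mandatory controls that fail the vendor regardless of the percentage.
# Assumes each question is answered 1 (control in place) or 0 (absent).
from dataclasses import dataclass, field


@dataclass
class Finding:
    category: str
    score: float                 # percentage of questions answered 1
    tolerance: float             # minimum acceptable percentage
    missing_mandatory: list = field(default_factory=list)

    @property
    def within_tolerance(self) -> bool:
        # A missing mandatory control overrides an otherwise acceptable score.
        return self.score >= self.tolerance and not self.missing_mandatory


def score_category(answers: dict) -> float:
    """Percentage of a category's questions answered 1, as in the 'Scorings' sheet."""
    if not answers:
        raise ValueError("category has no questions")
    return 100.0 * sum(answers.values()) / len(answers)


def assess(responses: dict, tolerances: dict, mandatory: dict) -> list:
    """Score every category; unanswered mandatory questions count as absent."""
    findings = []
    for category, answers in responses.items():
        missing = [q for q in mandatory.get(category, []) if not answers.get(q, 0)]
        findings.append(Finding(category, score_category(answers),
                                tolerances.get(category, 100.0), missing))
    return findings


# Mirrors the post's worked example: three of four accreditation questions
# answered yes gives 75%, ISO 27001 being the gap. The SOC 2 row is invented.
SAMPLE_RESPONSES = {"Accreditation and Compliance": {
    "ISO 27001 certified": 0, "Cyber Essentials certified": 1,
    "PCI DSS compliant": 1, "SOC 2 report available": 1}}
SAMPLE_TOLERANCES = {"Accreditation and Compliance": 70.0}  # constructed value
SAMPLE_MANDATORY = {"Accreditation and Compliance": ["ISO 27001 certified"]}

if __name__ == "__main__":
    for f in assess(SAMPLE_RESPONSES, SAMPLE_TOLERANCES, SAMPLE_MANDATORY):
        status = "within tolerance" if f.within_tolerance else "ESCALATE to risk owner"
        print(f"{f.category}: {f.score:.0f}% (tolerance {f.tolerance:.0f}%) - {status}")
        for q in f.missing_mandatory:
            print(f"  mandatory control missing: {q}")
```

With the mandatory list emptied, the same 75% score passes the 70% tolerance, which is the risk-acceptance decision the post leaves to the risk owner.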
*Most companies will have their own questionnaires or alternative processes, systems or tools to seek assurance that their third-party vendors (and increasingly fourth parties) have adopted and are maintaining effective cybersecurity and IT risk management controls; this questionnaire is purely an example of some questions a company may choose to ask vendors.
Good practice dictates that each firm should tailor and send out questionnaires that are commensurate with the services being procured, and in accordance with the risk that each third party might pose to its information assets and privacy obligations.
Finally, a self-assessment questionnaire is one of many tools used to comply with our due diligence obligations as cybersecurity professionals, ensuring we only onboard third-party vendors who provide the same degree of protection to our clients’, employees’ and company’s information assets as we do.
Do remember, too, that we may also be required to complete due diligence questionnaires (DDQs) on behalf of our organisation for companies we provide services to.
Download the read-only sample questionnaire below and please feel free to contact/connect with me through my LinkedIn profile with any questions.