Sample Third-Party Cyber Risk - Self-Assessment Questionnaire

Since delivering the Third-Party Vendor Cyber Risk Assessment workshop earlier in the year, I’ve been inundated with requests for the sample questionnaire I used for the session.

A copy of the *sample questionnaire is enclosed at the end of this post, and here’s a process a Cyber Analyst may undertake in the workplace to complete a third-party vendor cyber risk assessment using a similar questionnaire:

  • the spreadsheet would be sent to the third-party vendor for them to score themselves (i.e. self-assessment) in column A of the worksheet named ‘Questionnaire’.
  • the ‘Scorings’, ‘Bar chart’ (and/or newly added ‘Radar chart’) worksheets would be hidden from the vendor’s view but would be automatically populated as the vendor completes their self-assessment.

Once completed and returned, the IT or Cyber Analyst would:

  • unhide all hidden worksheet(s)
  • analyse each risk score against their company’s risk tolerances, e.g. under ‘Accreditation and Compliance’ (cell A103) the sample company has scored 75% because it is not ISO 27001 accredited (0 score in cell A99); if the Analyst’s company only works with vendors accredited to ISO 27001, the question needs to be raised as to whether this vendor is within tolerance despite being accredited to Cyber Essentials and PCI DSS.
  • request further information from the third-party vendor if required (including evidence to back up the scorings). Some firms may decline to provide copies of their private internal policies and procedures, and only provide selective evidence such as SOC 2 reports, summary external audit reports and details of ongoing/completed remediation work on audit findings.
  • reach a decision with internal stakeholders on whether to onboard the third-party vendor or not (the business owner may essentially choose to accept the risk posed by the vendor’s lack of ISO 27001 accreditation in view of the other accreditations held and the otherwise high ratings in the self-assessment overall).
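To make the tolerance step concrete, here is an added example in Python (not the spreadsheet from this post) that scores a section the way the hidden ‘Scorings’ worksheet would and then applies two separate checks: is the section score within the company’s tolerance, and is any control the company treats as mandatory unmet regardless of the aggregate? It reproduces the post’s scenario, where a 75% section score can hide a disqualifying gap. The 70% tolerance, the SOC 2 question, the `mandatory` flag and every cell reference other than A99 are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    cell: str                # cell in the 'Questionnaire' worksheet holding the vendor's score (0 or 1)
    text: str
    weight: int = 1          # relative importance within the section (assumed equal here)
    mandatory: bool = False  # control the commissioning company will not do without (assumption)


@dataclass(frozen=True)
class Section:
    name: str
    questions: tuple
    tolerance: float         # minimum acceptable section score, 0.0 to 1.0 (assumed value)


def section_score(section, answers):
    """Weighted share of achievable points the vendor scored in one section
    (the figure the post shows in cell A103 for 'Accreditation and Compliance').

    Missing answers count as 0, so an unanswered question lowers the score
    rather than silently inflating it.
    """
    achievable = sum(q.weight for q in section.questions)
    scored = sum(q.weight * answers.get(q.cell, 0) for q in section.questions)
    return scored / achievable if achievable else 0.0


def assess(sections, answers):
    """Return (decision, findings) for a completed self-assessment.

    A section is flagged when it scores below its tolerance, and separately
    when any mandatory control is unmet, even if the aggregate is acceptable.
    Findings are what the analyst raises with the business owner.
    """
    findings = []
    for section in sections:
        score = section_score(section, answers)
        if score < section.tolerance:
            findings.append(
                f"{section.name}: scored {score:.0%}, below tolerance {section.tolerance:.0%}"
            )
        for q in section.questions:
            if q.mandatory and answers.get(q.cell, 0) == 0:
                findings.append(
                    f"{section.name}: mandatory control unmet ({q.cell}: {q.text}) "
                    f"despite section score {score:.0%}"
                )
    decision = "within tolerance" if not findings else "escalate to business owner"
    return decision, findings


# Constructed sample mirroring the post's example: four equally weighted
# yes/no questions, ISO 27001 treated as mandatory. The SOC 2 question and
# the cells A100-A102 are assumptions; A99 is the cell named in the post.
ACCREDITATION = Section(
    name="Accreditation and Compliance",
    tolerance=0.70,
    questions=(
        Question("A99", "ISO 27001 certified", mandatory=True),
        Question("A100", "Cyber Essentials certified"),
        Question("A101", "PCI DSS compliant"),
        Question("A102", "SOC 2 report available"),
    ),
)

# Constructed vendor answers: everything except ISO 27001, giving 3/4 = 75%.
SAMPLE_ANSWERS = {"A99": 0, "A100": 1, "A101": 1, "A102": 1}


if __name__ == "__main__":
    decision, findings = assess([ACCREDITATION], SAMPLE_ANSWERS)
    print(f"{ACCREDITATION.name}: {section_score(ACCREDITATION, SAMPLE_ANSWERS):.0%}")
    print(f"Decision: {decision}")
    for finding in findings:
        print(f" - {finding}")
```

The point of the second check is that a percentage threshold alone would pass this vendor (75% against a 70% tolerance); only by marking ISO 27001 as a must-have does the gap surface as a finding for the business owner to accept or reject explicitly.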

If assurance is being sought from a critical vendor providing essential applications, systems, processes or services to the business, it could be sought annually, with a subset of these questions asked each year to confirm that the vendor’s cybersecurity risk controls remain within the tolerance set by the commissioning company’s senior management team or board.

*Most companies will have their own questionnaires or alternative processes, systems or tools to seek assurance that their third-party vendors (and increasingly fourth parties) have adopted and are maintaining effective cybersecurity and IT risk management controls; this questionnaire is purely an example of some questions a company may choose to ask vendors.

Good practice dictates that each firm should tailor and send out questionnaires that are commensurate with the services being procured, and in accordance with the risk that each third party might pose to its information assets and privacy obligations.

Finally, a self-assessment questionnaire is one of many tools used to comply with our due diligence obligations as cybersecurity professionals, to ensure we only onboard third-party vendors who provide the same degree of protection to our clients’, employees’ and company’s information assets as we do.

Download the read-only sample questionnaire below and please feel free to contact/connect with me through my LinkedIn profile with any questions.

Sample Third-Party Vendor’s – Self-Assessment Cyber Risk Scoring

Follow the Ladder Back Down on LinkedIn and YouTube.
