6 of the Top Questionnaires for IT Vendor Assessments

By Michelle Wu

Posted on Mar 2, 2020

Trust is essential in every good business partnership, but knowing whether your vendors merit that trust can be difficult. With the recent growth in information technology (IT) services, the avenues through which trust can be broken, either intentionally or unintentionally, have multiplied.

Vendor security assessment questionnaires are one way to check that IT service providers follow appropriate security practices, so your company can weigh the risk of entrusting them with its critical data. However, as more information security questionnaires come onto the market, it can be a challenge for a business to decide which vendor assessment structure to use, at which time, and for which vendor.

At SecurityScorecard, protecting your organization against vulnerabilities and security gaps is our job and passion. That’s why we’ve compiled this list of the top six questionnaires to use to guarantee your company’s data is protected.

Here are six of the top questionnaires for IT vendor assessments:

1. Center for Internet Security – CIS Critical Security Controls (CSC)

The Center for Internet Security (CIS) is a pioneering, not-for-profit entity that uses the power of a worldwide IT community to ensure that private and public organizations are safe from cyber threats.

The Center for Internet Security offers 20 controls that provide guidelines for adequately securing systems and the flow of sensitive data when warding off cybersecurity threats. Because the CIS controls are rooted in a deep understanding of the cyber-attack lifecycle, they thoroughly address the most common indicators of these dangers and how to adjust defensive processes accordingly.

The CIS Controls questionnaire offers more than 150 questions mapped to a widely recognized set of cybersecurity standards.

2. National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) advances practical privacy and cybersecurity through the outreach and implementation of standards and best practices that the United States needs in order to achieve cybersecurity competence.

NIST Special Publication 800-53 is a list of guidelines and standards that helps federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). Its objective is to provide a holistic approach to risk management and cybersecurity by offering organizations a wide range of security controls to strengthen their information systems and the environments in which those systems operate.

3. Payment Card Industry Data Security Standards Council (PCI SSC)

Founded in 2006 by the five top credit card providers, namely Mastercard, Visa, Discover, Amex and JCB International, the PCI Security Standards Council (PCI SSC) is a global forum that unifies payments industry stakeholders to develop and drive the adoption of data security resources and standards for safe payments all over the world. Its standards were created to increase controls around cardholder data in order to decrease credit card fraud.

4. Shared Assessments Group

The Shared Assessments Program is “the trusted source for third party risk management.” It offers organizations a breadth of resources, tools, and best practices to efficiently manage the important components of the vendor risk management lifecycle.

Its Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of IT, cybersecurity, data security, business resiliency, and privacy in an IT environment.

5. Vendor Security Alliance

The Vendor Security Alliance (VSA) is a non-profit dedicated to improving general internet security and reducing vendor-related cyber threats. As a coalition of companies, its members recognize the criticality of community and the need for widespread awareness in combating these ever-evolving digital threats.

The Vendor Security Alliance Questionnaire (VSAQ) was first published in 2016 to help companies vet their suppliers’ security practices. It is made up of six sections and addresses security policy, data protection, reactive security measures, compliance, and supply chain management. The questionnaire was created with the vendor in mind and focuses on eliminating unnecessary friction during the security review procedure.

6. General Data Protection Regulation (GDPR)

The General Data Protection Regulation is a regulation in European law on data protection and privacy. The GDPR vendor questionnaire was created to help businesses ensure that their cloud suppliers will be compliant and process data in a compliant manner.

How SecurityScorecard can help

The traditional IT vendor questionnaire process can be arduous, even when using one of the frameworks discussed above. Fortunately, SecurityScorecard Atlas can help accelerate and modernize this process by enabling senders and receivers to easily manage, complete, and review questionnaires and evidence in one secure, central repository.
