5 Top Questionnaires to Assess Vendor Cybersecurity in 2019

Third-party risk management, or TPRM, can be a time-consuming task for any organisation, but it is critical that you get it right. Developing a risk assessment process tailored to the threats actually posed by your vendors (what data they hold, what access they have) helps protect your organisation's critical assets and its overall cybersecurity preparedness.

You can do this by requiring each of your vendors to complete a security questionnaire.

If you’re not sure where to start, don’t worry. When it comes to selecting the right questionnaire to use for each of your vendors, there are many options available to you. You can create a new questionnaire for each vendor, you can re-use existing questionnaires, or you can take advantage of best-practice guidance created by a number of industry-leading organisations.

To help you get started in developing or improving your TPRM program, we’ve compiled a list of five of the top cybersecurity questionnaires used in IT vendor security assessments in 2019, in alphabetical order.

1. Center for Internet Security — CIS Critical Security Controls (CSC)

2. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)

3. National Institute of Standards and Technology — NIST SP 800-53

4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG)

5. Vendor Security Alliance — VSA Questionnaire (VSAQ)


Center for Internet Security — CIS Critical Security Controls

The Center for Internet Security (CIS) is a non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. It aims to help the wider community tackle issues of internet security, with clear priorities and an understanding of industry best practices to back them up.

What is the questionnaire?

The Center for Internet Security publishes 20 controls that provide a framework for addressing critical security systems and the flow of data when defending against cybersecurity threats. Because the CIS Controls are derived from an understanding of the attacker's lifecycle, they cover the most common manifestations of these threats and how to adjust defensive actions and processes accordingly. They give an organisation a prioritised baseline to work from, and, because the expected safeguards are written down, they remove the reliance on any single individual in the risk-remediation process.

The questionnaire built from the CIS Controls contains over 150 questions (one per sub-control), and the controls are mapped to a number of widely recognised cybersecurity standards and regulatory frameworks, including NIST SP 800-53, the ISO 27000 series, PCI DSS and COBIT.

Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ) 

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment and to promote the secure adoption of cloud computing.

What is the questionnaire?

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the CSA for cloud consumers and auditors to assess the security capabilities of a cloud service provider. It gives customers of cloud services greater transparency into how a provider actually implements its controls: which technologies and practices are in place, how data protection and risk management are handled, and what is still on the provider's implementation roadmap.

A CAIQ can be adjusted to the needs of each individual user, and is intended to be used together with the CSA Guidance and the Cloud Controls Matrix (CCM). It consists of a series of Yes/No questions that distil the issues, best practices and control specifications from the CSA Guidance and CCM. The CAIQ aims to create a common industry standard for documenting security controls in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) operations. The current version of the CAIQ contains nearly 300 questions across numerous risk domains. Because each answer is a bare Yes/No, ask the provider for the supporting evidence (a SOC 2 report, a CSA STAR entry, or a policy excerpt) for any answer you intend to rely on.

National Institute of Standards and Technology — NIST SP 800-53

The National Institute of Standards and Technology applies practical cybersecurity and privacy expertise through outreach and the implementation of standards and best practices, to adapt to the latest changes in the world of technology.

What is the questionnaire?

NIST Special Publication 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). The objective of NIST SP 800-53 is to provide a holistic approach to information security and risk management by providing organisations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. 

The NIST catalogue of controls supports the development of secure and resilient federal information systems. These controls are the operational, technical and management safeguards used to protect the confidentiality, integrity and availability of those systems and the information they process. Note that SP 800-53 is a control catalogue rather than a ready-made questionnaire: to use it for vendor assessment you select a baseline (low, moderate or high) and ask the vendor to attest to, and evidence, each applicable control.

Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG Core / SIG Lite)

The Shared Assessments Program describes itself as 'the trusted source for third party risk management'. It offers extensive resources, tools and best practices to manage the critical elements of the vendor risk management lifecycle.

What is the questionnaire?

The SIG questionnaire by the Shared Assessments Group is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.

SIG Lite (almost 200 questions) provides a ‘broad but high-level understanding about an Assessee’s internal information security controls.’ This is best for parties that only require a basic level of due diligence, or as an initial benchmark before engaging a more in-depth assessment. 

SIG Core (over 1200 questions), on the other hand, is a more comprehensive assessment designed for service providers that store and/or manage highly sensitive data. It is meant to give a detailed understanding of how data is treated and secured end to end by a service provider. SIG Core is also mapped to a number of other recognised cybersecurity standards, so a completed SIG Core can usually be reused to answer the bulk of those other assessments rather than issuing each one separately.

Vendor Security Alliance — VSA Questionnaire (VSAQ) 

The Vendor Security Alliance (VSA) is a not-for-profit committed to improving general Internet security and common vendor-related cybersecurity practices. They recognise the importance of community and the need for widespread awareness in fighting these ever-changing digital threats.

What is the questionnaire?

The Vendor Security Alliance Questionnaire (VSAQ) was first created by a coalition of companies to monitor supplier security practices. The VSAQ is now recognised as an industry-leading resource for evaluating third-party cybersecurity and streamlining vendor security compliance. The questionnaire has been expanded to seven sections, each covering a potential source of vendor risk:

– Data protection and access controls

– Security policies and procedures

– Proactive security measures

– Reactive security measures

– Software supply chain management

– Customer-facing application security

– Compliance

Choosing the right questionnaire for your TPRM program

The problem is generally not a lack of capability to deal with vendor incidents; it is the sheer volume of vendors, questions and evidence that has to be managed to remain secure. It is therefore crucial that you choose an assessment tool whose depth matches the risk each vendor poses, rather than sending every vendor the longest questionnaire available.

Having said that, security questionnaires continue to improve and become more readily available, so you shouldn’t worry about feeling ‘locked in’ with whichever one you choose. In fact, most of the questionnaires identified in this post are regularly reviewed and updated by experts in the fields of cybersecurity, information security, compliance and risk.  

Once you’ve selected a questionnaire or framework to assess and manage third-party risk, 6clicks can help you implement it for maximum success.  

The power of 6clicks for the modern enterprise

The 6clicks platform offers users fully licensed versions of these vendor security controls, ready for organisations to harness immediately.

With 6clicks, organisations can access, refine and distribute digitised versions of each of these questionnaires, while also leveraging the benefits of integrated risk assessment data. 

Controls can be refined to suit the bespoke requirements of your industry or business but can also be programmed with conditional logic for controls that require it – such as the SIG questionnaires. Each question allows for responses to yes/no and long-form questions, as well as custom response options, where any relevant evidence or documentation can be easily attached. 

When sent, each questionnaire is completed as a digital risk assessment, with a unique URL for each of your third-parties – allowing for data to inform analytics and required compliance remediation.
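The two ideas above, tiering vendors between SIG Lite and SIG Core by the sensitivity of the data they handle, and questionnaires whose later questions depend on earlier answers, can be expressed in a small scoping engine. The following is an added example written for this article; it is not 6clicks, Shared Assessments or CSA code, and the questions, weights, threshold and vendor answers are constructed for illustration only.

```python
"""Tiered vendor-assessment triage with conditional follow-up questions.

Added example, not 6clicks, Shared Assessments or CSA code. The scoping
questions, weights, threshold and vendor answers are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Answers = Dict[str, bool]


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    risk_if: bool            # the answer value that indicates risk
    weight: int = 1          # risk points added when answered with risk_if
    # Conditional logic: asked only when this predicate over the other answers
    # holds. None means the question is always asked.
    ask_if: Optional[Callable[[Answers], bool]] = None


def handles_customer_data(a: Answers) -> bool:
    return a.get("Q1") is True


# Constructed scoping questionnaire (illustrative, not a SIG or CAIQ excerpt).
SCOPING: List[Question] = [
    Question("Q1", "Will the vendor store or process our customer data?", risk_if=True),
    Question("Q2", "Is any of that data regulated (cardholder, health or personal data)?",
             risk_if=True, weight=3, ask_if=handles_customer_data),
    Question("Q3", "Is that data encrypted at rest?",
             risk_if=False, weight=2, ask_if=handles_customer_data),
    Question("Q4", "Will the vendor have privileged access to our network or production systems?",
             risk_if=True, weight=2),
    Question("Q5", "Can the vendor provide a completed CAIQ or equivalent self-assessment?",
             risk_if=False),
]

SIG_CORE_THRESHOLD = 5   # constructed cut-off; tune to your own risk appetite


def applicable(questions: List[Question], answers: Answers) -> List[Question]:
    """Questions the conditional logic actually asks for this set of answers."""
    return [q for q in questions if q.ask_if is None or q.ask_if(answers)]


def validate(questions: List[Question], answers: Answers) -> List[str]:
    """Return problems with a submission: asked questions left unanswered, answers
    supplied for questions the branching never asked (a sign of a malformed or
    edited submission), and non-boolean values (the score compares to risk_if)."""
    asked = {q.qid for q in applicable(questions, answers)}
    answered = set(answers)
    problems = [f"missing answer for {qid}" for qid in sorted(asked - answered)]
    problems += [f"unexpected answer for {qid}" for qid in sorted(answered - asked)]
    problems += [f"non-boolean answer for {qid}"
                 for qid, value in answers.items() if not isinstance(value, bool)]
    return problems


def risk_score(questions: List[Question], answers: Answers) -> int:
    """Sum the weights of every applicable question answered with its risky value."""
    problems = validate(questions, answers)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(q.weight for q in applicable(questions, answers)
               if answers[q.qid] == q.risk_if)


def recommend_tier(questions: List[Question], answers: Answers) -> str:
    """Map the scoping score to the depth of assessment to request next."""
    return "SIG Core" if risk_score(questions, answers) >= SIG_CORE_THRESHOLD else "SIG Lite"


# Constructed answers for two hypothetical vendors.
SAAS_VENDOR: Answers = {"Q1": True, "Q2": True, "Q3": False, "Q4": False, "Q5": True}
CLEANING_VENDOR: Answers = {"Q1": False, "Q4": False, "Q5": False}

if __name__ == "__main__":
    for name, ans in [("saas", SAAS_VENDOR), ("cleaning", CLEANING_VENDOR)]:
        print(name, risk_score(SCOPING, ans), recommend_tier(SCOPING, ans))
```

The validation step matters as much as the score: a questionnaire engine that silently ignores answers to questions it never asked, or scores a missing answer as "no risk", can be gamed by a vendor who hand-edits the export. Rejecting the submission and asking for a corrected one keeps the score trustworthy.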

