Vendor Security Questionnaire
For use when evaluating vendors, suppliers, and service providers with access to your data or systems.
Vendor / Company Name:
Primary Contact Name & Title:
Contact Email & Phone:
Service / Product Provided:
Accesses, stores, or transmits your data?
[ ] Yes [ ] No
Types of data involved:
[ ] PII [ ] Financial [ ] Health/PHI [ ] PCI [ ] Other: _______________
Questionnaire Completed By:
Date Completed:
Instructions for Vendors: Please answer each question honestly. Where a question does not apply to your organization, mark N/A and include a brief explanation in the Notes column. For Yes answers, be prepared to provide supporting documentation (policies, certifications, audit reports) upon request. Return completed questionnaire to chris@ironrootrisk.com.
| 1 — Security Program & Governance | Yes | No | N/A | Notes / Evidence Requested |
|---|---|---|---|---|
| Does your organization have a documented Information Security Policy? | [ ] | [ ] | [ ] | Request a copy or summary. |
| Have you conducted a cybersecurity risk assessment within the past 12 months? | [ ] | [ ] | [ ] | Request summary findings or attestation. |
| Do you have a named individual responsible for information security? | [ ] | [ ] | [ ] | Name and title. |
| Do you carry cyber liability insurance? | [ ] | [ ] | [ ] | Carrier name and coverage amount. |
| Do you have a documented Incident Response Plan? | [ ] | [ ] | [ ] | Request a copy or summary. |
| Have you experienced a data breach or security incident in the past 3 years? | [ ] | [ ] | [ ] | If yes, describe and explain remediation. |
| 2 — Access Controls & Authentication | Yes | No | N/A | Notes / Evidence Requested |
|---|---|---|---|---|
| Is multi-factor authentication (MFA) required for remote access and admin accounts? | [ ] | [ ] | [ ] | Which systems require MFA? |
| Are access rights restricted to the minimum necessary (least privilege)? | [ ] | [ ] | [ ] | Describe access control model. |
| Is access reviewed and revoked promptly when employees leave? | [ ] | [ ] | [ ] | Describe offboarding process. |
| Are privileged accounts (admin/root) separate from standard user accounts? | [ ] | [ ] | [ ] | How many privileged accounts exist? |
| Are background checks conducted on employees with access to client data? | [ ] | [ ] | [ ] | Frequency and scope. |
| 3 — Data Protection & Privacy | Yes | No | N/A | Notes / Evidence Requested |
|---|---|---|---|---|
| Is data encrypted at rest (stored) and in transit (transmitted)? | [ ] | [ ] | [ ] | Standards used (AES-256, TLS 1.2+)? |
| Do you have a documented data classification and handling policy? | [ ] | [ ] | [ ] | Request policy or summary. |
| Are backups of client data encrypted and stored securely off-site? | [ ] | [ ] | [ ] | Backup frequency and retention period. |
| Do you have a formal data retention and secure disposal policy? | [ ] | [ ] | [ ] | How is data deleted at end of relationship? |
| Are your systems and staff compliant with applicable privacy laws (GDPR, CCPA, HIPAA)? | [ ] | [ ] | [ ] | Which laws apply? Documentation available? |
| Will you notify us within 72 hours of a breach affecting our data? | [ ] | [ ] | [ ] | Reference your incident notification SLA. |
| 4 — Network & Endpoint Security | Yes | No | N/A | Notes / Evidence Requested |
|---|---|---|---|---|
| Are systems patched and updated on a regular, documented schedule? | [ ] | [ ] | [ ] | Patch SLA for critical vulnerabilities? |
| Is endpoint protection (antivirus/EDR) deployed on all systems accessing client data? | [ ] | [ ] | [ ] | Solution name. |
| Are vulnerability scans or penetration tests conducted at least annually? | [ ] | [ ] | [ ] | Most recent test date and findings summary. |
| Is your network segmented to limit access to sensitive data? | [ ] | [ ] | [ ] | Describe segmentation approach. |
| Are remote access sessions encrypted and logged? | [ ] | [ ] | [ ] | VPN / Zero Trust solution in use? |
| 5 — Third Parties, Subcontractors & Certifications | Yes | No | N/A | Notes / Evidence Requested |
|---|---|---|---|---|
| Do you use subcontractors or sub-processors who will access our data? | [ ] | [ ] | [ ] | List all subcontractors with data access. |
| Are your subcontractors subject to the same security requirements as your organization? | [ ] | [ ] | [ ] | How is compliance verified? |
| Do you have a SOC 2 Type II report, ISO 27001 certification, or equivalent? | [ ] | [ ] | [ ] | Provide most recent report / certificate. |
| Have you undergone a third-party security audit in the past 24 months? | [ ] | [ ] | [ ] | Auditor name and date. |
| Do all employees who handle client data receive security awareness training annually? | [ ] | [ ] | [ ] | Training program and frequency. |
Reviewer Notes & Risk Decision
Overall Assessment:
[ ] Approved [ ] Approved with Conditions [ ] Rejected [ ] Pending Follow-Up
Key Concerns Identified:
Follow-Up Items Required:
Risk Tier Assigned:
[ ] Low [ ] Medium [ ] High [ ] Critical
Reviewed By:
Review Date:
Next Review Date:
Need help evaluating vendor responses?
IronRoot Risk Consultants can review completed questionnaires, score vendor risk, and recommend contract terms to protect your business.
chris@ironrootrisk.com | ironrootrisk.com