Vendor Risk Assessment Questionnaire Template

Written By Chris Ekai

In May 2024, UnitedHealth Group chief executive Andrew Witty told the Senate Finance Committee that the February ransomware attack on its Change Healthcare unit started with stolen credentials on a Citrix remote-access portal that had no multi-factor authentication. One unasked, unverified control question.

The result: roughly 190 million Americans’ records exposed — the largest healthcare data breach in US history per HHS — a $22 million ransom paid, and provider claims processing disrupted at an estimated $100 million a day.

What You Need to Know About the Vendor Risk Assessment Questionnaire
Use the 40-question vendor risk assessment questionnaire template in this article as-is: it covers governance, data protection, access control, infrastructure, incident response, continuity, compliance, and financial health.
Score every response on a 1-5 scale, weight data protection at 20% and the other domains at 5-15%, and set 3.0 as your remediation threshold — the worked example shows how the vendor risk assessment questionnaire produces a defensible score.
Tier your vendors first when you deploy the vendor risk assessment questionnaire: critical vendors get all 40 questions plus evidence requests annually; low-risk vendors get a 6-question self-attestation every three years.
In any vendor risk assessment questionnaire, demand evidence, not attestations — a “yes” to the MFA question without a configuration screenshot or SOC 2 mapping is the exact gap that produced the 190-million-record Change Healthcare breach.
Map your vendor risk assessment questionnaire to the regulations that bind you: HIPAA business associate rules, the FTC Safeguards Rule, the 2023 Interagency Guidance for banks, NYDFS Part 500, and DORA for EU financial exposure.
Pair the vendor risk assessment questionnaire with continuous monitoring and key risk indicators — point-in-time answers decay, and 48% of breaches now involve a third party.

A vendor risk assessment questionnaire exists to surface exactly that kind of gap, the unverified control, before you sign.

This article gives you a complete vendor risk assessment questionnaire template — 40 questions across eight domains, each with strong-answer signals and red flags — plus the scoring model, tiering rules, and regulatory mapping that turn responses into decisions.

Everything sits inside your broader third-party risk management framework, so the vendor risk assessment questionnaire outputs feed your risk register, contracts, and board reporting rather than a filing cabinet.

Copy the tables, adapt the questions to your data and sector, and you have a working vendor risk assessment questionnaire ready to use today. The stakes are not theoretical: Verizon’s 2026 Data Breach Investigations Report found that 48% of breaches now involve a third party, up 60% in a single year.

Why Your Vendor Risk Assessment Questionnaire Matters in 2026

Three numbers define the 2026 third-party threat picture. The Verizon DBIR put third-party involvement in breaches at 15% in 2024, 30% in 2025, and 48% in 2026 — a structural shift, not a blip, and consistent with the supply chain share of breaches tracked in our risk security management guide.

IBM’s Cost of a Data Breach Report consistently finds supply chain compromises among the costliest and slowest breaches to contain. A well-built vendor risk assessment questionnaire targets exactly this attack pattern, and the pattern repeats: stolen vendor credentials, a missing control the customer never verified, lateral movement, extortion.

The vendor risk assessment questionnaire is the cheapest control you have against that pattern — provided it asks evidence-based questions and someone acts on the answers.

Vendor Risk Assessment Questionnaire Template

Third-party involvement in breaches tripled across three Verizon DBIR cycles: 15% (2024), 30% (2025), 48% (2026). Source: Verizon Data Breach Investigations Reports.

A vendor risk assessment questionnaire on its own is still point-in-time evidence. Treat it as the assessment stage of the vendor risk management lifecycle — identification, due diligence, contracting, monitoring, and offboarding — not the whole program.

The sections below give you the vendor risk assessment questionnaire itself; the scoring and tiering sections give you the operating model around it.

The Vendor Risk Assessment Questionnaire: 40 Questions Across 8 Domains

This vendor risk assessment questionnaire draws on the structures used by CISA’s vendor supply chain risk management template, the NIST Cybersecurity Framework, and the standard industry questionnaires covered later in this article.

Every question pairs with the evidence you should request — never accept an unsupported “yes.” Score each vendor risk assessment questionnaire answer 1 (critical gap) to 5 (strong, evidenced), and record results in your risk register.

Domain 1: Governance and Security Program (Weight: 10%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 1. Who owns information security, and where do they report? | Named CISO or security lead reporting to the CEO, COO, or board | Security owned by IT operations with no executive reporting line |
| 2. Are security policies documented, approved, and reviewed at least annually? | Policy register with owner, approval date, and review cadence | Policies “in progress” or last reviewed more than 2 years ago |
| 3. Do you carry cyber liability insurance, and at what limits? | Current certificate of insurance; limits proportionate to data volume | No cover, lapsed cover, or refusal to disclose limits |
| 4. How often do staff complete security awareness training? | At hire and at least annually, with tracked completion above 95% | Ad hoc training with no completion records |
| 5. Has leadership run a cyber crisis exercise in the past 12 months? | Dated tabletop exercise with documented lessons learned | Never exercised, or exercises exclude executives |

Domain 2: Data Protection and Privacy (Weight: 20%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 6. What categories of our data will you access, store, or process, and in which countries? | Explicit data inventory with named hosting jurisdictions | Cannot enumerate data types or storage locations |
| 7. Is data encrypted at rest (AES-256) and in transit (TLS 1.2 or higher)? | Named algorithms and key management process; evidence in SOC 2 or config extract | Partial encryption, legacy protocols, or “industry standard” with no detail |
| 8. How is our data segregated from other customers’ data? | Logical or physical tenancy isolation, described and tested | Shared databases with no documented isolation controls |
| 9. What happens to our data at contract termination? | Contractual return-and-destroy clause with certificate of destruction | No retention schedule; data deleted “eventually” |
| 10. Who handles privacy obligations and data subject requests? | Named privacy officer; documented DSAR process and timelines | No privacy owner; requests handled case by case |

Domain 3: Access Control and Identity (Weight: 15%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 11. Is MFA enforced on all remote access and privileged accounts, with zero exceptions? | MFA policy plus configuration evidence covering every external entry point | Exceptions for “legacy systems” — the exact gap behind Change Healthcare |
| 12. How are access rights provisioned, reviewed, and revoked? | Joiner-mover-leaver process; quarterly privileged-access reviews; same-day revocation | Annual or undocumented reviews; orphan accounts found in audits |
| 13. Do you enforce least privilege on production systems? | Role-based access with documented business-need approvals | Broad admin rights; developers with standing production access |
| 14. How are privileged credentials stored and rotated? | Enterprise vault, rotation policy, session recording for admins | Shared admin passwords or credentials in spreadsheets |
| 15. How is remote access to your network secured? | VPN or ZTNA with device checks and MFA, centrally logged | Exposed RDP, unmanaged BYOD, or no remote access inventory |

Domain 4: Infrastructure and Application Security (Weight: part of 20% technical block)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 16. What are your patching SLAs by severity? | Criticals within 72 hours to 7 days, tracked and reported | No SLA; patching “as resources allow” |
| 17. Do you commission independent penetration tests at least annually? | Annual third-party test; executive summary shared under NDA | Internal scans only, or refusal to share any summary |
| 18. How are vulnerabilities discovered and remediated? | Continuous scanning; criticals remediated within defined windows; metrics reported | Periodic manual scans with no remediation tracking |
| 19. Describe your secure development lifecycle. | Code review, dependency scanning, secrets detection in CI/CD | No SDLC controls for software touching customer data |
| 20. What hardening baselines apply to your hosting environment? | CIS Benchmarks or equivalent, with configuration drift monitoring | No named baseline; unknown cloud configuration posture |

Domain 5: Incident Response and Breach Notification (Weight: 15%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 21. Do you have a documented, tested incident response plan? | IR plan with roles, runbooks, and a test within the last 12 months | Plan exists but never exercised |
| 22. What breach notification window will you commit to contractually? | 24-72 hours for incidents affecting customer data, in the contract | Statutory minimum only, or “as soon as practicable” |
| 23. Any security incidents in the past 36 months? Describe scope and fixes. | Transparent disclosure with root cause and completed remediation | Claims of zero incidents with no detection capability to back it |
| 24. Do you retain a forensics or incident response firm? | Named IR retainer and engagement process | No retainer; response improvised during a crisis |
| 25. How will you communicate with us during an incident? | Named contacts, escalation matrix, agreed update cadence | Generic support channel as the only route |

Domain 6: Business Continuity and Resilience (Weight: 15%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 26. Do you maintain tested business continuity and disaster recovery plans? | ISO 22301-aligned BCP/DRP; exercise results within 12 months | Untested plans, or DR assumed because “we are in the cloud” |
| 27. What RTO and RPO apply to the service you provide us? | Stated RTO/RPO matching our maximum tolerable downtime | No defined recovery objectives for customer-facing services |
| 28. What was your actual uptime over the past 24 months versus SLA? | Measured uptime history with incident annotations | No availability records, or SLA credits routinely triggered |
| 29. Do you depend on a single data center, region, or upstream provider? | Documented redundancy; concentration risks disclosed | Single points of failure with no mitigation |
| 30. How would you keep serving us during a ransomware event? | Immutable backups, segmented recovery environment, tested restore times | Backups on the same network as production |

Domain 7: Compliance, Certifications, and Subcontractors (Weight: 15% compliance and certifications + 5% subcontractors)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 31. Which attestations do you hold (SOC 2 Type II, ISO 27001, PCI DSS, HITRUST)? | Current reports provided under NDA; scope covers the services we buy | Expired certificates, Type I only, or scope excluding our service |
| 32. Which regulations bind you for our engagement (HIPAA, GLBA, NYDFS 500, DORA)? | Regulation-by-regulation evidence: BAA readiness, filings, registers | Unaware of applicable regimes |
| 33. Which subcontractors (fourth parties) deliver parts of our service? | Critical subcontractor list with locations and functions | Refusal to disclose, or no subcontractor inventory |
| 34. Are subcontractors bound to equivalent security obligations? | Flow-down clauses plus a vetting program for their own vendors | No flow-down terms; subcontractors never assessed |
| 35. Any regulatory findings, enforcement actions, or audit qualifications in 3 years? | Clean record, or disclosed findings with completed remediation | Undisclosed enforcement history surfacing in your own research |

Domain 8: Financial and Operational Health (Weight: 5%)

| Question | What a Strong Answer Looks Like | Red Flag |
|---|---|---|
| 36. Provide evidence of financial stability. | Audited financials, credit rating, or banker references | Refusal plus market signals of distress |
| 37. Does any single customer exceed 25% of your revenue? | Diversified customer base, or concentration disclosed and bonded | Existential dependence on one or two accounts |
| 38. Any pending litigation or M&A that could affect service delivery? | Disclosure with continuity commitments in the contract | Material events discovered only through news searches |
| 39. What key-person dependencies exist for our services? | Documented succession and cross-training for critical roles | Single engineer holding all institutional knowledge |
| 40. What insurance do you carry beyond cyber (E&O, general liability)? | Certificates with adequate limits and your firm as notice party | Minimal cover relative to engagement value |

Adapt the emphasis to the engagement: a payroll processor warrants deeper information security risk assessment questions; a facilities vendor warrants more continuity and insurance scrutiny. The eight-domain skeleton of the vendor risk assessment questionnaire holds across vendor types.

Scoring the Vendor Risk Assessment Questionnaire: A Worked Example

Most vendor risk assessment questionnaire responses die unscored — collected, filed, ignored. The fix is a simple weighted model consistent with your wider risk assessment methodology and with the supply chain risk practices in NIST SP 800-161.

Score each question 1-5, average within each domain, then weight the domains by what would actually hurt you. Suggested weights:


Suggested vendor risk assessment questionnaire scoring weights. Data protection carries 20% because data loss is the dominant third-party loss scenario; adjust weights to your own risk profile.

Assumptions for the worked example: a Tier 1 SaaS vendor processing customer PII, scored by a security analyst and verified against a SOC 2 Type II report. The vendor’s domain averages came out as follows:

| Domain | Weight | Domain Score (1-5) | Weighted Contribution |
|---|---|---|---|
| Data protection & privacy | 20% | 3.2 | 0.64 |
| Access control & identity | 15% | 2.4 | 0.36 |
| Incident response | 15% | 4.0 | 0.60 |
| Business continuity | 15% | 3.5 | 0.53 |
| Compliance & certifications | 15% | 4.5 | 0.68 |
| Governance & security program | 10% | 4.0 | 0.40 |
| Subcontractors | 5% | 2.0 | 0.10 |
| Financial health | 5% | 4.5 | 0.23 |
| Weighted total | 100% | | 3.53 / 5.00 |


The worked example vendor passes overall (3.53) but fails the 3.0 remediation threshold in two domains: access control (2.4) and subcontractor management (2.0).

Decision rule: overall score above 3.5 with no domain below 3.0 means approve; overall above 3.0 with isolated domain failures means conditional approval with time-bound remediation; anything lower goes back to procurement.

Here, the vendor gets conditional approval: MFA gaps closed within 60 days and a subcontractor register delivered within 90, both written into the contract and tracked like any other entry in your risk management process. State the assumptions, keep the arithmetic visible, and the same vendor risk assessment questionnaire becomes defensible evidence for auditors and regulators.
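The scoring arithmetic and decision rule above, written out as an added Python example (not code from the article): per-question scores are averaged into domain averages, the article's suggested weights are applied, contributions are rounded half-up the way the worked example table is, and the result is approve, conditional or reject together with every domain below the 3.0 threshold. Function and variable names are this example's own. One gap in the stated rule, an overall score between 3.0 and 3.5 with no failing domain, is treated as conditional here, which is an assumption.

```python
"""Weighted scoring and decision rule for the 40-question vendor questionnaire.

Added example, not code from the article. Decimal arithmetic is used so the
rounding matches the article's worked example table exactly.
"""
from decimal import Decimal, ROUND_HALF_UP

# Suggested domain weights from the article; they must sum to 1.00.
WEIGHTS = {
    "Data protection & privacy": Decimal("0.20"),
    "Access control & identity": Decimal("0.15"),
    "Incident response": Decimal("0.15"),
    "Business continuity": Decimal("0.15"),
    "Compliance & certifications": Decimal("0.15"),
    "Governance & security program": Decimal("0.10"),
    "Subcontractors": Decimal("0.05"),
    "Financial health": Decimal("0.05"),
}
assert sum(WEIGHTS.values()) == Decimal("1.00"), "domain weights must sum to 100%"

APPROVAL_THRESHOLD = Decimal("3.5")     # overall score needed to approve outright
REMEDIATION_THRESHOLD = Decimal("3.0")  # any domain below this needs a remediation plan


def cents(value):
    """Round to two decimals, half up, as the article's table is rounded."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def domain_averages(question_scores):
    """Average the per-question scores (1-5) within each domain.

    question_scores maps a domain name to the list of scores its questions
    received. Every domain must be scored and every score must be in range;
    a silently skipped domain would inflate the weighted total.
    """
    averages = {}
    for domain, scores in question_scores.items():
        if domain not in WEIGHTS:
            raise ValueError(f"unknown domain: {domain!r}")
        if not scores or any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"scores for {domain!r} must be 1-5 and non-empty")
        averages[domain] = sum(Decimal(s) for s in scores) / len(scores)
    missing = sorted(set(WEIGHTS) - set(averages))
    if missing:
        raise ValueError(f"unscored domains: {missing}")
    return averages


def weighted_total(averages):
    """Sum of (domain average x domain weight), unrounded."""
    return sum(averages[d] * w for d, w in WEIGHTS.items())


def decide(averages):
    """Apply the article's decision rule.

    Returns (decision, overall, failing_domains); failing_domains lists every
    domain below the remediation threshold. The article does not say what
    happens when the overall score is between 3.0 and 3.5 with no failing
    domain; this example treats that as conditional too (assumption).
    """
    overall = weighted_total(averages)
    failing = sorted(d for d, a in averages.items() if a < REMEDIATION_THRESHOLD)
    if overall > APPROVAL_THRESHOLD and not failing:
        return "approve", overall, failing
    if overall > REMEDIATION_THRESHOLD:
        return "conditional", overall, failing
    return "reject", overall, failing


def scorecard(averages):
    """Rows of (domain, weight, score, contribution) plus the rounded total."""
    rows = [(d, WEIGHTS[d], cents(averages[d]), cents(averages[d] * WEIGHTS[d]))
            for d in WEIGHTS]
    return rows, cents(weighted_total(averages))


# The worked example's domain averages, taken from the article's table.
WORKED_EXAMPLE = {
    "Data protection & privacy": Decimal("3.2"),
    "Access control & identity": Decimal("2.4"),
    "Incident response": Decimal("4.0"),
    "Business continuity": Decimal("3.5"),
    "Compliance & certifications": Decimal("4.5"),
    "Governance & security program": Decimal("4.0"),
    "Subcontractors": Decimal("2.0"),
    "Financial health": Decimal("4.5"),
}

if __name__ == "__main__":
    rows, total = scorecard(WORKED_EXAMPLE)
    for domain, weight, score, contribution in rows:
        print(f"{domain:32} {weight:>5} {score:>5} {contribution:>5}")
    decision, overall, failing = decide(WORKED_EXAMPLE)
    print(f"weighted total {total} -> {decision}; domains below 3.0: {failing}")
```

Run as a script it prints the worked example table and the conditional decision with the two failing domains; imported, `domain_averages` is the step that turns raw per-question scores into the averages the article's table starts from.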

Vendor Tiering: Match Questionnaire Depth to Risk

Sending 40 questions to your stationery supplier wastes everyone’s time and trains the business to bypass security.

Tier vendors by data sensitivity and operational criticality — the same logic regulators applied in the 2023 Interagency Guidance on Third-Party Relationships (Federal Reserve SR 23-4, with the OCC and FDIC), which expects risk-based due diligence proportionate to the relationship.

A four-tier model works for most organizations and slots into the third-party risk management lifecycle cleanly:

| Tier | Criteria | Questionnaire Scope | Evidence Required | Reassessment |
|---|---|---|---|---|
| Tier 1 — Critical | Sensitive data access AND critical to operations | All 40 questions | SOC 2 Type II / ISO 27001 cert, pen test summary, BCP test results | Annual + continuous monitoring |
| Tier 2 — High | Sensitive data access OR operationally important | ~25 questions (drop financial depth, keep all security domains) | Attestation reports; targeted evidence on red flags | Annual |
| Tier 3 — Moderate | Limited data access, replaceable service | ~12 questions (governance, data, access, incident basics) | Self-attestation plus insurance certificates | Every 24 months |
| Tier 4 — Low | No data access, commodity service | 6-question self-attestation | None beyond contract terms | Every 36 months |


Questionnaire depth and reassessment cadence by vendor tier. Tier 1 vendors answer the full vendor risk assessment questionnaire annually; Tier 4 vendors self-attest every three years.

Tiering is also where fourth-party risk becomes visible: a Tier 3 vendor whose own critical subcontractor holds your data is really a Tier 1 relationship wearing a disguise. Question 33 exists to catch that, and your risk identification tools should treat undisclosed subcontracting as a standing risk.

SIG, CAIQ, NIST, or Custom: Choosing a Questionnaire Standard

You do not have to build from scratch. Industry-standard vendor risk assessment questionnaire instruments trade customization for vendor familiarity — vendors answer SIG and CAIQ constantly, so responses arrive faster and pre-filled. The main options:

| Standard | Publisher | Size and Scope | Best For |
|---|---|---|---|
| SIG Core / SIG Lite | Shared Assessments | Core: several hundred questions, 19+ risk domains; Lite: ~125 questions | Regulated industries needing comprehensive, recognized coverage |
| CAIQ v4 | Cloud Security Alliance | ~260 questions mapped to the Cloud Controls Matrix | Cloud and SaaS vendors specifically |
| NIST-derived custom | NIST CSF 2.0 / SP 800-161 | You control length; mapped to CSF functions | Organizations already running NIST-aligned programs |
| CISA SCRM template | CISA ICT SCRM Task Force | Supply-chain focused; free | Hardware, software, and ICT supply chain vendors |
| This template (40 questions) | riskpublishing.com | 8 domains, evidence-based, scoring built in | Mid-market programs needing speed plus rigor |

Practical rule: adopt SIG Lite or this 40-question vendor risk assessment questionnaire as your Tier 2 default, escalate to SIG Core or a full custom instrument for Tier 1, and accept a current SOC 2 Type II report in lieu of duplicate questions where scope matches.

Whatever you choose, anchor question selection to the types of risk assessment your program actually runs — security, privacy, continuity, financial — so the vendor risk assessment questionnaire feeds real analyses instead of sitting parallel to them.

Regulatory Requirements Driving Vendor Questionnaires

For regulated entities, the vendor risk assessment questionnaire is not optional hygiene — it is the evidence layer for legal obligations.

The five regimes below cover most US risk teams, and each maps to specific questions in the template:

| Regime | Who It Binds | What It Requires of Vendor Assessment | Template Questions |
|---|---|---|---|
| HIPAA | Healthcare covered entities and business associates | Written BAAs; reasonable assurance of safeguards before sharing PHI | Q6-10, Q22, Q31-32 |
| FTC Safeguards Rule | Non-bank financial institutions (GLBA) | Select service providers capable of maintaining safeguards; oversee them contractually | Q1-5, Q11-15, Q34 |
| Interagency Guidance (SR 23-4) | US banking organizations | Risk-based due diligence across the third-party lifecycle, including subcontractors | Full template, tiered |
| NYDFS Part 500 | NY-licensed financial services firms | Written third-party service provider security policy (§500.11), incl. MFA and encryption expectations | Q7, Q11, Q21-25 |
| DORA | EU financial entities (and their ICT providers) | Register of ICT third parties; contractual provisions; exit strategies — in force since January 2025 | Q26-30, Q33-35 |

Two implementation notes. First, alignment with ISO 31000, COSO ERM principles, and your enterprise risk management framework matters more than regulator-by-regulator checklists — assess once against the strictest applicable standard, then map evidence outward.

Second, document the vendor risk assessment questionnaire linkage: examiners increasingly ask not “do you send questionnaires” but “show me how a bad answer changed a contract.”

From Questionnaire Responses to Risk Treatment

The vendor risk assessment questionnaire earns its cost only when answers trigger actions — risk identification without treatment fails the most basic test of any risk management program.

Route every scored response into one of five outcomes, and log each in the register with an owner and date — the same discipline you would apply to any risk statement:

| Response Pattern | Action | Where It Lands |
|---|---|---|
| Strong answers, evidence provided | Approve; set reassessment date by tier | Vendor inventory |
| Gaps in non-critical domains | Conditional approval; remediation plan with deadlines | Risk register + contract schedule |
| Gaps in critical domains (MFA, encryption, IR) | Hold onboarding until evidenced fixes land | Procurement gate |
| Refusal to answer or provide evidence | Escalate to risk committee; consider alternatives | Exception register with expiry |
| Material misrepresentation discovered later | Contract remedies; immediate reassessment; exit planning | Incident and legal tracks |

Then close the loop with monitoring. Point-in-time answers decay — the vendor that passed in January reorganizes its security team in June.

Track third-party key risk indicators between assessment cycles: security rating drops, breach disclosures, attestation expiries, financial distress signals, and SLA breaches.

The NIST Cybersecurity Framework treats supply chain risk as a continuous govern-function activity for exactly this reason. A vendor risk assessment questionnaire plus KRIs plus contractual teeth is a program; the questionnaire alone is a souvenir.

Frequently Asked Questions

What is a vendor risk assessment questionnaire?

A vendor risk assessment questionnaire is a structured set of questions an organization sends to current or prospective third parties to evaluate their security controls, data handling, compliance posture, continuity arrangements, and financial stability.

Responses are scored, verified against evidence such as SOC 2 reports, and used to approve, condition, or reject the relationship. The vendor risk assessment questionnaire is the due diligence instrument inside a broader third-party risk management program, not a substitute for one.

How many questions should a vendor risk assessment questionnaire have?

Scale to vendor tier. Critical vendors handling sensitive data justify the full 40 questions in this vendor risk assessment questionnaire — or several hundred via SIG Core for heavily regulated relationships. Mid-tier vendors warrant 12-25 targeted questions, and commodity suppliers a 6-question self-attestation.

Length is not rigor in a vendor risk assessment questionnaire: an evidence-backed 40-question instrument beats a 300-question checkbox exercise that nobody scores or verifies.

Should I use SIG, CAIQ, or a custom vendor risk assessment questionnaire?

Use SIG (Shared Assessments) when you need broad, industry-recognized coverage that vendors can answer quickly from pre-filled libraries.

Use CAIQ when assessing cloud and SaaS providers, since it maps to the Cloud Controls Matrix.

Build custom — or adapt the vendor risk assessment questionnaire in this article — when your risk profile, sector regulations, or data flows are unusual enough that standard instruments miss your highest-impact questions.

Many programs blend approaches: SIG Lite as a base plus 10 custom questions.

How often should vendors complete the questionnaire?

Annually for Tier 1 and Tier 2 vendors, every 24 months for Tier 3, and every 36 months for low-risk Tier 4 suppliers — with event-driven reassessment in between.

Trigger an off-cycle questionnaire when a vendor discloses a breach, changes ownership, moves data centers, loses a key certification, or shows financial distress.

Continuous monitoring signals should be able to pull any vendor forward in the queue.
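A concrete form of that pull-forward logic, serving both the key risk indicators listed under risk treatment (rating drops, breach disclosures, attestation expiries, financial distress, SLA breaches) and the cadence and off-cycle triggers in this answer. This is an added Python example, not code from the article. The tier cadences and trigger events come from the article; the rating-drop and SLA-breach thresholds, the 0-1000 rating scale, the 60-day attestation warning window and the four vendor records are constructed for illustration.

```python
"""Between-cycle monitoring: which vendors get pulled forward for reassessment.

Added example, not code from the article. Reassessment cadence by tier and
the trigger events follow the article; the KRI thresholds, the security-rating
scale and the vendor records below are constructed for illustration.
"""
from calendar import monthrange
from datetime import date

# Reassessment cadence by tier, in months (Tier 1-2 annual, Tier 3 every 24, Tier 4 every 36).
REASSESS_MONTHS = {1: 12, 2: 12, 3: 24, 4: 36}

# Event-driven triggers named in the article. Unknown event names are rejected
# so a typo in a monitoring feed cannot silently drop a trigger.
EVENT_TRIGGERS = {
    "breach_disclosed", "ownership_change", "data_center_move",
    "certification_lost", "financial_distress",
}

# Constructed thresholds; tune them to your own risk appetite.
RATING_DROP_TRIGGER = 100       # points lost from the window's peak on an assumed 0-1000 scale
SLA_BREACH_TRIGGER = 3          # SLA breaches within the monitoring window
ATTESTATION_WARNING_DAYS = 60   # flag attestations expiring within this many days


def add_months(day, months):
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    return date(year, month, min(day.day, monthrange(year, month)[1]))


def review_reasons(vendor, today):
    """List every reason a vendor should be reassessed as of `today` (empty if none)."""
    reasons = []
    due = add_months(vendor["last_assessed"], REASSESS_MONTHS[vendor["tier"]])
    if today >= due:
        reasons.append(f"scheduled reassessment due {due}")
    for event in vendor.get("events", []):
        if event not in EVENT_TRIGGERS:
            raise ValueError(f"unknown trigger event {event!r}")
        reasons.append(f"event: {event}")
    expires = vendor.get("attestation_expires")
    if expires is not None:
        days_left = (expires - today).days
        if days_left < 0:
            reasons.append(f"attestation expired on {expires}")
        elif days_left <= ATTESTATION_WARNING_DAYS:
            reasons.append(f"attestation expires in {days_left} days")
    history = vendor.get("rating_history", [])
    if history and max(history) - history[-1] >= RATING_DROP_TRIGGER:
        reasons.append(f"security rating fell {max(history) - history[-1]} points from peak")
    if vendor.get("sla_breaches", 0) >= SLA_BREACH_TRIGGER:
        reasons.append(f"{vendor['sla_breaches']} SLA breaches in window")
    return reasons


def reassessment_queue(vendors, today):
    """Vendors needing attention: most critical tier first, then most reasons, then name."""
    flagged = [(v["name"], review_reasons(v, today)) for v in vendors]
    flagged = [(name, reasons) for name, reasons in flagged if reasons]
    tier = {v["name"]: v["tier"] for v in vendors}
    flagged.sort(key=lambda item: (tier[item[0]], -len(item[1]), item[0]))
    return flagged


AS_OF = date(2026, 6, 1)  # the "today" used by the sample run

# Constructed vendor records; names and values are illustrative only.
SAMPLE_VENDORS = [
    {"name": "PayrollCo", "tier": 1, "last_assessed": date(2025, 3, 1),
     "attestation_expires": date(2026, 7, 15), "rating_history": [720, 710, 560],
     "sla_breaches": 1, "events": []},
    {"name": "CloudStorage", "tier": 2, "last_assessed": date(2025, 9, 10),
     "attestation_expires": date(2027, 1, 1), "rating_history": [800, 790, 795],
     "sla_breaches": 0, "events": ["breach_disclosed"]},
    {"name": "FacilitiesCo", "tier": 3, "last_assessed": date(2025, 1, 10),
     "attestation_expires": date(2026, 5, 1), "rating_history": [650, 640],
     "sla_breaches": 4, "events": []},
    {"name": "Stationery", "tier": 4, "last_assessed": date(2024, 1, 15),
     "attestation_expires": None, "rating_history": [], "sla_breaches": 0, "events": []},
]

if __name__ == "__main__":
    for name, reasons in reassessment_queue(SAMPLE_VENDORS, AS_OF):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The queue surfaces the overdue Tier 1 payroll processor first (overdue, rating drop, attestation about to lapse), then the Tier 2 vendor with a disclosed breach, then the Tier 3 vendor whose attestation has already expired and whose SLA breaches crossed the threshold; the Tier 4 commodity supplier stays on its 36-month cycle. Each reason string is meant to be logged in the risk register alongside the off-cycle questionnaire it triggers.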

What if a vendor refuses to complete the questionnaire?

First, accept equivalent evidence: a current SOC 2 Type II or ISO 27001 certificate with matching scope answers most security domains, and large vendors often publish trust pages for exactly this purpose.

If the vendor offers neither answers nor attestations, treat the refusal as data — it predicts how they will behave during an incident. Escalate to your risk committee, document the exception with an expiry date, and weigh alternatives before contracting.

How do I score vendor risk assessment questionnaire responses?

Score each question 1-5 based on answer quality and evidence, average scores within each domain, then compute a weighted total using domain weights that reflect your loss scenarios — this article suggests 20% for data protection and 5-15% elsewhere.

Set two thresholds: a minimum overall score (3.5 for approval) and a minimum domain score (3.0), so a vendor cannot mask a critical MFA gap with strong paperwork elsewhere. Document the assumptions; auditors will ask.

Are vendor questionnaires enough on their own?

No. A questionnaire captures one moment, and Verizon’s 2026 DBIR finding that 48% of breaches involve third parties reflects risk that moved between assessment cycles.

Pair point-in-time questionnaires with continuous controls: security ratings or monitoring feeds, contractual breach notification windows, third-party KRIs with thresholds, and tested exit strategies for critical vendors.

The questionnaire sets the baseline; monitoring detects the drift.

Common Pitfalls in Vendor Risk Assessment Questionnaires

| Pitfall | Root Cause | Remedy |
|---|---|---|
| One-size-fits-all questionnaires | No vendor tiering before assessment | Tier by data sensitivity and criticality; scale 6 to 40 questions accordingly |
| Questionnaire sent after the contract is signed | Security bolted onto procurement instead of embedded in it | Make a scored questionnaire a procurement gate for Tier 1-2 vendors |
| Accepting “yes” without evidence | Checkbox culture; assessor lacks time or mandate | Require artifacts for critical controls: SOC 2 mapping, config extracts, test reports |
| Responses never scored or actioned | No scoring model or decision thresholds | Apply the 1-5 weighted model with approval and remediation thresholds |
| Fourth parties invisible | Subcontractor questions omitted or unanswered | Make Q33-34 mandatory; require flow-down clauses and subcontractor registers |
| Questionnaire goes stale | No review owner or cadence | Refresh annually against new threats (AI use, cloud misconfig) and regulations |
| Remediation promises never tracked | Findings die outside the risk register | Log conditions in the register with owners, deadlines, and evidence of closure |

Looking Ahead: Vendor Questionnaires Through 2027

Regulatory pressure keeps rising. DORA has been in force for EU financial entities since January 2025, and its register-of-information and exit-strategy requirements are already reshaping what US vendors get asked by European customers.

US banking examiners are applying the 2023 Interagency Guidance with increasing specificity, and the questionnaire-plus-evidence pattern in this article is the practical answer to both regimes.

AI changes the content of questionnaires before it changes the format. Expect 2026-2027 instruments to add a ninth domain covering vendor AI use: what models process your data, whether your data trains them, what the NIST AI Risk Management Framework calls map-measure-manage controls, and how AI-generated outputs are reviewed. Vendors embedding LLMs into service delivery without disclosure are this cycle’s undisclosed subcontractors.

Automation is compressing the cycle from weeks to days on both sides — AI tools now draft vendor answers and screen them for assessors.

That makes evidence verification the differentiator: anyone can generate fluent “yes” answers, so programs that demand configuration extracts, test reports, and certificates will separate signal from noise.

Expect the point-in-time questionnaire and continuous monitoring feeds to converge into a single vendor risk picture, with the questionnaire setting baselines and live key risk indicators flagging drift between cycles. The 48% third-party breach share in the 2026 DBIR says the work is worth doing properly.

Need help operationalizing this template — tiering your vendor base, building the scoring model, or standing up a full third-party risk program? Explore our advisory services or contact us to discuss your vendor risk assessment program.
