Third-Party Risk Questionnaire: A Field Guide (+ Template)

A third-party risk questionnaire is how a buyer figures out whether a vendor will hurt them. This guide covers what to ask, how to tier vendors so you don't drown your team, the SIG vs CAIQ call, and a workflow that actually ships decisions. Free template and checklist included.

April 21, 2026

5 min read


The first time I watched a sales cycle blow up over a third-party risk questionnaire, I thought it was a fluke. The second time, I realized it was Tuesday.

It goes like this. A deal is moving. Security gets a 217-question intake form on a Friday afternoon. Two weeks later, the vendor's responses come back: half of them are vague, the attached SOC 2 is from 2023, and the sub-processor list is missing entirely. The reviewer flags eleven findings. Sales escalates. The deal "is now blocked." Someone schedules a 30-minute call to "align." The questionnaire is approved based on vibes and a SOC 2 cover page. Everyone goes back to their desks pretending that was a real risk decision.

It wasn't. And the part that should bother every security leader: this is the normal version of third-party risk management at most companies. Not the worst version. The normal one.

This guide is the playbook for doing it differently. What to ask. How to scope. Which framework to start from. Where automation actually helps and where it absolutely doesn't. There are two free downloads, a working risk assessment template and a printable vendor evaluation checklist, that make the whole workflow operational on day one. They're linked below. Take them. Modify them. Strip the Cyberbase logo if you want. We don't care.

🎯 Get the Free TPRM Toolkit

  • Risk Assessment Template (XLSX): tiering calculator, three-tier-scoped questionnaires, evidence tracker, decision log
  • Vendor Evaluation Checklist (DOCX): printable five-stage workflow, signature block, findings log

Download Risk Assessment Template, no email required →

Download Vendor Evaluation Checklist, no email required →

What a third-party risk questionnaire actually is

A third-party risk questionnaire is a structured set of questions a buyer sends to a vendor or potential vendor to evaluate the security, privacy, and operational risk of doing business with them.

That's the textbook definition. The honest one is: it's how you build a defensible answer to the question, if this vendor gets breached, what happens to my company?

Done well, the questionnaire produces three artifacts: a risk picture, an evidence file, and a decision. Done poorly, it produces a 47-tab spreadsheet nobody opens until the auditor asks for it.

You'll hear a few different names for the same thing. Security questionnaire tends to lean technical. A due diligence questionnaire (DDQ) tends to lean toward financial and contractual matters, often used by procurement and legal. The third-party risk questionnaire sits on top and pulls from both. Most mature programs run one combined intake and stop arguing about labels.

The eight categories every TPRM questionnaire needs to cover

You can have an opinion on the question count. You can't really have an opinion on coverage. If your questionnaire skips one of these areas, you don't have a third-party risk questionnaire — you have a checklist with a fancier name.

1. Governance and program maturity. Who owns security at the vendor. Whether they have a written infosec policy approved by a real executive (not "in progress"). Whether there is a formally appointed CISO or equivalent. Whether a risk register exists and someone actually looks at it. This is where you find out if the company has a security function or just a Slack channel called #security.

2. Information security controls. Encryption at rest and in transit. MFA enforcement. SSO. Least-privilege RBAC. Vulnerability management with severity-based SLAs. SDLC controls, including code review and SAST/SCA. Logging, monitoring, EDR, MDM. The technical meat. About 35–40 questions deep at Tier 1.

3. Data privacy and handling. What data they touch. Where it lives geographically. Which sub-processors touch it. Retention. Deletion process. GDPR, CCPA/CPRA, HIPAA, whichever applies to your business. If you're a US healthcare buyer and the vendor doesn't know what a BAA is, that's a finding before they finish the sentence.

4. Business continuity and disaster recovery. Tested RTO and RPO. Backup strategy. Last DR exercise and what they actually learned from it. Plenty of vendors will claim 99.99% uptime. Far fewer will hand you the post-mortem on their last real incident. Ask.

5. Sub-processor and fourth-party risk. Who their critical sub-processors are. How they vet them. Whether they flow down their own security and notification obligations. This is the section where most teams are underweight, and it's the one regulators have started weighing heaviest. DORA in the EU and the recent NYDFS Part 500 amendments both put third-party risk on the front page.

6. Compliance and audit posture. SOC 2 Type II. ISO 27001. ISO 27701 if privacy matters. PCI DSS, HITRUST, and FedRAMP, where applicable. Audit dates, qualifications, and exceptions. Don't accept "we're working toward SOC 2" — that's a roadmap, not a control.

7. Incident response. Their IR plan. Tabletop frequency. Notification SLAs in writing (because verbal commitments evaporate in a real incident). Number of incidents in the last 24 months and what they disclosed. The vendors who are honest about past incidents are the ones you want.

8. AI and emerging risk. New as of about 18 months ago, mandatory now. Are they using customer data to train or fine-tune models? Whether they offer opt-out. How they handle prompt injection. Model inventory. Most vendors are still figuring this out — but their answers should at least exist.

That's the floor. The Tier 1 questionnaire in our downloadable template covers all eight, plus identity management, physical security, financial stability, and personnel — about 120 questions total.

The questionnaire frameworks worth starting from

You don't have to invent the questionnaire from scratch. There are several well-maintained starting points, and the right one depends on what kind of vendor you're assessing.

SIG (Standardized Information Gathering) from Shared Assessments. Comes in SIG Lite (a few hundred questions, manageable) and SIG Core (over a thousand, brutal). Broad coverage across 19 risk domains. Good fit when your vendor population is mixed: SaaS, MSPs, payroll, marketing tools, professional services, the whole zoo.

CAIQ (Consensus Assessments Initiative Questionnaire) from the Cloud Security Alliance. About 261 questions in the latest revision. Aligned to the Cloud Controls Matrix. If you're vetting a SaaS company, CAIQ is usually the cleaner starting point and produces less friction with the vendor.

NIST SP 800-161 is the supply chain risk management standard. It's a control framework rather than a question set, but if you're a federal contractor or you sell into federal, your questionnaire needs to map to it.

Custom questionnaires. Almost every security team eventually builds a tailored questionnaire that pulls the questions that matter from one of the above and trims the rest. This is fine. The risk is drift. A custom questionnaire that nobody owns ends up with three questions about a 2019 vulnerability scanner and zero questions about AI model training. Review yearly. Mark a calendar invite. Actually do it.

A practical move that works for most mid-market security teams: start from SIG Lite, trim hard, layer in five to ten questions specific to your environment, and version-control the result. You'll end up with something around 80–120 questions for Tier 1, and you'll never miss the hundreds of questions you cut.

Tier vendors before anything else (this is the whole game)

Here's the single biggest mistake in vendor risk assessment, and it's so common it's almost a cliché: sending the same questionnaire to every vendor.

A 300-question SIG fired at a sticker printer who will never touch your data is malpractice. So is a 25-question intake fired at the payroll provider who has every employee SSN you've ever onboarded. Tier first. Then scope.

A workable tiering model:

Tier 1 — Critical. Vendor processes regulated data, has integration into your production environment, holds privileged access, or is a single source for a revenue-critical workflow. Full questionnaire. Annual reassessment. On-site or virtual control review, where feasible. Named risk owner. Continuous monitoring on top.

Tier 2 — Moderate. Vendor handles confidential but non-regulated data, has standard-user access to internal systems, or could cause meaningful business disruption if down for a week. Scoped questionnaire, roughly half the length of Tier 1 (the template uses 70 questions). Reassessment every 18 to 24 months.

Tier 3 — Low. Vendor doesn't touch regulated data. No production access. Easily replaceable. Lightweight questionnaire (~15–25 questions). Reassessment on contract renewal.

Tiering is a judgment call, but it should be a documented one. Run it through a repeatable inherent risk scoring model. Write down the rationale. When a Tier 3 vendor surprises you by becoming Tier 1 — and it will, because usage grows and scope creeps — you'll want the trail.

The Vendor Tiering tab in our template handles this for you. Seven inherent risk factors (data sensitivity, data volume, system access, integration depth, business criticality, regulatory exposure, geographic / sub-processor risk), each scored 1, 3, or 5. The tier is calculated automatically. You write the rationale. The auditor sees a complete record. About six minutes of work.
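As an added example (not the template's own formula, and not code from the original page), here is the same tiering calculation in Python: seven factors scored 1, 3 or 5, a total, an override so that a 5 on regulated data or privileged access alone forces Tier 1 as the tier definitions above require, and the reassessment date that falls out of the tier. The cut-offs of 25 and 15 on the 7 to 35 total and the 18-month Tier 2 cadence are assumptions; the page does not publish the template's thresholds, and the sample vendors are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# The seven inherent risk factors from the tiering tab, each scored 1, 3 or 5.
FACTORS = (
    "data_sensitivity", "data_volume", "system_access", "integration_depth",
    "business_criticality", "regulatory_exposure", "geo_subprocessor_risk",
)
ALLOWED = {1, 3, 5}

# Assumed cut-offs on the 7..35 total. The page does not publish its thresholds;
# tune these to your own risk appetite and write the choice down.
TIER1_MIN_TOTAL = 25
TIER2_MIN_TOTAL = 15

# A 5 on either of these forces Tier 1 regardless of total: regulated data or
# privileged/production access alone makes a vendor critical.
OVERRIDE_FACTORS = ("data_sensitivity", "system_access")

# Reassessment cadence in months; None means "at contract renewal".
# Tier 2 uses the short end of the 18-24 month range (assumption).
CADENCE_MONTHS = {1: 12, 2: 18, 3: None}


@dataclass(frozen=True)
class TierResult:
    tier: int
    total: int
    rationale: str  # written to the decision log so the auditor sees why


def score_vendor(scores: dict) -> TierResult:
    """Validate the seven factor scores and map them to a tier with a rationale."""
    missing = set(FACTORS) - set(scores)
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    bad = {f: scores[f] for f in FACTORS if scores[f] not in ALLOWED}
    if bad:
        raise ValueError(f"scores must be 1, 3 or 5: {bad}")
    total = sum(scores[f] for f in FACTORS)
    overrides = [f for f in OVERRIDE_FACTORS if scores[f] == 5]
    if overrides:
        return TierResult(1, total, f"override: {', '.join(overrides)} scored 5")
    if total >= TIER1_MIN_TOTAL:
        return TierResult(1, total, f"total {total} >= {TIER1_MIN_TOTAL}")
    if total >= TIER2_MIN_TOTAL:
        return TierResult(2, total, f"total {total} in [{TIER2_MIN_TOTAL}, {TIER1_MIN_TOTAL})")
    return TierResult(3, total, f"total {total} < {TIER2_MIN_TOTAL}")


def add_months(d: date, months: int) -> date:
    """Calendar-month addition; clamps the day so 31 Jan + 1 month is end of Feb."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_reassessment(tier: int, signed: date, renewal: date) -> date:
    """Date to put on the calendar the day the contract is signed."""
    months = CADENCE_MONTHS[tier]
    return renewal if months is None else add_months(signed, months)


if __name__ == "__main__":
    # Constructed sample scores: a sticker printer and a payroll provider.
    printer = dict.fromkeys(FACTORS, 1)
    payroll = dict(data_sensitivity=5, data_volume=5, system_access=3, integration_depth=3,
                   business_criticality=5, regulatory_exposure=5, geo_subprocessor_risk=3)
    for name, s in (("printer", printer), ("payroll", payroll)):
        r = score_vendor(s)
        due = next_reassessment(r.tier, date(2026, 4, 21), date(2027, 4, 21))
        print(f"{name}: tier {r.tier} ({r.rationale}); next reassessment {due}")
```

The override is the part worth keeping even if you change the thresholds: a total score lets seven mediocre factors average out a single catastrophic one, and the payroll provider with every employee SSN must land in Tier 1 whatever its other scores are.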

How to write questionnaire questions that aren't garbage

If you do build custom questions or trim an existing framework, a few opinionated drafting rules will save you from yourself:

Write questions that a non-engineer at the vendor can answer without three follow-up calls. "Do you use MFA?" is bad. "Is multi-factor authentication required for all administrative access to systems holding customer data?" is better. Specific. Bounded. Scorable.

Avoid double-barreled questions. Don't ask "Do you encrypt data at rest and in transit?" as a single yes/no. The vendor will answer yes when only one is true, and you'll miss it.

For each question, decide what answer constitutes a finding before you send the questionnaire. Otherwise, scoring becomes whatever the reviewer felt that week. This is the boring discipline that separates programs that pass an audit from programs that survive a breach.

Demand evidence references. A "yes" with no artifact is a wish.

The vendor side of the table (because they're not the enemy)

Quick reminder for the buyers reading this: the vendor isn't trying to deceive you. They're filling out fourteen of these a quarter. Their security team is small. Their sales team is breathing down their necks. Their answers will reflect that reality unless you make it easy.

A few things that meaningfully help:

Send the questionnaire in the format you expect back. Excel is fine. PDF is hostile. A portal that requires the vendor to create yet another login they'll never use again is worse than a PDF.

Tell them what tier they're being assessed at and why. Most vendors will gladly give you a focused answer if they understand the scope.

Accept their existing artifacts where you can. If they have a SOC 2 Type II covering 80% of your questionnaire, take it. Asking them to retype the same controls into your form is friction without value.

Set a realistic SLA. Two weeks for a Tier 1 questionnaire is aggressive but doable. Five business days is theater.

The flip side, for the vendors reading: the way to win this game is to build a Trust Center that proactively answers the questions before you get them. Make your security documentation, certifications, sub-processor list, and standard answers self-serve. The fastest TPRM cycle is the one where the buyer never has to send a questionnaire at all.

A repeatable vendor risk assessment workflow

Tooling matters less than workflow. The workflow looks roughly like this in every program that actually works.

1. Intake. A new vendor request comes in. Capture vendor name, business purpose, data types, integration scope, and contract value. One screen. Don't make it harder than it needs to be.

2. Tier. Run the inherent risk score and assign Tier 1, 2, or 3. Document the rationale. Lock the tier before sending the questionnaire.

3. Scope and send. Pull the right questionnaire for that tier. Attach the evidence list. Send with a clear SLA and a single point of contact.

4. Review. When responses come back, score against your finding criteria. Don't grade on a curve. A "no" with a strong compensating control is fine. A "yes" with no evidence is a finding.

5. Decide. Three outcomes: approve, approve with conditions (with the conditions written down), or reject. A named risk owner signs the decision. If business pushes back, the path is risk acceptance with executive signoff — not erasing the finding.

6. Document. Save everything. Questionnaire, evidence, scoring, decision, signoff. This is the single most important step for audit defensibility, and it's the one most teams botch.

7. Monitor. Subscribe to breach notifications and sub-processor change feeds for at least your Tier 1 vendors.

8. Reassess. Per the cadence you set at tiering. Schedule it on day one of the relationship so it doesn't slip.
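An added example, not code from the page or from Cyberbase, that wires the drafting rule from the previous section (decide the finding answer before sending), the review rule (a "no" with a compensating control is acceptable, a "yes" with no evidence is a finding) and the decision step together in Python. Question IDs, severities, the sample vendor and the rule that an unmitigated high-severity finding is a reject unless an executive formally accepts the risk are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    finding_if: str            # the answer that is a finding, fixed before sending
    severity: str              # "high" | "medium" | "low"
    evidence_required: bool = True


@dataclass(frozen=True)
class Response:
    qid: str
    answer: str                # "yes" | "no" | "n/a"
    evidence_ref: str = ""     # artifact the vendor points to (report, policy, ticket)
    compensating_control: str = ""


@dataclass(frozen=True)
class Item:
    qid: str
    kind: str                  # "finding" or "condition"
    severity: str
    reason: str


def score(questions, responses):
    """Score answers against finding criteria that were fixed before the send."""
    by_id = {r.qid: r for r in responses}
    items = []
    for q in questions:
        r = by_id.get(q.qid)
        if r is None:
            items.append(Item(q.qid, "finding", q.severity, "no answer supplied"))
            continue
        ans = r.answer.strip().lower()
        if ans == q.finding_if:
            if r.compensating_control.strip():
                # a "no" backed by a real compensating control is acceptable, but it
                # goes into the log as a written condition rather than disappearing
                items.append(Item(q.qid, "condition", q.severity,
                                  f"'{ans}' accepted on compensating control: {r.compensating_control}"))
            else:
                items.append(Item(q.qid, "finding", q.severity, f"answered '{ans}'"))
        elif q.evidence_required and not r.evidence_ref.strip():
            # a "yes" with no artifact is a wish, and scores as a finding
            items.append(Item(q.qid, "finding", q.severity,
                              f"answered '{ans}' with no evidence reference"))
    return items


@dataclass
class Decision:
    vendor: str
    outcome: str               # "approve" | "approve_with_conditions" | "reject"
    owner: str                 # the named human who signs
    decided_on: date
    findings: list = field(default_factory=list)
    conditions: list = field(default_factory=list)


def decide(vendor, items, owner, decided_on, risk_accepted_by=""):
    """Turn scored items into one of three outcomes, signed by a named owner."""
    if not owner.strip():
        raise ValueError("a named risk owner must sign; diffuse ownership is not a decision")
    findings = [i for i in items if i.kind == "finding"]
    conditions = [i for i in items if i.kind == "condition"]
    if any(f.severity == "high" for f in findings):
        # assumed rule: an unmitigated high finding is a reject unless an executive
        # accepts the risk in writing; the finding stays in the record either way
        if risk_accepted_by.strip():
            outcome = "approve_with_conditions"
            conditions.append(Item("*", "condition", "high",
                                   f"residual risk accepted by {risk_accepted_by}"))
        else:
            outcome = "reject"
    elif findings or conditions:
        outcome = "approve_with_conditions"
    else:
        outcome = "approve"
    return Decision(vendor, outcome, owner, decided_on, findings, conditions)


# Constructed sample: four Tier 1 questions and one vendor's responses.
SAMPLE_QUESTIONS = [
    Question("IS-01", "Is MFA required for all administrative access to systems holding customer data?", "no", "high"),
    Question("IS-02", "Is customer data encrypted at rest?", "no", "high"),
    Question("BC-01", "Has a DR exercise been run and its results documented in the last 12 months?", "no", "medium"),
    Question("SD-01", "Is SAST run on every change before it is merged?", "no", "low"),
]
SAMPLE_RESPONSES = [
    Response("IS-01", "Yes", evidence_ref="Okta MFA policy export, 2026-03"),
    Response("IS-02", "Yes", evidence_ref="SOC 2 Type II 2025, CC6.1"),
    Response("BC-01", "No", compensating_control="full restore test from backups, Q1 2026 ticket attached"),
    Response("SD-01", "Yes"),  # a "yes" with no artifact
]


def demo():
    items = score(SAMPLE_QUESTIONS, SAMPLE_RESPONSES)
    return decide("ExampleCo", items, owner="J. Doe, VP Engineering", decided_on=date(2026, 4, 21))


if __name__ == "__main__":
    d = demo()
    print(d.outcome, [(i.qid, i.reason) for i in d.findings + d.conditions])
```

Two design choices follow from the text. The finding answer lives on the Question, not in the reviewer's head, so two reviewers scoring the same response reach the same result. And risk acceptance never deletes the finding; it adds a condition naming who accepted it, which is the trail you want when the auditor or the breach arrives.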

That whole loop is operationalized in the Vendor Evaluation Checklist. Five stages — Intake & Tiering, Security & Privacy Review, Legal & Contract, Risk Decision, Post-Signature & Onboarding — with a signature block at the decision stage and a findings log at the back. Print it. Run it together with procurement and the business owner. The whole thing takes about 30 minutes if everyone shows up prepared.

When to reassess (the question nobody asks until the auditor does)

Reassessment cadence by tier:

  • Tier 1 (Critical): annually, at a minimum
  • Tier 2 (Moderate): every 18 to 24 months
  • Tier 3 (Low): at contract renewal

That's the baseline. Five things should trigger an out-of-cycle reassessment regardless of where you are in the cycle:

  • A confirmed breach at the vendor (or one of their sub-processors)
  • A material change in vendor ownership or executive leadership
  • A material change in the service or scope of access
  • An audit finding in your own audits that touches that vendor
  • A sub-processor change that materially expands the data flow

Set the next reassessment date to the day the contract is signed. Calendar invite. Owner assigned. If you wait until the renewal cycle to figure it out, you've already missed it.

Where automation actually helps (and where it doesn't)

The TPRM tooling market is loud. Some of it is genuinely useful. Some of it is a CSV importer with a CRM bolted on, charging $80K a year. Honest read on what to automate and what to keep human:

Automate intake. A web form with structured fields beats an email thread every time.

Automate evidence collection where the vendor has a Trust Portal. If their SOC 2, ISO 27001, sub-processor list, and policies are already published, your tooling should pull them automatically and stop asking the vendor to email them over.

Automate first-pass scoring. AI is genuinely good at reading a vendor's response and matching it to your finding criteria. It's not perfect. It shouldn't be the final answer. But it can save a reviewer hours per vendor.

Automate the response side too. If you're a vendor, an AI-native DDQ engine can draft answers to incoming questionnaires from your existing controls and policies in minutes instead of weeks. One of our customers — Augment Code — cut 743 hours out of their contract and questionnaire workload across 155 contracts in a single quarter. Same answers. Same defensibility. Dramatically less typing. ROI worked out to roughly 13 to 1 over the first year, mostly in security and legal hours they didn't have to spend.

Don't automate the risk decision. That belongs to a human risk owner. AI can recommend, summarize, and surface gaps. The accountability sits with a person.

Don't automate vendor relationship management. If you treat your critical vendors as a portal-only relationship, the first time something breaks, you'll wish you'd had a quarterly call.

Common mistakes (a non-exhaustive list)

A few patterns that show up over and over in TPRM programs that aren't working:

Diffuse ownership. "Vendor risk is a team sport" sounds nice and means nothing. Every vendor record needs one named human who signs the decision.

Same questionnaire for every vendor. Already covered. Worth saying twice. Tier first.

Sending the questionnaire before checking the Trust Center. A lot of vendors have already published 80% of what you're about to ask for. Look first.

Accepting evidence you don't actually open. A SOC 2 sitting in a folder is not the same as a SOC 2 reviewed against your controls. The auditor knows the difference.

No documented decision. "We approved them" in a Slack thread is not a record. Use the Risk Decision tab in our template, or your GRC equivalent. Either way, get a signature.

No reassessment cadence. First-pass assessments are not a moat. Vendor posture changes. Sub-processors change. Ownership changes. If you're not reassessing, you're not managing risk — you're remembering a snapshot.

A note on where this is all going

The reason third-party risk has gotten so much louder over the past few years isn't the questionnaires themselves. It's that supply chain attacks, sub-processor breaches, and vendor consolidation risk are now a meaningful share of the enterprise threat model. SolarWinds, MOVEit, the Snowflake customer breaches in 2024, the Change Healthcare incident — every one of them was a third-party event from somebody's perspective.

Regulators have noticed. DORA in the EU. The NYDFS Part 500 amendments. The SEC's incident disclosure rule. The steady drumbeat of state privacy laws. They're converging on the same expectation: you are responsible for the security of the data you hand to your vendors. The questionnaire is just the start of meeting that obligation. The work is in what you do with the answers.

Get the free TPRM toolkit

Two downloads, no email required, both work on day one:

📊 Third-Party Risk Assessment Template (XLSX)

  • Vendor Tiering tab with auto-scoring
  • Three-tier-scoped questionnaires (Tier 1: 120 questions, Tier 2: 70, Tier 3: 20)
  • Evidence Tracker with status dropdowns for 24 standard artifacts
  • Risk Decision sheet with auditor-facing fields and signature block
  • Conditional formatting that flags findings as you score

Download the Risk Assessment Template →

📋 Vendor Evaluation Checklist (DOCX)

  • Five-stage workflow: Intake → Security Review → Legal → Decision → Post-Signature
  • Printable, US Letter, branded
  • Signature block for the risk owner
  • Findings log at the back

Download the Vendor Evaluation Checklist →

Both are free, and both carry nothing more than a logo you can strip before using them inside your own program. Take them, modify them, send them around your team. If they save you a week, we did the job.

See it run on your own data

If your team is drowning on either side of this — sending questionnaires you can't review fast enough, or answering questionnaires that block your sales cycle — there's a way out that doesn't involve hiring more people.

Cyberbase is built around an AI-native Context Engine that powers three workflows in one workspace:

  • DDQ and Security Questionnaire Automation — answer incoming questionnaires from your own controls, policies, and evidence in minutes, not weeks
  • Vendor Risk Assessment — send, score, and decide on the buying side, with the same engine helping reviewers
  • Trust Center — free forever, self-serve, so buyers can answer most of their own questions before they ever send a questionnaire

One workspace. Three workflows. No per-question pricing.

Open your workspace →

Or book a 20-minute walkthrough →

FAQ: Third-Party Risk Questionnaire

What is a third-party risk questionnaire?

A third-party risk questionnaire is a structured set of questions a buyer sends to a vendor to evaluate the security, privacy, and operational risk of doing business with them. It typically covers governance, information security controls, data handling, business continuity, sub-processor management, and compliance posture. The questionnaire is the input. The risk decision is the output.

How long should a third-party risk questionnaire be?

Match the length to the risk tier. A low-risk vendor with no access to data should not get more than 15 to 25 questions. A critical vendor processing regulated data warrants the full Tier 1 questionnaire, around 80 to 120 questions. Sending the same questionnaire to every vendor is the fastest way to get garbage answers and burn out your reviewers.

What's the difference between a security questionnaire and a third-party risk questionnaire?

They overlap heavily. A security questionnaire focuses on technical and information security controls. A third-party risk questionnaire is broader. It includes security but also covers business continuity, financial stability, regulatory exposure, geographic concerns, and sub-processor risk. Most mature programs run one combined intake.

What is the difference between SIG and CAIQ?

SIG (Standardized Information Gathering) is maintained by Shared Assessments and is broader, covering 19 risk domains across information security, privacy, and operational risk. CAIQ (Consensus Assessments Initiative Questionnaire) is maintained by the Cloud Security Alliance and is laser-focused on cloud service providers. For a SaaS vendor, CAIQ is usually the cleaner starting point. For broader vendor types, SIG fits better.

How often should we reassess vendors?

Tier 1 (critical) vendors should be reassessed annually at minimum. Tier 2 (moderate) every 18 to 24 months. Tier 3 (low) on contract renewal. Trigger an out-of-cycle reassessment whenever there is a breach disclosure, ownership change, material service change, or audit finding tied to that vendor.

What should be included in a vendor risk assessment?

A vendor risk assessment should include a risk tier classification, a questionnaire scoped to that tier, evidence collection (SOC 2, ISO 27001, pen test summaries), a control gap analysis, an inherent and residual risk score, a documented decision (approve, approve with conditions, reject), and a reassessment cadence. Skip any of those and you've done a checkbox exercise, not an assessment.

Who is responsible for third-party risk assessments?

Operationally, the security team scores the questionnaire and surfaces findings. The named risk owner — usually the business owner or a designated VP — signs the final decision. Procurement and legal own contract terms. Privacy or DPO owns the DPA. Diffuse ownership is the failure mode. Every vendor record needs one accountable name.
