If you’re new to vendor risk assessments, this article includes a real-life example of service provider risk assessment, helping you understand their structure and the details they entail.
Learn how UpGuard streamlines vendor risk assessments >
Risk Assessments vs. Security Questionnaires in Third-Party Cybersecurity
In the context of cybersecurity, a risk assessment is an in-depth study of a vendor’s security and regulatory compliance risks.
Security questionnaires form part of a risk assessment. They’re commonly used to discover cybersecurity risks related to alignment gaps between security frameworks and regulations. Security questionnaires are included amongst other third-party security risk discovery methods, collectively representing a vendor’s complete risk exposure.
Risk assessments, and therefore, security questionnaires, fall under the umbrella of Vendor Risk Management, a cybersecurity program focused on discovering and mitigating all third-party security risks throughout each vendor lifecycle.
A critical step preceding the implementation of a vendor risk assessment process is vendor due diligence, where the potential risks of new vendor relationships are analyzed at a high level to understand their potential impact on your security posture. Besides helping you understand which potential vendors should be avoided because the risk of ensuing third-party data breaches is too high, due diligence also differentiates vendors requiring access to sensitive information, such as customer data.
Related: Creating a Vendor Risk Assessment Framework (6-Step Guide)
Vendor Due Diligence is a critical phase of onboarding as it flags high-risk vendors requiring access to sensiitve data to support your business operations.
Vendors processing your sensitive data will require higher levels of security measures. To easily differentiate them, such vendors are usually flagged as high-risk and assigned to the most critical tier of a Vendor Risk Management program. The third-party vendor risk data collected for high-risk vendors during due diligence will then form the basis of their initial risk assessments.
For low-risk vendors, regular review of their automated attack surface scanning results and security pages will likely be sufficient as an ongoing assessment strategy.
Critical vendors (those processing your sensiitve data) will require the most comprehensive level of risk assessment - one involving security questionnaires. Once completed, a risk assessment outlines the requirements of a risk management strategy for that vendor. These initial point-in-time assessments could also be shared with stakeholders to offer visibility into your Third-Party Risk Management efforts.
Initial point-in-time risk assessments are an excellent resource for stakeholders involved in designing your Vendor Risk Management processes.
Related: A 4-Stage Vendor Risk Management Framework
To provide further clarity on the processes involved in due diligence and how they fit into the vendor onboarding workflow, watch this video.
Learn about UpGuard's Vendor Risk Assessment Product Features >
Example of a Vendor Risk Assessment
The vendor risk assessment workflow on the UpGuard platform will be used to illustrate the structure of risk third-party risk assessments. The steps in this workflow could be used as a reference for your own vendor risk assessment template.
This vendor risk assessment template is divided into two components - Evidence Selection and Risk Management.
Evidence Selection
The Evidence Selection portion aggregates data from multiple sources to establish a vendor’s risk profile. Due diligence processes are included in this phase of an assessment.
This particular risk assessment template offers five categories of data sources to form the basis for an initial risk assessment.
1. Automated Scanning Results
A list of security risks and vulnerabilities discovered through automated non-invasive scans of the vendor’s external attack surface.
Related: Choosing an External Attack Surface Management Tool
2. Risk Modifications
Information provided by the vendor about compensating security controls reducing the severity of security risks discovered through questionnaires.
3. Security Questionnaires
A list of security questionnaires used to uncover deeper security risk insights not discoverable through superficial attack surface scans.
Your chosen set of security questionnaires will depend on the different risk categories each unique business relationship will likely be exposed to. Some potential types of vendor risks worth considering when deciding which set of vendor risk assessment questionnaires to include are outlined below.
- Supply chain risks - Vulnerabilities in the vendor’s supply chain increasing the vendor’s risk of suffering a security breach. Third-party relationships susceptible to supply chain risks would benefit from aligning with cyber frameworks, including Supply Chain Risk Management standards, such as NIST CSF version 2 - an effort that could be tracked with a NIST CSF questionnaire.
- Business continuity risks - Threats to the ongoing operations that could disrupt core business functions
- Information security risks - Exposures forming attack vectors facilitating data breaches and malware injections, such as misconfigured elastic search servers.
- Operational risks - Issues in day-to-day operations potentially causing significant disruptions impacting organizational cyber threat resilience.
- Reputational risks - Potential damage to the organization’s public image, especially as a result of poor cybersecurity practices.
- Financial risks - Risks of financial loss due to poor operational efficiency and cyber threats, an impact that could be determined with Cyber Risk Quantification.
- Disaster recovery risks - Risks associated with resuming critical business operations, usually due to insufficient Disaster Recovery Plans.
Using questionnaires to regularly track the risk of supply chain cyber attacks could have the added benefit of streamlining procurement processes, improving the overall efficiency of your onboarding workflow
Your choice of questionnaires is also influenced by the metrics governing your cybersecurity program's success, which likely map to industry standards and regulations impacting your business operations.
In this example, the vendor is being assessed for its degree of alignment with the cybersecurity framework ISO 27001 and the strength of its web application security controls.
4. Additional Evidence
The additional evidence section pulls data from any additional relevant security resources to form the most comprehensive representation of a vendor's risk profile.
Some common examples of additional evidence resources include:
- Cybersecurity audits
- Certifications
- A vendor’s public-facing web page showcasing their security or compliance-related documentation.
5. Trust and Security Pages
This evidence collection source pulls data from a vendor’s Trust and Security page, if one is available. Trust and Security pages overview the objectives and risk management efforts of a vendor’s cybersecurity program. With sufficient information, a Trust and Security page could significantly reduce the complexity of security questionnaires in an initial risk assessment.
Risk Management
The final component of this risk assessment template is the risk management phase. This is where all risks detected from the evidence-collection phase are assigned a severity rating and ranked from most critical to least critical.
Since initial risk assessments could serve as an action plan for managing the new vendor’s risk profile, every listed risk should be accompanied by a field outlining a corresponding risk treatment plan. These short notes will streamline decisions about whether the vendor is woth onboarding after the risk assessment is completed.
All risk treatment plans should consider whether the resource investment required to suppress a risk below the company’s risk appetite is worthwhile.
Examples of security questionnaires used in risk assessments
A security questionnaire is differentiated by the specific industry standards and regulatory requirements it maps to. Depending on the level of security detail covered in a specific standard, a questionnaire could be relatively concise or lengthy.
Here’s a snapshot of a SP NIST-800 Rev 4 questionnaire from the UpGuard platform, consisting of 5 primary sections and 138 subsections.
To learn more about the information commonly included in such a questionnaire, refer to this NIST 800-53 template.
Here’s another example of an in-depth questionnaire mapping to the standards of ISO 27001.
To learn more about the information commonly included in such a questionnaire, refer to this ISO 27001 questionnaire template.
Here’s a snapshot of a questionnaire mapping to the standards of SIG Lite, a questionnaire used to produce a broad representation of a vendor’s internal information security controls.
Other types of questionnaires include:
- GDPR Questionnaire - To uncover data security risks and data privacy risks related to the General Data Protection Regulation, an effort that could help establish advanced compliance strategies.
- HIPAA Questionnaire - Used by healthcare entities to uncover outsourcing risks pertaining to the Health Insurance Portability and Accountability Act.
- NIST CSF Questionnaire - For evaluating alignment against the stabdards of the NIST Cybersecurity Framework.
For a complete list of questionnaires commonly used in risk assessments, refer to this list of questionnaires available on the UpGuard platform.
Automate your vendor risk assessment processes in 2024
By integrating artificial intelligence into processes that commonly cause bottlenecks in risk assessment, UpGuard’s AI Toolkit supports faster assessment completions and is a scalable vendor risk assessment program.
Watch this video for an overview of UpGuard’s AI Toolkit.
