Due Diligence and Ongoing Monitoring

  • 1.  Vendor Questionnaire Templates

    This message was posted by a user wishing to remain anonymous
    Posted 08-18-2021 04:40 PM

    We're establishing our TPRM program and are evaluating questionnaires. While we're leaning towards SIG Lite for our IT vendors and some of our other large vendors, there's a concern that the SIG may be too extensive for some of our more moderately sized vendors.

    Any suggestions for existing templates which are not quite as expansive?



  • 2.  RE: Vendor Questionnaire Templates

    Posted 08-24-2021 10:07 AM
    It can be tough to establish a mid-level or 'baseline' questionnaire that is suitable for moderate- to low-risk vendors. However, your dilemma is very common; the SIG is extensive, and too much for many vendors to entertain. I have always liked having a fairly simple, very high-level questionnaire that can accommodate even the most stubborn vendors and that gives the bare-bones picture of a vendor's inner workings and control environment. This would be one that asks, at a high level, if there are functions/departments/policies in place - such as, "Do you have a privacy program? Do you have an Information Security policy? Does it include encryption, access management, asset management, physical security, etc.? Do you have a BC/DR plan in place that is tested annually?" This can at least give insight into their control competence.

    Anyone else have thoughts on this?