High-risk vendors can be very complex, so it might be challenging to create a single questionnaire that addresses every risk area you need to assess. On the other hand, it might be too labor-intensive to create a unique questionnaire for every vendor.
I would recommend something in the middle of what you're describing – starting off with a standardized questionnaire and building upon that with additional questions related to specific risk areas and/or vendor types. Standard Information Gathering (SIG) questionnaires are a common suggestion for high-risk vendors because they include a variety of questions around areas like cybersecurity, privacy, IT, and business resiliency. The National Institute of Standards and Technology (NIST) also offers a variety of assessment tools that are designed to determine whether a vendor's practices are aligned to their cybersecurity framework.
Common cybersecurity questions to ask might include:
1. What type of security testing do you perform and how often?
2. How does your organization destroy or dispose of expired media?
3. Does your organization have a formal incident response plan in place? If yes, when was it last tested?
In addition to these standardized questionnaires, your organization may want to assess other risk categories like ESG or AI. You can find sample questionnaires online and adapt those questions for your own use.
Here are a few sample questions that may be appropriate for a vendor questionnaire on AI risk:
- Is AI technology used as a component of or in the research, development, or production of any of your products or services?
- Does your organization use AI to handle or store any sensitive data?
- Does your organization have policies in place for employee use of AI? If yes, please attach.
You may also want to assess certain vendor types like cloud service providers (CSPs). Cloud Security Alliance offers the Consensus Assessment Initiative Questionnaire (CAIQ), which can help you determine the types of controls your CSPs have in place.
I hope some of these tips are helpful, and I'd love to see what others recommend.
Original Message:
Sent: 06-18-2024 04:10 PM
From: Anonymous Member
Subject: Risk Assessment Questionnaire for High Risk Vendor
This message was posted by a user wishing to remain anonymous
Would anyone be willing to share their risk assessment questionnaire for high-risk vendors? Are you all creating unique ones for each high-risk vendor or have a go-to one for all high-risk vendors? Any assistance would be greatly appreciated.