Risk Assessments

  • 1.  Control Frameworks Question

    This message was posted by a user wishing to remain anonymous
    Posted 08-25-2025 01:18 PM

    Would anyone be open to sharing which control frameworks your company evaluates your third parties against? For instance, do you utilize controls from NIST, ISO 27001, ISO 22301 (business continuity), or the SIG to evaluate your vendors' controls? Do you utilize a subset of controls from multiple frameworks, or do you utilize a custom control framework/questionnaire? I realize the level of due diligence and the number of controls/questions will greatly depend on the level of risk/criticality. How many controls are too many to evaluate before it becomes overly burdensome? The full SIG, for example, seems excessive with over 800 questions.

    I work in a financial services organization. Any help is greatly appreciated!



  • 2.  RE: Control Frameworks Question

    This message was posted by a user wishing to remain anonymous
    Posted 08-25-2025 03:23 PM

    We use a mix of NIST and our own controls/questions. I'm in the financial industry too, but in a lightly regulated segment, so we do what makes sense for our company. We are finding that more and more third parties do not want to respond to risk assessments and instead point us to their published trust centers or other documentation. This trend is forcing us to really focus on what is within our risk tolerance and what we are not as concerned about.