How to fill a vendor security risk assessment questionnaire

We can help you fill the security questionnaires you receive from your clients. Here is a short video to summarize and augment this article:

Filling the security questionnaire adequately will help you win your client’s business or comply with their requirements to continue working with them.

The article will require you to do a lot of work – but the results will be worth it.

Sometimes the document may be named “Supplier onboarding checklist,” but its purpose remains the same – to assess your readiness to handle cybersecurity risks.

If you need to know how to fill such a questionnaire, which sometimes can contain up to 290 questions, you have come to the right place.

Before you begin, there are a few things you should know:

  • Every answer you give makes you legally liable for non-compliance in the event of a breach
  • Many questions will sound alien, and your team will have no idea what they are about – do your research before answering
  • Answering some questions with a “yes” will require you to go through complex and sometimes expensive projects. Make sure you communicate with your client about these questions – perhaps they are not critical to them in your specific case.
  • Cybersecurity may be a completely new field for your entire team. Answering “compliant” may require people to change the way they do their job. Expect resistance. We can help you deal with the opposition in a smooth, productive way.

For smaller vendors, it is an impossible task to fill such a questionnaire by themselves. Each time they do, the result may sound logical to them but completely discredits them in their client’s eyes, who has a well-trained and experienced security team and can quickly spot when you pull answers out of thin air.

We helped our more prominent (8000+ employees) clients create similar questionnaires and vendor assessment processes to evaluate their partners and vendors. If you read this article carefully and follow it, you will have no problem filling the security risk assessment checklist you have just received.

Smaller vendors often fail to see the potential of diligently filling the questionnaire. They see such questionnaires as a bore, a bureaucratic obstacle that slows down their business and is annoying to their IT department.

What if you transformed your company and its IT operations to be secure? What if you ensured you stored and processed client data safely?

And we are not talking about “secure according to ISO 27001” or other auditing standards – we are using the word “secure” in the context of practical, actual security. Where you would go beyond a simple checkbox approach “We have 2-factor authentication” to “The 2-factor authentication we use is user-friendly and difficult to bypass, that is why we feel it is a good and secure approach”.

Here is a video that discusses 2fa bypasses in detail:

If you watch the video, you will understand where is the limitation of security checklists. They ask you the basics. “Do you have 2fa?”. Our recommendation to you, when researching how to fill a security questionnaire, is to dig deeper and answer them with greater detail.


Because by digging deeper, as in the 2FA example above, if you go beyond the basics, you will impress the client. Imagine their satisfaction if you fill the questionnaire with “We have a bypass-resistant 2FA method” instead of just “Yes.”

Impressing your potential client usually means winning their business.

If you fill the first one correctly, you will always fill similar questionnaires and checklists in the way your clients expect; you would instantly rise above your competition.

You will win business that 99% of your competitors will not, simply because they see such checklists as bureaucracy and a waste of time.

Be the exception, become secure, build your information security program, and you will always have the perfect answer to any client’s cybersecurity questions.

How to review the checklist or questionnaire before you start working on it

When you open the Excel spreadsheet or the online questionnaire, you will be presented with an overview and instructions on how to provide your answers.

Usually, it looks like this:

how to fill security questionnaire 1


Or like this:

how to fill security questionnaire 2

In Excel files, the instructions are usually in the first or second sheet. In online systems, you can usually find instructions for each section or particular question.

Sometimes, they may even include a diagram like the one below:

how to fill a vendor security questionnaire 3

Spend enough time to understand the instructions, and do not start filling in the file until you are sure you know how to do it. If you have questions, now is a good time to refer them to the person or company who sent you the file.

Some questions are more important than others. For example:

how to fill a vendor security questionnaire 4

In this case, you see that Identity and Access Management is placed first, and the file asks you a generic question about your authentication and access management. This topic is the cornerstone of every security program, and you do not know how to answer this, which means you have very few controls in place and represent a significant risk as a vendor to your client.

Instead of trying to fix the answer and come up with something believable, we suggest that you try and implement an actual Identity and Access Management program in your company. It will serve you first and, as a result, provide value to your clients.

You can use the questions in such a questionnaire as a free security audit! Take advantage of not paying for the audit and do your research on what you should do and implement risk mitigation controls to impress your clients every time they send you such questionnaires and checklists.

Here is one more example of a vendor security questionnaire that we helped some of our clients become compliant with and then fill appropriately:

how to fill a vendor security questionnaire 6

Many of these questions have a deeper meaning – usually, your client wants to see your answer and the processes and procedures along with the answer. “Yes, we encrypt our data” is much less valuable than “Yes, we encrypt our disks with BitLocker/AES 256, and we encrypt our traffic by encapsulating it in TLS 1.2 which is the minimum acceptable level of encryption according to our policies and procedures”.


How to answer NIST 800-53 security questionnaires


How to answer ISO 27001 security questionnaires


How to answer 3rd party vendor security risk assessment questionnaires


Should you answer that question with “No”?

Answering “No” is more straightforward but can lead to misunderstanding on your client’s side.

Imagine being in their shoes, reading the filled security questionnaire, and seeing “no” everywhere.

Now compare that with the situation where you ask for clarifications about the criticality of missing the control or even ask their advice on prioritizing specific security control implementation to answer critical questions positively.

“Do you have a Data Leakage Protection?” might be the question. You may answer “No” to that.

But you may also ask, “Considering the ease with which DLP systems can be bypassed and the fact that we use this and that compensating control, can we mark this question’s answer as “Not Applicable” in our situation?”.

Hopefully, you see the difference between the two approaches.

Remember, you are not the last link in the chain. You got this questionnaire file because your client must comply with security rules and regulations and maintain a list of security vendors.

They cannot demand ultimate and perfect security from their vendors because even your client is not 100% secure. They know that.

Instead of simply answering “no,” use any or a combination of the strategies above.

Mark the questions you believe would be relevant for such an approach as “need clarification,” ask them which questions you should focus on, and ask them which security controls are a deal-breaker if missing.

Then focus on implementing these security controls, and then you will be able to answer positively in the questionnaire. Just like that, all sides have what they need, and everyone is happy!

Sometimes you might have budget constraints – and your clients will understand that, especially if you show them the compensating controls you have implemented.



Categories Uncategorized

Third party risk assessments – are you doing them wrong?

third party risk assessment blame

Third-party risk assessment companies pop up everywhere like mushrooms after a summer rain. Does your responsibility end with using one to qualify a vendor against your security standards? Vendors get hacked all the time, and companies like Apple blame vendors like Quanta for the breaches they experience. After all, Quanta Computer Inc. passed the third-party … Read more

How to find and hire a great CISO

become a cyber knight

In-house recruiters, CTOs, and executives everywhere are wondering: How to find and hire a great CISO to join their team, and if you are reading this – you are likely among them. Faced with the challenge of not having a dozen available CISOs in their network of friends and acquaintances, many start posting job ads … Read more

Here is what to do if hackers encrypted your NAS server

hackers encrypted NAS server

“Our QNAP NAS server was hacked and encrypted. Please help! Can we recover our data?” Here is how you can recover files from a hacked and encrypted NAS server. It doesn’t necessarily need to be QNAP – but that brand was hit particularly badly in June 2020. Please take note – the server is a … Read more

Information Security Consultants Require Efficiency Controls To Be Effective

Information Security Consultants Require Efficiency

Significant losses can occur if you choose your information security consultants at random and have no clear plan and strategy of working with them. Here is a procedure for selecting a consultant, working with them, and controlling their performance throughout the duration of your project.  Efficient work means clarity of expectations on both sides and proper controls … Read more

Block exploits and malware by blocking ad networks and ads

Exploits and malware – sometimes even highly advanced ones – are sometimes distributed via ad networks and hacked websites. And while you can’t control the latter even if you have a whitelist policy on your web proxy, you can control which ads are seen in your network. The way it works:  Hackers know, that every … Read more

Six ways to protect your law firms data

The common elements across all law firms when it comes to protecting them from hacking attacks are:  Your document management system Your case management system Your filing system Printing management systems File sharing and collaboration Phone management systems Email – and in many cases, if a hacker gains access to someone’s email, they also gain … Read more

Top 10 of the best european cybersecurity consulting companies

eu cybersecurity companies

Every country in the European Union has its own local cybersecurity consulting companies. Atlant Security is one of them.  How to identify a good cybersecurity consulting company? The most important criteria when making a selection between multiple cybersecurity consulting companies is their business model. Do they primarily perform penetration tests with the aim of reselling … Read more