10 important questions to add to your security questionnaire (with examples)

by SecureSlate Team in Vendor Risk GRC

Choosing vendors is not only a business decision—it is a security decision. A vendor security questionnaire is a standardized set of questions your organization sends to third parties to evaluate security posture, compliance practices, and risk exposure before onboarding.

Whether you are building an IT security questionnaire from scratch or refining an existing template, the right questions surface gaps early—before sensitive data leaves your environment.

This guide covers 10 essential questions with example strong answers and red flags to watch for.

This guide covers:

  • What a vendor security questionnaire is and when to use it
  • 10 questions with practical examples
  • How to handle concerning responses
  • How SecureSlate scales vendor reviews and questionnaire workflows

Key takeaways

  • A vendor security questionnaire standardizes third-party due diligence before contracts and data sharing.
  • Strong questionnaires go beyond yes/no—ask for evidence (reports, policies, metrics, timelines).
  • Certifications, encryption, incident response, and subcontractor governance are non-negotiable for high-risk vendors.
  • Vague answers (“industry standard encryption”) are a signal to dig deeper or tier the vendor higher for review.
  • If responses stay weak after clarification, do not onboard—your vendors reflect your security posture.
  • SecureSlate supports vendor risk workflows and questionnaire automation so teams focus on decisions, not document chasing.

What is a vendor security questionnaire?

A vendor security questionnaire (sometimes called a third-party security assessment or supplier security review) is a document—often a spreadsheet or portal form—used to evaluate whether a vendor can protect your data and meet your compliance obligations.

Typical use cases:

  • Pre-contract due diligence for SaaS, cloud, and outsourced processors
  • Annual re-assessment for critical vendors
  • Post-incident or post-breach re-evaluation
  • Regulatory-driven third-party risk programs (GDPR processors, HIPAA business associates, DORA ICT providers)

Pair questionnaires with risk tiering: not every vendor needs all 10 questions at equal depth—but critical vendors handling customer or regulated data should answer every item with evidence.


10 essential security questionnaire questions

1. What security certifications and standards do you adhere to?

Why ask: Frameworks like ISO/IEC 27001, SOC 2, and privacy regimes such as GDPR show the vendor has mapped controls to a recognized baseline—not ad hoc security theater.

Example strong answer:
“We maintain SOC 2 Type II (security and availability) with report date March 2026, and ISO 27001:2022 certification. GDPR DPA available on request. Reports shared under NDA via our trust portal.”

Red flags:
“We follow best practices” with no report, expired attestation, or refusal to share under NDA for enterprise deals.


2. How do you handle data encryption in transit and at rest?

Why ask: Encryption limits exposure if networks or storage are compromised. You need specifics on algorithms, key management, and scope (which data, which environments).

Example strong answer:
“TLS 1.2+ for data in transit; AES-256 at rest for production databases and object storage. Keys managed via cloud KMS with annual rotation and separation of duties for administrative access.”

Red flags:
“SSL encryption” without version or scope; no encryption at rest for sensitive categories; customer data in non-production without controls.


3. Can you provide details on your incident response plan?

Why ask: Breaches happen. A mature vendor can detect, contain, remediate, and notify on defined timelines.

Example strong answer:
“We maintain a documented IR plan tested annually. Roles include security lead, legal, and communications. Customer notification within contractually defined windows (e.g., 72 hours where GDPR applies). Post-incident reviews feed control improvements.”

Red flags:
No written plan; undefined notification timelines; no tabletop exercises; inability to describe forensic preservation steps.


4. How often do you conduct vulnerability assessments?

Why ask: New vulnerabilities appear daily. Frequency and scope show whether the vendor finds weaknesses before attackers do.

Example strong answer:
“Continuous automated scanning on production assets; quarterly authenticated scans; annual third-party penetration test. Critical findings remediated per SLA (e.g., 7 / 30 / 90 days by severity).”

Red flags:
“When needed” or annual-only unauthenticated scans for internet-facing SaaS; no remediation SLAs; pentest summaries not available to customers.


5. What are your access control policies?

Why ask: Access control limits who can touch your data. You need provisioning, MFA, least privilege, and offboarding.

Example strong answer:
“Role-based access with manager approval for production systems. MFA enforced for all workforce and admin accounts. Joiner/mover/leaver process within 24 hours for terminations. Quarterly access reviews for privileged roles.”

Red flags:
Shared admin accounts; no MFA on admin consoles; delayed deprovisioning; contractors with standing privileged access without review.


6. How do you ensure the security of third-party vendors and subcontractors?

Why ask: Your vendor’s vendors become your risk. Regulations often require flow-down of security and privacy obligations.

Example strong answer:
“We maintain a subprocessor register updated within 30 days of changes. Critical subprocessors undergo security review equivalent to our customer tiering. Contracts include security, breach notification, and audit clauses.”

Red flags:
“We don’t use subcontractors” for a cloud SaaS (unlikely); no subprocessor list; no contractual security terms with vendors handling customer data.

See the GDPR, NIS 2, and DORA third-party risk guide when financial-sector or EU ICT supply-chain obligations apply.


7. What are your policies regarding data retention and deletion?

Why ask: Retention defines how long your data lives and whether deletion is secure and provable—key for GDPR, CCPA, and contract exit.

Example strong answer:
“Retention follows customer contract and legal minimums. On termination, production data deleted within 90 days with certificate available; backups purged on rolling schedule. Legal hold process documented.”

Red flags:
Indefinite retention “for analytics”; no deletion SLA on contract exit; inability to explain backup retention vs production.


8. How do you manage and secure endpoints and devices?

Why ask: Laptops and mobile devices are common attack paths. Endpoint controls protect credentials and customer data on workforce devices.

Example strong answer:
“MDM on corporate devices; disk encryption; EDR deployed; OS patches within 14 days for critical CVEs; firewall and screen lock policies enforced.”

Red flags:
BYOD without controls for roles with production access; no patch cadence; antivirus-only posture for engineering staff with secrets access.


9. Please provide an example of a past security incident that impacted customers and how it was resolved.

Why ask: Past response predicts future behavior. Transparency (within reason) builds trust; evasion suggests immaturity.

Example strong answer:
“In 2024 we had a misconfigured storage bucket identified by internal monitoring within 4 hours. Affected customers notified per policy; root cause was IAM policy gap—we added automated drift detection and quarterly access reviews. Summary available under NDA.”

Red flags:
“We’ve never had an incident” for a mature SaaS with no detail; refusal to discuss any customer-impacting event; blame-shifting without remediation evidence.

Note: Absence of incidents is not proof of security—combine this question with independent attestations and technical evidence.


10. What training and awareness programs are in place for your employees?

Why ask: Humans cause most incidents. Training and phishing simulations show security culture, not only policies on paper.

Example strong answer:
“Annual security training for all staff; role-based modules for engineering and support; quarterly phishing simulations with remedial training for failures; secure coding training for SDLC roles.”

Red flags:
Onboarding-only training; no phishing program; no evidence of completion rates or escalation for repeat failures.


What to do if responses raise concerns

  1. Clarify in writing — Ask follow-ups tied to specific gaps (e.g., “Provide SOC 2 report date and scope” or “Define encryption at rest for tenant databases”).
  2. Request evidence — Policies, pentest summaries, subprocessors list, or certification reports under NDA.
  3. Re-tier the vendor — Increase monitoring, limit data scope, or require remediation milestones before production access.
  4. Escalate internally — Legal, security, and procurement should align on accept / remediate / reject.
  5. Consider alternatives — If answers stay vague after reasonable follow-up, another vendor may be lower risk than compensating controls.

Vendors are an extension of your program. Weak third-party posture becomes your audit finding, breach notification, and customer trust problem.


Automate vendor security reviews with SecureSlate

Asking the right questions is step one. Managing vendor risk at scale is step two.

SecureSlate helps teams run third-party risk and security reviews without endless email threads:

  • Vendor inventory and risk tiering so critical suppliers get deeper questionnaires
  • Structured assessments aligned to SOC 2, ISO 27001, HIPAA, GDPR, and custom control sets
  • Evidence collection and continuous monitoring through 200+ integrations
  • Action tracking with owners and due dates when vendors must remediate gaps
  • Questionnaire workflows to standardize reviews—and accelerate responses when customers send questionnaires to you

When prospects ask for your security posture, centralized evidence and repeatable answers shorten sales cycles—similar to publishing a trust center narrative without rebuilding answers from scratch each time.


FAQ

What is the difference between a security questionnaire and a SOC 2 report?

A questionnaire is your custom due diligence. A SOC 2 report is an independent auditor’s opinion on controls over a period. Use both—questionnaires fill gaps reports do not cover (subprocessors, retention, training).

How many questions should a vendor security questionnaire include?

Tier by risk. Low-risk vendors may need 15–25 questions; critical vendors often need 50+ plus evidence requests. These 10 questions are a core baseline for any vendor handling sensitive data.

Who should own the vendor security questionnaire process?

Typically security or GRC designs questions; procurement enforces timing; legal reviews contracts; business owners attest to vendor necessity and data scope.

Can we accept a vendor’s SOC 2 instead of a full questionnaire?

For some low-touch vendors, a current SOC 2 plus DPA may suffice. For high-risk processors, still ask targeted questions on subprocessors, retention, incidents, and AI use.

How often should we re-send security questionnaires?

Annually for critical vendors; on material change (new subprocessors, breach, major product pivot); and at contract renewal.

What if the vendor uses AI on our data?

Add questions on model training, subprocessors, human review, and regional compliance (EU AI Act, GDPR). See the AI vendor questionnaire.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute legal advice. Questionnaire content should be tailored to your industry, contracts, and regulatory obligations. Certification and incident examples are illustrative—verify all vendor claims independently before granting access to sensitive data.
