Photo: Unsplash
If you are building a vendor security questionnaire process from scratch, you do not need to start with a 1,500-question SIG. Most SaaS teams need a repeatable baseline that procurement, security, and auditors can trust—without blocking every low-risk tool purchase for six weeks.
This SIG-lite workbook gives you 30 scored questions across 10 control domains, auto-calculated risk ratings, and a vendor register so third-party reviews stay consistent from onboarding through renewal.
This guide covers:
- What a vendor security questionnaire is and when auditors expect one
- How SIG-lite compares to full SIG, CAIQ, and custom questionnaires
- A vendor tiering model so review depth matches data access and business impact
- A step-by-step workflow from intake to approval
- All 30 template questions by domain, plus scoring bands and evidence prompts
- How to pair completed questionnaires with SOC 2 report reviews

GIF via GIPHY
Related guides:
- learn tprm supply chain security
- red flag due diligence
- risk assessment template
- learn tprm vendor risk assessment process
- learn tprm how to review vendor soc report
Key takeaways
- A vendor security questionnaire standardizes how you assess third parties before procurement and on renewal—not ad hoc email threads.
- This SIG-lite workbook includes 30 questions across 10 domains with auto-calculated risk scores and Low / Medium / High / Critical ratings.
- Tier vendors first. A marketing analytics tool with no customer data should not get the same depth as your primary database host.
- The Vendor Summary tab tracks approval status, assessor, and next review dates in one register auditors can sample.
- Pair each completed file with the vendor's SOC 2 Type II report (or equivalent) and remediation tickets for any flagged gaps.
- SecureSlate helps automate vendor inventories, assessment workflows, and evidence collection so TPRM does not live in orphaned spreadsheets.
What is a vendor security questionnaire?
A vendor security questionnaire is a structured set of questions you send to a supplier before—or during—a business relationship to understand how they protect data, operate security controls, and respond to incidents.
It is the operational backbone of third-party risk management (TPRM). Instead of asking "is this vendor safe?" in a Slack thread, you document:
- What data the vendor can access
- Which security controls they operate
- What attestations they hold (SOC 2, ISO 27001, etc.)
- How they handle breaches, backups, and sub-processors
- Who approved the risk and when the next review is due
Auditors, enterprise customers, and regulators commonly expect proof that you assess vendors proportionally to risk—not that you reviewed everyone identically.
When you need a vendor security questionnaire
Send a questionnaire (or equivalent attestation review) when a vendor meets any of these triggers:
| Trigger | Typical examples | Review depth |
|---|---|---|
| New procurement | Cloud host, payment processor, HRIS, AI API | Full SIG-lite or higher for Tier 1–2 |
| Scope change | Vendor now stores customer PII, connects to production | Re-assess before contract amendment |
| Contract renewal | Annual SaaS renewal for in-scope tools | Refresh questionnaire + SOC report |
| Incident or breach | Vendor discloses security event | Targeted follow-up + remediation plan |
| Audit or customer review | SOC 2 Type II, ISO surveillance, enterprise DDQ | Produce completed file + evidence bundle |
| M&A or divestiture | Inherited vendor list | Inventory first, then tiered assessments |
If procurement is moving faster than security can review, use a conditional approval: allow limited pilot access while the questionnaire is in flight, with a hard deadline before production data flows.
SIG-lite vs full SIG and other formats
Teams often debate which questionnaire format to standardize on. Here is a practical comparison:
| Format | Question count | Best for | Trade-off |
|---|---|---|---|
| SIG-lite (this template) | ~30 | SaaS startups, initial screening, Tier 2–3 vendors | May not satisfy highly regulated enterprise DDQs alone |
| Full SIG (Shared Assessments) | 800+ | Banks, healthcare, Tier 1 critical vendors | Heavy for low-risk tools; long vendor turnaround |
| CAIQ (Consensus Assessments) | ~200+ | Cloud service providers, CSA STAR | Cloud-focused; less coverage for non-cloud vendors |
| Custom internal questionnaire | Varies | Mature TPRM programs with specific control library | Maintenance burden; harder to benchmark |
| SOC 2 report only | N/A (attestation) | Vendors with current Type II | Does not cover your unique data flows or sub-processor list |
Practical rule: Start with SIG-lite for screening. Escalate to full SIG, pen test review, or onsite assessment when the vendor is Tier 1, handles regulated data, or fails multiple scored questions.
Framework control mappings
This template aligns with common auditor expectations across major frameworks:
| Framework | Relevant control / criterion | How this template supports it |
|---|---|---|
| SOC 2 (TSC) | CC9.2 — vendor and business partner risk | Documented assessment, scoring, approval, renewal tracking |
| ISO 27001:2022 | A.5.19–A.5.22 — supplier relationships | Questionnaire responses + evidence prompts per domain |
| ISO 27001:2022 | A.5.23 — ICT supply chain | Third-Party Risk domain covers sub-processors |
| NIST CSF 2.0 | GV.SC — supply chain risk management | Tiering + register demonstrate risk-based approach |
| HIPAA | §164.308(b)(1) — business associate safeguards | Use for BAAs; pair with BAA terms and SOC report |
| GDPR | Art. 28 — processor due diligence | Document assessment before engaging processors |
| PCI DSS v4 | Req. 12.8 — service provider management | Tier payment processors; retain assessment evidence |
Store completed questionnaires in the same evidence library as your risk assessment template and vendor inventory so auditors see a connected program—not one-off files.
What makes this template useful
- SIG-lite coverage: Governance, access control, data security, vulnerability management, incident response, business continuity, compliance, third-party risk, physical security, and personnel security.
- Weighted scoring: Each question contributes to a total score; the
Scoringtab rolls results into Low, Medium, High, or Critical ratings with recommended actions. - Evidence prompts: The Notes / Evidence Required column tells assessors what to request—policy name, SOC 2 report, pen test summary, last review date.
- Vendor register: Track category, risk tier, assessment date, score %, next review, approver, and status in one place.
- Document control:
OverviewandVersion & Approvaltabs give auditors version history and sign-off—what makes a spreadsheet credible in fieldwork. - No lock-in: Excel format works offline, duplicates per vendor, and exports to PDF for customer security reviews.
Vendor tiering model
Do not send the same questionnaire depth to every SaaS login. Tier vendors by data sensitivity and business impact, then match review effort:
| Tier | Data access profile | Examples | Questionnaire depth | Re-assessment cadence |
|---|---|---|---|---|
| Tier 1 — Critical | Customer PII/PHI, production data, auth, payments | Primary DB, IdP, payment gateway, core AI with customer data | SIG-lite + SOC 2 Type II + contract review; consider full SIG | Annually |
| Tier 2 — High | Internal business data, limited customer metadata | CRM, support desk, analytics with pseudonymized data | SIG-lite + SOC 2 or ISO cert | Every 12–18 months |
| Tier 3 — Medium | No customer data; employee or operational data | HR tools, expense software, internal wiki | Abbreviated SIG-lite or security page + privacy policy | Every 2 years |
| Tier 4 — Low | No sensitive data; easily replaceable | Stock photos, social scheduling, dev utilities | Vendor trust page / SOC 3 / questionnaire waiver with approval | On change or every 3 years |
Record the tier in the Vendor Summary tab before sending questions. If a Tier 4 vendor later gains access to customer data, re-tier and re-assess immediately.
Download the template
- Download: Vendor Security Questionnaire (XLSX)
How to deploy:
- Save a master copy; duplicate the file (or
Questionnairetab) per vendor assessment. - Fill document control on
Overviewand set vendor name on theScoringtab. - Send questions to the vendor security contact—or complete internally if you are reviewing their SOC 2 report against the same control areas.
- File the completed workbook in your evidence library with the vendor's attestation reports.
Step-by-step assessment workflow
Use this eight-step workflow for every in-scope vendor:
- Intake — Procurement or engineering submits vendor name, purpose, data types, and integration scope.
- Tier — Security or GRC assigns Tier 1–4 using the model above; record in
Vendor Summary. - Select format — SIG-lite for most vendors; escalate format for Tier 1 or regulated data.
- Send questionnaire — Include deadline (typically 10–15 business days), point of contact, and evidence upload instructions.
- Score responses — Mark Yes/No/N/A, set Risk Flag on gaps, capture evidence in Notes column.
- Review attestation — Cross-check answers against SOC 2, ISO certificate, or pen test summary.
- Decision — Approve, approve with conditions, or reject based on
Scoringtab rating; document approver. - Monitor and renew — Set
Next Reviewdate; re-assess on renewal, scope change, or incident.
Flag any Risk Flag = Yes row for remediation tracking. Do not mark a vendor Approved until gaps have compensating controls, a remediation plan with due dates, or executive sign-off for accepted risk.
Tab-by-tab walkthrough
Overview
Document control for the assessment program: organization name, document owner, version, classification, and review dates. Set this once on your master template so every vendor file inherits consistent metadata.
Version & Approval
Version history table plus approval sign-off rows for Prepared By, Security Team, Legal/DPO, CISO, and Executive Sponsor. Auditors sample this tab to confirm management oversight of the vendor risk process.
Questionnaire
The working tab. Columns include #, Domain, Question, Response, Yes/No/N/A, Risk Flag, Notes / Evidence Required, and Score. Work top to bottom; do not skip evidence prompts—even a "Yes" answer should cite the artifact (policy name, report date, etc.).
Scoring
Auto-calculated summary: Total Possible Score, Score Achieved, Score %, and Risk Rating. Fill Vendor Name, Assessment Date, and Assessor before sharing results with procurement.
Rating bands in the template:
| Score % | Rating | Recommended action |
|---|---|---|
| ≥ 90% | Low Risk | Proceed with standard monitoring |
| 75–89% | Medium Risk | Proceed with enhanced monitoring |
| 50–74% | High Risk | Remediation plan required before approval |
| < 50% | Critical Risk | Do not engage without executive approval |
Vendor Summary
Your vendor register. Track Vendor Name, Category, Risk Tier, Assessment Date, Score %, Risk Rating, Next Review, Approved By, and Status (Approved, Under Review, Rejected). Sample rows are included—replace with your production vendor list.
Domain and question reference
The template contains 30 questions across these domains. Use this reference when scoping assessments or briefing procurement on what vendors will be asked.
Governance (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 1 | Does the vendor have a documented Information Security Policy? | Policy name and last review date |
| 2 | Is there a designated CISO or security lead? | Name and title |
| 3 | Does the vendor have a risk management program? | Process description and cadence |
Access control (4 questions)
| # | Question | Evidence to request |
|---|---|---|
| 4 | Is MFA enforced for all remote access? | MFA solution used |
| 5 | Are privileged accounts reviewed quarterly? | Last review date |
| 6 | Is access provisioning tied to a formal onboarding process? | Process description |
| 7 | Are access rights revoked within 24 hours of termination? | Offboarding process |
Data security (4 questions)
| # | Question | Evidence to request |
|---|---|---|
| 8 | Is customer data encrypted at rest (AES-256 or equivalent)? | Encryption approach |
| 9 | Is data encrypted in transit (TLS 1.2+)? | TLS version |
| 10 | Does the vendor have a data classification policy? | Classification tiers |
| 11 | Are data retention and deletion procedures documented? | Policy document |
Vulnerability management (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 12 | Is there a formal patch management process? | SLA for critical patches |
| 13 | Are vulnerability scans performed at least quarterly? | Last scan date |
| 14 | Is penetration testing performed annually? | Last pentest date and scope |
Incident response (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 15 | Does the vendor have a documented Incident Response Plan? | Copy of IR plan |
| 16 | What is the vendor's breach notification timeline? | SLA (e.g., 72 hours) |
| 17 | Has the vendor experienced a security incident in the last 24 months? | Summary if yes |
Business continuity (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 18 | Does the vendor have a Business Continuity Plan? | Last test date |
| 19 | What is the vendor's target RTO? | RTO commitment |
| 20 | Are backups tested at least annually? | Last restoration test date |
Compliance (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 21 | Does the vendor hold SOC 2 Type II certification? | Current SOC 2 report |
| 22 | Is the vendor ISO 27001 certified? | Certificate |
| 23 | Does the vendor comply with applicable data protection regulations? | List of regulations |
Third-party risk (2 questions)
| # | Question | Evidence to request |
|---|---|---|
| 24 | Does the vendor conduct security reviews of their sub-processors? | Process description |
| 25 | Are sub-processors disclosed to customers? | List of key sub-processors |
Physical security (2 questions)
| # | Question | Evidence to request |
|---|---|---|
| 26 | Are data centres certified (e.g., SOC 2, ISO 27001, Tier III+)? | Certification details |
| 27 | Is physical access to sensitive areas controlled and logged? | Access control description |
Personnel and security training (3 questions)
| # | Question | Evidence to request |
|---|---|---|
| 28 | Is mandatory security awareness training provided to all staff? | Training cadence |
| 29 | Is phishing simulation conducted at least annually? | Last simulation date |
| 30 | Are background checks conducted for staff with data access? | Screening process |
Scoring methodology
Each question carries a weighted score when answered Yes (full credit), No (zero credit), or N/A (typically excluded from denominator—confirm your program policy). The Scoring tab calculates:
- Total Possible Score — sum of applicable question weights
- Score Achieved — sum of earned points
- Score % — achieved ÷ possible
- Risk Rating — mapped to Low / Medium / High / Critical bands
How to use scores in decisions:
- Low (≥ 90%) — Standard contract terms; annual monitoring.
- Medium (75–89%) — Approve with enhanced monitoring; verify flagged items within 90 days.
- High (50–74%) — Require remediation plan with owners and due dates before production access.
- Critical (< 50%) — Escalate to CISO and executive sponsor; do not proceed without documented risk acceptance.
Scores are a decision aid, not a substitute for judgment. A vendor scoring 85% with a failed breach-notification question may still be unacceptable for Tier 1 processing.
Evidence checklist by vendor tier
Minimum evidence to collect alongside the completed questionnaire:
| Evidence artifact | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Completed SIG-lite workbook | ✅ | ✅ | ✅ | Optional |
| SOC 2 Type II (or equivalent) | ✅ Current | ✅ | If available | Optional |
| ISO 27001 certificate | If claimed | If claimed | Optional | — |
| Pen test executive summary | ✅ Annual | If available | — | — |
| Sub-processor list | ✅ | ✅ | If data processed | — |
| Signed DPA / BAA | ✅ | ✅ | If PII | — |
| Insurance certificate (cyber) | ✅ | Optional | — | — |
| Remediation tickets for gaps | ✅ | ✅ | If gaps | — |
Store artifacts in a single vendor folder named {vendor}-{assessment-date} so audit sampling takes minutes, not days.
Pair the questionnaire with a SOC 2 report review
A questionnaire tells you what the vendor claims. A SOC 2 Type II report tells you what an auditor observed over a review period. Use both:
- Map domains — Align questionnaire rows to SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, etc.).
- Cross-check exceptions — If the vendor answered "Yes" to encryption but the SOC report lists a carve-out, flag the discrepancy.
- Verify period — SOC 2 coverage must overlap your contract period; stale reports (>12 months past period end) trigger re-request.
- Read the bridge letter — Confirm no material changes since the report period.
- Track CUECs — Customer User Entity Controls are your responsibilities; document how you meet them.
See how to review a vendor SOC report for a full walkthrough.
How to use it as audit evidence
| What auditors look for | Where it lives in the template |
|---|---|
| Documented vendor assessment process | Completed Questionnaire per in-scope vendor |
| Risk-based tiering and review depth | Risk Tier column in Vendor Summary |
| Scoring methodology and decisions | Scoring tab + Status / Approved By columns |
| Renewal and ongoing monitoring | Next Review dates + dated re-assessments |
| Management oversight | Version & Approval sign-off |
| Exception and remediation handling | Risk Flag rows + linked tickets in Notes |
Audit tip: Export the Vendor Summary tab as PDF quarterly and attach it to your management review minutes. Auditors commonly sample 3–5 vendors—have files ready for Tier 1 and any vendor with open remediation.
Common mistakes
- Sending the full SIG to every vendor regardless of data access—burns vendor goodwill and your team's capacity.
- No tiering before assessment — leads to identical review depth for CDN and payroll processor.
- Risk Flag cells ignored — gaps logged but never remediated or accepted by leadership.
- Register not updated when contracts renew, scope expands, or vendors are offboarded.
- Scores reviewed once with no link to procurement approval or contract signature.
- Questionnaire-only reviews without reading the SOC 2 report—or vice versa.
- Stale assessments — file dated 18 months ago presented as current evidence.
- No named assessor or approver — auditors cannot verify who made the risk decision.
- Spreadsheet sprawl — duplicate files with no master register; use
Vendor Summaryas the single source of truth. - Conditional approvals without expiry — pilot access becomes production with no follow-up.
How SecureSlate helps
Spreadsheets work for early-stage TPRM. They break down when you have dozens of vendors, multiple frameworks, and enterprise customers requesting the same evidence every quarter.
SecureSlate centralizes vendor inventories, tiering, assessment workflows, and evidence collection so third-party risk stays current between renewals—not just before audit season.
- Vendor inventory with automatic tier suggestions based on data classification
- Questionnaire workflows with reminders, status tracking, and approval routing
- SOC report and evidence storage linked to each vendor record
- Renewal triggers when reports expire or contracts approach end date
- Audit-ready exports that connect vendor evidence to SOC 2 CC9.2 and ISO 27001 supplier controls
FAQ
Is SIG-lite enough for enterprise customers?
Often yes for initial screening and Tier 2–3 vendors. Enterprise DDQs may require additional questions, full SIG responses, or pen test summaries for Tier 1 suppliers.
How often should we re-assess vendors?
Many teams review Tier 1 annually, Tier 2 every 12–18 months, and Tier 3–4 every two to three years—or immediately on scope change or security incident.
Who approves vendor risk exceptions?
Typically the CISO or security lead, with legal and procurement for contract terms. Critical-risk vendors (< 50% score) commonly need executive sponsor sign-off.
Can we use this instead of a SOC 2 report?
No. The questionnaire complements attestation reports; it does not replace them for Tier 1 vendors handling customer data.
What if a vendor refuses to complete the questionnaire?
For Tier 1–2 vendors, treat refusal as a red flag per red flag due diligence. For Tier 4, a public trust page plus SOC 3 may suffice with documented approval.
How long should vendors have to respond?
10–15 business days is standard for SIG-lite. Tier 1 engagements may allow 3–4 weeks when coordinating SOC report sharing under NDA.
Should we score N/A responses?
Define policy upfront. Common practice: exclude N/A from the denominator when the question genuinely does not apply (e.g., physical security for a serverless-only vendor).
Does this template cover AI vendors?
The baseline questions apply. For LLM and AI API providers, add questions on training data use, model retention, prompt logging, and sub-processor chains—especially under EU AI Act compliance planning and customer AI governance requirements.
Who owns the vendor register day to day?
Typically security or GRC, with procurement submitting intake and system owners validating business justification.
Can auditors accept Excel evidence?
Yes, when document control, version history, and approver sign-off are complete. PDF exports with evidence attachments strengthen the audit trail.
Disclaimer (legal note)
This article is for general information only and is not legal, regulatory, or professional advice. Requirements vary by framework, industry, and jurisdiction. Consult qualified advisors for your specific obligations.
Need compliance without the complexity?
SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.
No credit card required
