Back to Templates

Vendor Security Questionnaire Template: Free SIG-lite Excel Download

Vendor security questionnaire template hero Photo: Unsplash

If you are building a vendor security questionnaire process from scratch, you do not need to start with a 1,500-question SIG. Most SaaS teams need a repeatable baseline that procurement, security, and auditors can trust—without blocking every low-risk tool purchase for six weeks.

This SIG-lite workbook gives you 30 scored questions across 10 control domains, auto-calculated risk ratings, and a vendor register so third-party reviews stay consistent from onboarding through renewal.

This guide covers:

  • What a vendor security questionnaire is and when auditors expect one
  • How SIG-lite compares to full SIG, CAIQ, and custom questionnaires
  • A vendor tiering model so review depth matches data access and business impact
  • A step-by-step workflow from intake to approval
  • All 30 template questions by domain, plus scoring bands and evidence prompts
  • How to pair completed questionnaires with SOC 2 report reviews

Vendor security review paperwork

GIF via GIPHY

Related guides:

Key takeaways

  • A vendor security questionnaire standardizes how you assess third parties before procurement and on renewal—not ad hoc email threads.
  • This SIG-lite workbook includes 30 questions across 10 domains with auto-calculated risk scores and Low / Medium / High / Critical ratings.
  • Tier vendors first. A marketing analytics tool with no customer data should not get the same depth as your primary database host.
  • The Vendor Summary tab tracks approval status, assessor, and next review dates in one register auditors can sample.
  • Pair each completed file with the vendor's SOC 2 Type II report (or equivalent) and remediation tickets for any flagged gaps.
  • SecureSlate helps automate vendor inventories, assessment workflows, and evidence collection so TPRM does not live in orphaned spreadsheets.

What is a vendor security questionnaire?

A vendor security questionnaire is a structured set of questions you send to a supplier before—or during—a business relationship to understand how they protect data, operate security controls, and respond to incidents.

It is the operational backbone of third-party risk management (TPRM). Instead of asking "is this vendor safe?" in a Slack thread, you document:

  • What data the vendor can access
  • Which security controls they operate
  • What attestations they hold (SOC 2, ISO 27001, etc.)
  • How they handle breaches, backups, and sub-processors
  • Who approved the risk and when the next review is due

Auditors, enterprise customers, and regulators commonly expect proof that you assess vendors proportionally to risk—not that you reviewed everyone identically.

When you need a vendor security questionnaire

Send a questionnaire (or equivalent attestation review) when a vendor meets any of these triggers:

Trigger Typical examples Review depth
New procurement Cloud host, payment processor, HRIS, AI API Full SIG-lite or higher for Tier 1–2
Scope change Vendor now stores customer PII, connects to production Re-assess before contract amendment
Contract renewal Annual SaaS renewal for in-scope tools Refresh questionnaire + SOC report
Incident or breach Vendor discloses security event Targeted follow-up + remediation plan
Audit or customer review SOC 2 Type II, ISO surveillance, enterprise DDQ Produce completed file + evidence bundle
M&A or divestiture Inherited vendor list Inventory first, then tiered assessments

If procurement is moving faster than security can review, use a conditional approval: allow limited pilot access while the questionnaire is in flight, with a hard deadline before production data flows.

SIG-lite vs full SIG and other formats

Teams often debate which questionnaire format to standardize on. Here is a practical comparison:

Format Question count Best for Trade-off
SIG-lite (this template) ~30 SaaS startups, initial screening, Tier 2–3 vendors May not satisfy highly regulated enterprise DDQs alone
Full SIG (Shared Assessments) 800+ Banks, healthcare, Tier 1 critical vendors Heavy for low-risk tools; long vendor turnaround
CAIQ (Consensus Assessments) ~200+ Cloud service providers, CSA STAR Cloud-focused; less coverage for non-cloud vendors
Custom internal questionnaire Varies Mature TPRM programs with specific control library Maintenance burden; harder to benchmark
SOC 2 report only N/A (attestation) Vendors with current Type II Does not cover your unique data flows or sub-processor list

Practical rule: Start with SIG-lite for screening. Escalate to full SIG, pen test review, or onsite assessment when the vendor is Tier 1, handles regulated data, or fails multiple scored questions.

Framework control mappings

This template aligns with common auditor expectations across major frameworks:

Framework Relevant control / criterion How this template supports it
SOC 2 (TSC) CC9.2 — vendor and business partner risk Documented assessment, scoring, approval, renewal tracking
ISO 27001:2022 A.5.19–A.5.22 — supplier relationships Questionnaire responses + evidence prompts per domain
ISO 27001:2022 A.5.23 — ICT supply chain Third-Party Risk domain covers sub-processors
NIST CSF 2.0 GV.SC — supply chain risk management Tiering + register demonstrate risk-based approach
HIPAA §164.308(b)(1) — business associate safeguards Use for BAAs; pair with BAA terms and SOC report
GDPR Art. 28 — processor due diligence Document assessment before engaging processors
PCI DSS v4 Req. 12.8 — service provider management Tier payment processors; retain assessment evidence

Store completed questionnaires in the same evidence library as your risk assessment template and vendor inventory so auditors see a connected program—not one-off files.

What makes this template useful

  • SIG-lite coverage: Governance, access control, data security, vulnerability management, incident response, business continuity, compliance, third-party risk, physical security, and personnel security.
  • Weighted scoring: Each question contributes to a total score; the Scoring tab rolls results into Low, Medium, High, or Critical ratings with recommended actions.
  • Evidence prompts: The Notes / Evidence Required column tells assessors what to request—policy name, SOC 2 report, pen test summary, last review date.
  • Vendor register: Track category, risk tier, assessment date, score %, next review, approver, and status in one place.
  • Document control: Overview and Version & Approval tabs give auditors version history and sign-off—what makes a spreadsheet credible in fieldwork.
  • No lock-in: Excel format works offline, duplicates per vendor, and exports to PDF for customer security reviews.

Vendor tiering model

Do not send the same questionnaire depth to every SaaS login. Tier vendors by data sensitivity and business impact, then match review effort:

Tier Data access profile Examples Questionnaire depth Re-assessment cadence
Tier 1 — Critical Customer PII/PHI, production data, auth, payments Primary DB, IdP, payment gateway, core AI with customer data SIG-lite + SOC 2 Type II + contract review; consider full SIG Annually
Tier 2 — High Internal business data, limited customer metadata CRM, support desk, analytics with pseudonymized data SIG-lite + SOC 2 or ISO cert Every 12–18 months
Tier 3 — Medium No customer data; employee or operational data HR tools, expense software, internal wiki Abbreviated SIG-lite or security page + privacy policy Every 2 years
Tier 4 — Low No sensitive data; easily replaceable Stock photos, social scheduling, dev utilities Vendor trust page / SOC 3 / questionnaire waiver with approval On change or every 3 years

Record the tier in the Vendor Summary tab before sending questions. If a Tier 4 vendor later gains access to customer data, re-tier and re-assess immediately.

Download the template

How to deploy:

  1. Save a master copy; duplicate the file (or Questionnaire tab) per vendor assessment.
  2. Fill document control on Overview and set vendor name on the Scoring tab.
  3. Send questions to the vendor security contact—or complete internally if you are reviewing their SOC 2 report against the same control areas.
  4. File the completed workbook in your evidence library with the vendor's attestation reports.

Step-by-step assessment workflow

Use this eight-step workflow for every in-scope vendor:

  1. Intake — Procurement or engineering submits vendor name, purpose, data types, and integration scope.
  2. Tier — Security or GRC assigns Tier 1–4 using the model above; record in Vendor Summary.
  3. Select format — SIG-lite for most vendors; escalate format for Tier 1 or regulated data.
  4. Send questionnaire — Include deadline (typically 10–15 business days), point of contact, and evidence upload instructions.
  5. Score responses — Mark Yes/No/N/A, set Risk Flag on gaps, capture evidence in Notes column.
  6. Review attestation — Cross-check answers against SOC 2, ISO certificate, or pen test summary.
  7. Decision — Approve, approve with conditions, or reject based on Scoring tab rating; document approver.
  8. Monitor and renew — Set Next Review date; re-assess on renewal, scope change, or incident.

Flag any Risk Flag = Yes row for remediation tracking. Do not mark a vendor Approved until gaps have compensating controls, a remediation plan with due dates, or executive sign-off for accepted risk.

Tab-by-tab walkthrough

Overview

Document control for the assessment program: organization name, document owner, version, classification, and review dates. Set this once on your master template so every vendor file inherits consistent metadata.

Version & Approval

Version history table plus approval sign-off rows for Prepared By, Security Team, Legal/DPO, CISO, and Executive Sponsor. Auditors sample this tab to confirm management oversight of the vendor risk process.

Questionnaire

The working tab. Columns include #, Domain, Question, Response, Yes/No/N/A, Risk Flag, Notes / Evidence Required, and Score. Work top to bottom; do not skip evidence prompts—even a "Yes" answer should cite the artifact (policy name, report date, etc.).

Scoring

Auto-calculated summary: Total Possible Score, Score Achieved, Score %, and Risk Rating. Fill Vendor Name, Assessment Date, and Assessor before sharing results with procurement.

Rating bands in the template:

Score % Rating Recommended action
≥ 90% Low Risk Proceed with standard monitoring
75–89% Medium Risk Proceed with enhanced monitoring
50–74% High Risk Remediation plan required before approval
< 50% Critical Risk Do not engage without executive approval

Vendor Summary

Your vendor register. Track Vendor Name, Category, Risk Tier, Assessment Date, Score %, Risk Rating, Next Review, Approved By, and Status (Approved, Under Review, Rejected). Sample rows are included—replace with your production vendor list.

Domain and question reference

The template contains 30 questions across these domains. Use this reference when scoping assessments or briefing procurement on what vendors will be asked.

Governance (3 questions)

# Question Evidence to request
1 Does the vendor have a documented Information Security Policy? Policy name and last review date
2 Is there a designated CISO or security lead? Name and title
3 Does the vendor have a risk management program? Process description and cadence

Access control (4 questions)

# Question Evidence to request
4 Is MFA enforced for all remote access? MFA solution used
5 Are privileged accounts reviewed quarterly? Last review date
6 Is access provisioning tied to a formal onboarding process? Process description
7 Are access rights revoked within 24 hours of termination? Offboarding process

Data security (4 questions)

# Question Evidence to request
8 Is customer data encrypted at rest (AES-256 or equivalent)? Encryption approach
9 Is data encrypted in transit (TLS 1.2+)? TLS version
10 Does the vendor have a data classification policy? Classification tiers
11 Are data retention and deletion procedures documented? Policy document

Vulnerability management (3 questions)

# Question Evidence to request
12 Is there a formal patch management process? SLA for critical patches
13 Are vulnerability scans performed at least quarterly? Last scan date
14 Is penetration testing performed annually? Last pentest date and scope

Incident response (3 questions)

# Question Evidence to request
15 Does the vendor have a documented Incident Response Plan? Copy of IR plan
16 What is the vendor's breach notification timeline? SLA (e.g., 72 hours)
17 Has the vendor experienced a security incident in the last 24 months? Summary if yes

Business continuity (3 questions)

# Question Evidence to request
18 Does the vendor have a Business Continuity Plan? Last test date
19 What is the vendor's target RTO? RTO commitment
20 Are backups tested at least annually? Last restoration test date

Compliance (3 questions)

# Question Evidence to request
21 Does the vendor hold SOC 2 Type II certification? Current SOC 2 report
22 Is the vendor ISO 27001 certified? Certificate
23 Does the vendor comply with applicable data protection regulations? List of regulations

Third-party risk (2 questions)

# Question Evidence to request
24 Does the vendor conduct security reviews of their sub-processors? Process description
25 Are sub-processors disclosed to customers? List of key sub-processors

Physical security (2 questions)

# Question Evidence to request
26 Are data centres certified (e.g., SOC 2, ISO 27001, Tier III+)? Certification details
27 Is physical access to sensitive areas controlled and logged? Access control description

Personnel and security training (3 questions)

# Question Evidence to request
28 Is mandatory security awareness training provided to all staff? Training cadence
29 Is phishing simulation conducted at least annually? Last simulation date
30 Are background checks conducted for staff with data access? Screening process

Scoring methodology

Each question carries a weighted score when answered Yes (full credit), No (zero credit), or N/A (typically excluded from denominator—confirm your program policy). The Scoring tab calculates:

  • Total Possible Score — sum of applicable question weights
  • Score Achieved — sum of earned points
  • Score % — achieved ÷ possible
  • Risk Rating — mapped to Low / Medium / High / Critical bands

How to use scores in decisions:

  • Low (≥ 90%) — Standard contract terms; annual monitoring.
  • Medium (75–89%) — Approve with enhanced monitoring; verify flagged items within 90 days.
  • High (50–74%) — Require remediation plan with owners and due dates before production access.
  • Critical (< 50%) — Escalate to CISO and executive sponsor; do not proceed without documented risk acceptance.

Scores are a decision aid, not a substitute for judgment. A vendor scoring 85% with a failed breach-notification question may still be unacceptable for Tier 1 processing.

Evidence checklist by vendor tier

Minimum evidence to collect alongside the completed questionnaire:

Evidence artifact Tier 1 Tier 2 Tier 3 Tier 4
Completed SIG-lite workbook Optional
SOC 2 Type II (or equivalent) ✅ Current If available Optional
ISO 27001 certificate If claimed If claimed Optional
Pen test executive summary ✅ Annual If available
Sub-processor list If data processed
Signed DPA / BAA If PII
Insurance certificate (cyber) Optional
Remediation tickets for gaps If gaps

Store artifacts in a single vendor folder named {vendor}-{assessment-date} so audit sampling takes minutes, not days.

Pair the questionnaire with a SOC 2 report review

A questionnaire tells you what the vendor claims. A SOC 2 Type II report tells you what an auditor observed over a review period. Use both:

  1. Map domains — Align questionnaire rows to SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, etc.).
  2. Cross-check exceptions — If the vendor answered "Yes" to encryption but the SOC report lists a carve-out, flag the discrepancy.
  3. Verify period — SOC 2 coverage must overlap your contract period; stale reports (>12 months past period end) trigger re-request.
  4. Read the bridge letter — Confirm no material changes since the report period.
  5. Track CUECs — Customer User Entity Controls are your responsibilities; document how you meet them.

See how to review a vendor SOC report for a full walkthrough.

How to use it as audit evidence

What auditors look for Where it lives in the template
Documented vendor assessment process Completed Questionnaire per in-scope vendor
Risk-based tiering and review depth Risk Tier column in Vendor Summary
Scoring methodology and decisions Scoring tab + Status / Approved By columns
Renewal and ongoing monitoring Next Review dates + dated re-assessments
Management oversight Version & Approval sign-off
Exception and remediation handling Risk Flag rows + linked tickets in Notes

Audit tip: Export the Vendor Summary tab as PDF quarterly and attach it to your management review minutes. Auditors commonly sample 3–5 vendors—have files ready for Tier 1 and any vendor with open remediation.

Common mistakes

  • Sending the full SIG to every vendor regardless of data access—burns vendor goodwill and your team's capacity.
  • No tiering before assessment — leads to identical review depth for CDN and payroll processor.
  • Risk Flag cells ignored — gaps logged but never remediated or accepted by leadership.
  • Register not updated when contracts renew, scope expands, or vendors are offboarded.
  • Scores reviewed once with no link to procurement approval or contract signature.
  • Questionnaire-only reviews without reading the SOC 2 report—or vice versa.
  • Stale assessments — file dated 18 months ago presented as current evidence.
  • No named assessor or approver — auditors cannot verify who made the risk decision.
  • Spreadsheet sprawl — duplicate files with no master register; use Vendor Summary as the single source of truth.
  • Conditional approvals without expiry — pilot access becomes production with no follow-up.

How SecureSlate helps

Spreadsheets work for early-stage TPRM. They break down when you have dozens of vendors, multiple frameworks, and enterprise customers requesting the same evidence every quarter.

SecureSlate centralizes vendor inventories, tiering, assessment workflows, and evidence collection so third-party risk stays current between renewals—not just before audit season.

  • Vendor inventory with automatic tier suggestions based on data classification
  • Questionnaire workflows with reminders, status tracking, and approval routing
  • SOC report and evidence storage linked to each vendor record
  • Renewal triggers when reports expire or contracts approach end date
  • Audit-ready exports that connect vendor evidence to SOC 2 CC9.2 and ISO 27001 supplier controls

Get started for free

FAQ

Is SIG-lite enough for enterprise customers?
Often yes for initial screening and Tier 2–3 vendors. Enterprise DDQs may require additional questions, full SIG responses, or pen test summaries for Tier 1 suppliers.

How often should we re-assess vendors?
Many teams review Tier 1 annually, Tier 2 every 12–18 months, and Tier 3–4 every two to three years—or immediately on scope change or security incident.

Who approves vendor risk exceptions?
Typically the CISO or security lead, with legal and procurement for contract terms. Critical-risk vendors (< 50% score) commonly need executive sponsor sign-off.

Can we use this instead of a SOC 2 report?
No. The questionnaire complements attestation reports; it does not replace them for Tier 1 vendors handling customer data.

What if a vendor refuses to complete the questionnaire?
For Tier 1–2 vendors, treat refusal as a red flag per red flag due diligence. For Tier 4, a public trust page plus SOC 3 may suffice with documented approval.

How long should vendors have to respond?
10–15 business days is standard for SIG-lite. Tier 1 engagements may allow 3–4 weeks when coordinating SOC report sharing under NDA.

Should we score N/A responses?
Define policy upfront. Common practice: exclude N/A from the denominator when the question genuinely does not apply (e.g., physical security for a serverless-only vendor).

Does this template cover AI vendors?
The baseline questions apply. For LLM and AI API providers, add questions on training data use, model retention, prompt logging, and sub-processor chains—especially under EU AI Act compliance planning and customer AI governance requirements.

Who owns the vendor register day to day?
Typically security or GRC, with procurement submitting intake and system owners validating business justification.

Can auditors accept Excel evidence?
Yes, when document control, version history, and approver sign-off are complete. PDF exports with evidence attachments strengthen the audit trail.

Disclaimer (legal note)

This article is for general information only and is not legal, regulatory, or professional advice. Requirements vary by framework, industry, and jurisdiction. Consult qualified advisors for your specific obligations.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under:

Author: SecureSlate Team

4.8(201 reviews)

Keep reading

Jul 7, 2026 · TemplatesISO 27001

ISO 27001 Statement of Applicability Template: Free SoA Excel Download

Jul 5, 2026 · GRC

Acceptable Use Policy: template, requirements, and audit evidence for 2026

Jul 5, 2026 · GRC

AI Governance Policy: template, requirements, and audit evidence for 2026

View more posts
Jamie
Virtual Agent

Hi! I'm Jamie. Curious about your current compliance challenges and how automation might help your team?