3 tiers
of vendor risk: Tier 1 (regulated data or privileged access -- full SIG or equivalent), Tier 2 (business-critical non-sensitive access -- 30-question abbreviated), Tier 3 (no data access, commodity services -- security ratings monitoring only)
30 questions
is the target for a Tier 2 abbreviated questionnaire -- enough to cover the eight control domains that predict breach risk (access control, patch management, incident response, encryption, MFA, logging, backup, and subprocessor management)
evidence correlation
catches 25 to 40% of questionnaire responses that conflict with external scan data -- vendors who claim to have no publicly exposed RDP are found via Shodan with RDP open on their infrastructure
annual assessment
is the wrong cadence for Tier 1 vendors -- continuous monitoring for certificate expiry, security rating changes, breach intelligence, and external exposure changes provides between-assessment risk signals that annual snapshots miss entirely

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Annual vendor questionnaires fail at the function they are supposed to serve. A questionnaire completed in January reflects the vendor's security posture in January. By the time the next assessment cycle runs, the vendor may have changed cloud providers, hired a new CISO, suffered a breach, or left port 3389 open to the internet for six months. The questionnaire captured none of it.

The problem is not the questionnaire itself -- it is the model. Point-in-time assessment of dynamic risk produces point-in-time data. The investment in sending, following up on, and reviewing a 300-question SIG is wasted when the result is a one-year-old snapshot filed in a GRC platform that nobody checks between assessment cycles.

The vendor risk program that produces usable risk data has three characteristics the annual questionnaire model lacks: it calibrates depth to risk (Tier 1 vendors get the full assessment; Tier 3 commodity vendors get automated monitoring only), it correlates questionnaire responses against external evidence (a vendor who claims no exposed RDP should not show up on Shodan with open port 3389), and it monitors continuously so that changes between assessment cycles are visible.

This guide covers how to build the inherent risk classification, what 30 questions cover the control domains that predict breach risk for a Tier 2 abbreviated assessment, how to automate scoring and follow-up, how to correlate questionnaire responses with external data, and how to set up continuous monitoring that replaces the annual re-assessment for lower-risk vendors.

Inherent Risk Classification: What Triggers Full vs. Abbreviated Assessment

Inherent risk classification determines how much assessment effort a vendor receives before you accept the risk of working with them. Classification happens before any questionnaire is sent.

Tier 1: Full assessment required. Vendors who process regulated data (PII, PHI, financial records, cardholder data), have privileged access to your systems (identity providers, endpoint management, network infrastructure), or provide critical business services where a breach would create legal exposure or material business impact. Full SIG questionnaire (or CAIQ for cloud providers), SOC 2 Type II review, evidence collection, and annual re-assessment. Examples: HR system, ERP, cloud identity provider, network security vendors with system access.

Tier 2: Abbreviated assessment. Vendors with business-critical access but not regulated data -- they can impact operations but not create regulatory liability. 30-question abbreviated questionnaire scored automatically, annual re-assessment with delta review (only the changed answers require review), and automated monitoring between cycles. Examples: project management tools with internal project data, communication platforms without regulated data, SaaS analytics tools.

Tier 3: Monitoring only. Vendors with no access to your data or systems -- commodity services, marketing platforms, conference registration tools. No questionnaire. Automated monitoring for breach intelligence and security rating changes. If a Tier 3 vendor's security rating drops significantly or they appear in breach intelligence, re-classify to Tier 2 and initiate assessment. Examples: website analytics, conference management, social media scheduling.

Classification criteria checklist (answer yes/no for each vendor):

  • Does the vendor process, transmit, or store regulated data (PII, PHI, PCI)?
  • Does the vendor have privileged access to your production systems?
  • Would a vendor breach require regulatory notification?
  • Would a vendor outage materially impact revenue or operations?
  • Does the vendor access systems that themselves process regulated data?

Two or more "yes" answers = Tier 1. One "yes" = Tier 2. Zero = Tier 3.

Question Bank Design: Thirty Questions That Cover What Matters

A 300-question SIG applied to a Tier 2 vendor produces two problems: low completion rates (vendors de-prioritize questionnaires that look like a multi-day project) and high review burden (reviewing 300 answers per vendor across dozens of vendors is not a function a small GRC team can sustain).

The 30-question abbreviated questionnaire covers the eight control domains that evidence predicts vendor breach likelihood. These are not the eight domains the SIG covers -- they are the eight that researchers have correlated with breach frequency in third-party risk data.

1. Access control and MFA (5 questions): Is MFA enforced for all privileged access? For all remote access? For all access to systems that process your data? Is access reviewed quarterly? Is offboarding completed within 24 hours of termination?

2. Patch management (4 questions): What is the SLA for critical vulnerability remediation? Is patching automated? How are end-of-life systems handled? When was the last external vulnerability scan?

3. Incident response (4 questions): Is there a documented IR plan? Has it been tested in the past 12 months? What is the notification SLA for breaches affecting your data? Who is the point of contact for incident notification?

4. Encryption (3 questions): Is data encrypted at rest? In transit? What encryption standards are used (TLS version, algorithm)?

5. Logging and monitoring (4 questions): Are access logs retained for 90 days or more? Is there 24/7 security monitoring? Are privileged access logs reviewed?

6. Backup and recovery (3 questions): Is data backed up daily? Are backups tested quarterly? What is the RTO for critical systems?

7. Subprocessor management (3 questions): Does the vendor use subprocessors who access your data? Are subprocessors assessed? Is there notification when subprocessors change?

8. Physical security (4 questions): Are data centers SOC 2 certified? Is access to systems processing your data physically restricted? Is equipment sanitized before disposal?

Format each question as a multiple-choice answer (Yes / No / Partially / Not Applicable) with an optional text field for evidence. Multiple-choice enables automated scoring; text fields capture evidence pointers for manual review.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Automated Intake and Scoring

Automated intake and scoring removes the manual review burden for the majority of vendor questionnaires and focuses human review on the vendors with elevated scores.

Intake automation. Use a form tool (Typeform, Google Forms, or your GRC platform's questionnaire module) to send questionnaires via email with a unique vendor link. Configure automatic reminders at 7, 14, and 21 days post-send. Escalate to the vendor relationship owner at 30 days without response. Track completion status in the GRC platform.

Scoring model. Assign point values to each question based on the control domain's weight in breach prediction:

  • Critical question (missing control directly enables breach): 10 points
  • High question (missing control significantly increases breach risk): 7 points
  • Medium question (missing control creates risk but mitigated by other controls): 4 points
  • Low question (missing control is informational): 1 point

A "No" answer to a critical question (MFA for privileged access) scores 10 risk points. A "Yes" scores 0. Total score across all 30 questions produces a numeric risk score. Establish thresholds: 0-20 = Pass (proceed with contract), 21-40 = Conditional Pass (compensating controls required), 41+ = Fail (remediation plan required before contract execution).

Automated routing. Configure the GRC platform to route questionnaire results automatically: Pass = auto-approve and archive, Conditional Pass = route to GRC analyst for compensating control review, Fail = route to CISO and vendor relationship owner with remediation requirement.

Evidence tracking. For each question where the vendor answers "Yes," link to the supporting evidence (SOC 2 report reference, policy document, certification). Track evidence expiry dates and trigger re-collection when evidence is more than 12 months old.

Evidence Correlation: Questionnaire vs. External Scan Results

Questionnaire responses are self-reported. Cross-referencing responses against external data sources validates whether what vendors claim matches what is externally observable.

Security ratings correlation. Before sending a questionnaire, pull the vendor's current security rating from a ratings provider. Compare the rating against the questionnaire score after responses are received. If a vendor scores well on the questionnaire but has a poor external rating, request explanation for the discrepancy. Common causes: the rating covers infrastructure the vendor did not include in the questionnaire scope, or the questionnaire answers are optimistic.

Shodan and external exposure correlation. For Tier 1 vendors, run a Shodan search on the vendor's AS numbers and IP ranges. If a vendor claims no publicly exposed management interfaces (RDP, SSH, Telnet, database ports) but Shodan shows open management ports on their infrastructure, flag the discrepancy and add it to the follow-up questionnaire. This is not adversarial -- it is due diligence. Vendors with genuinely good security will have explanations (the open port is a honeypot, is in a DMZ with no data access, or the IP is no longer in use). Vendors with poor security will not.

Certificate monitoring. Vendors who claim to use TLS for all data in transit should have valid, non-expired certificates on all public endpoints. Monitor the vendor's primary domain certificate and certificate transparency logs for unexpected certificate changes (which can indicate domain takeover or certificate issuance by unauthorized parties).

Breach intelligence correlation. Before approving a vendor or renewing a contract, check breach intelligence feeds for the vendor's domain and known subsidiaries. A vendor who did not disclose a historical breach in their questionnaire -- but appears in HaveIBeenPwned or dark web datasets -- is a red flag for both the security posture and the completeness of their self-reporting.

SLA-Based Follow-Up and Escalation Workflow

Automated follow-up removes the most time-consuming manual work in vendor questionnaire programs: chasing vendors who have not responded.

Follow-up cadence configuration. Set the following automated touchpoints in the GRC platform or workflow tool:

  • Day 0: Questionnaire sent to vendor security contact
  • Day 7: Automated reminder if no response
  • Day 14: Automated reminder with urgency language and contract reference
  • Day 21: Escalate to vendor relationship owner (sales, procurement, or partnership contact) with request to facilitate completion
  • Day 30: Trigger GRC team review -- determine whether the relationship can proceed without questionnaire completion or whether the contract must be paused

Remediation plan tracking. When a vendor scores in the Conditional Pass or Fail range, require a written remediation plan with specific control improvements and target dates. Track remediation plan items in the GRC platform and schedule a checkpoint questionnaire at 90 days to verify remediation progress. Contracts with vendors in the Fail range should include a specific security improvement clause with the remediation plan items as deliverables.

Exception process. When business requirements require proceeding with a vendor before remediation is complete, document the exception formally: the specific finding being excepted, the business justification, the compensating controls being applied, the risk owner who accepts the residual risk, and the expiration date when the exception will be re-evaluated. Exceptions without expiration dates accumulate into permanent risk deferrals.

Continuous Monitoring as a Replacement for Annual Re-Assessment

For Tier 2 vendors, continuous monitoring with automated alerting can replace the full annual questionnaire re-assessment for vendors whose risk profile has not changed.

What continuous monitoring covers:

  • Security rating changes: alert if the vendor's rating drops more than 10 points quarter-over-quarter
  • Breach intelligence: alert when the vendor's domain appears in breach datasets or dark web listings
  • Certificate expiry: alert when a vendor's primary domain certificate will expire in less than 30 days
  • Public exposure changes: alert when Shodan adds new open ports on the vendor's IP space
  • Subprocessor changes: alert when the vendor publishes subprocessor list changes (if they maintain a public subprocessor page)

Annual review trigger. The annual re-assessment is triggered by monitoring alerts or by the calendar -- whichever comes first. If continuous monitoring has generated no alerts during the year and the vendor's risk score is unchanged, the annual re-assessment can be abbreviated to a delta review: confirm that the vendor's questionnaire responses still apply, confirm evidence is still valid, and review any monitoring alerts from the year. Full re-assessment is required when monitoring generates a significant alert.

Right-to-audit clause. Contracts with Tier 1 vendors should include a right-to-audit clause that enables on-site or remote technical assessment when monitoring signals justify it. This is not used routinely, but its presence in the contract enables direct verification when questionnaire responses or monitoring data raise concerns that cannot be resolved through documentation review alone.

The bottom line

Third-party vendor risk questionnaire programs that produce usable data have three characteristics that annual manual questionnaire programs lack: inherent risk classification that matches assessment depth to actual risk (full SIG for regulated data vendors, 30-question abbreviated for business-critical vendors, monitoring only for commodity services), automated scoring that routes human review to the vendors with elevated risk scores rather than requiring manual review of every response, and continuous monitoring between assessment cycles that surfaces security rating changes, breach intelligence, and exposure changes before the next annual snapshot. Evidence correlation -- cross-referencing questionnaire responses against Shodan, security ratings, and breach intelligence -- validates self-reported data and surfaces the 25 to 40% of responses that conflict with external evidence.

Frequently asked questions

What is the difference between a SIG and a CAIQ?

The SIG (Standardized Information Gathering questionnaire) from Shared Assessments covers 850+ controls across 18 domains and is used for comprehensive third-party risk assessment of vendors handling sensitive data. The CAIQ (Consensus Assessments Initiative Questionnaire) from the Cloud Security Alliance focuses specifically on cloud service providers and covers the Cloud Controls Matrix domains. The SIG is broader and more appropriate for non-cloud vendors; the CAIQ is more targeted for SaaS and cloud service providers. Both are too long for Tier 2 vendor assessments -- an abbreviated version of either covering the eight critical domains is more practical for most programs.

How many vendors should a GRC team be able to manage with an automated questionnaire program?

A GRC team of two can manage a vendor portfolio of 200-300 vendors with an automated program: approximately 20-30 Tier 1 vendors requiring full assessment and 150-200 Tier 2 vendors using abbreviated automated assessments. Without automation, a team of two can typically manage complete manual assessments for 30-40 vendors per year. The limiting factor shifts from assessment volume to exception management and follow-up for conditional pass and fail results.

What should a vendor questionnaire actually ask about subprocessors?

Three things: whether the vendor uses subprocessors who process your data, how subprocessors are assessed (are they subject to the same security requirements as the vendor), and how you will be notified when subprocessors change. Many vendor data breaches originate at subprocessors, not the primary vendor -- a vendor with strong security who uses a subprocessor without equivalent controls is a risk that the primary vendor questionnaire does not capture without explicit subprocessor questions.

When should a vendor questionnaire be reviewed by legal?

Legal review of questionnaire responses is appropriate when: a vendor discloses a historical breach (assess notification obligation and contract implications), a vendor's responses conflict significantly with external data (potential misrepresentation with contract implications), questionnaire findings require contract amendments (adding security requirements as deliverables), or the vendor operates in a jurisdiction with materially different data protection laws that affect how you can use their services.

How do security ratings services factor into vendor risk programs?

Security ratings (from providers like Bitsight, SecurityScorecard, or UpGuard) provide external assessment of a vendor's security posture based on observable signals -- open ports, leaked credentials, web application findings, patching cadence, and email security configuration. They are useful for continuous monitoring and as a preliminary screen before sending a questionnaire, but they measure what is externally observable, which is a subset of a vendor's security posture. A vendor with a high security rating can still have poor internal security practices for access control, incident response, and data handling that ratings do not assess.

What is a right-to-audit clause and when should it be used?

A right-to-audit clause in a vendor contract gives your organization the right to conduct or commission a security assessment of the vendor -- through documentation review, questionnaire, or on-site technical audit -- at your request, at a defined frequency, or when triggered by a security concern. It is most appropriate for Tier 1 vendors handling regulated data. In practice, the clause is rarely invoked but creates leverage when vendor self-reporting raises concerns that cannot be resolved through questionnaire responses alone. Many vendors will counter with sharing SOC 2 reports in lieu of direct audit -- the contract should specify whether SOC 2 in lieu of audit is acceptable or whether direct assessment is required.

Sources & references

  1. Cloud Security Alliance: Consensus Assessments Initiative Questionnaire (CAIQ)
  2. Shared Assessments: Standardized Information Gathering (SIG) Questionnaire
  3. NIST: Cybersecurity Supply Chain Risk Management (C-SCRM)
  4. CISA: Third-Party Vendor Risk Management Guidance

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.