Vendor Cybersecurity Questionnaire
Know the cyber risk your vendors are carrying — before it becomes yours.
A single compromised supplier can expose your entire organization. NIS2, DORA, and ISO 27001 all require formal third-party risk management — but most organizations don't know where to start. This free questionnaire gives you a structured, professional way to assess any vendor's cybersecurity posture in minutes.
What you'll get
- A vendor risk rating: Low / Medium / High / Critical
- A breakdown of gaps by security domain
- A recommended action for each risk level
How to use this questionnaire
Assess a vendor
Answer each question based on what you know about the vendor. Get an instant risk rating when you complete all 20 questions.
Send to a vendor
Share this page URL with the vendor and ask them to complete it. Use their answers and the scoring guide below to rate their responses.
Section 1: Security Policy & Governance
Q1. Does your organization have a documented information security policy?
Q2. Do you have a named individual responsible for cybersecurity (e.g. CISO, Head of Security)?
Q3. Has your organization achieved any cybersecurity certifications in the last 2 years? (Select all that apply)
Section 2: Data Handling & Privacy
Q4. What categories of data does your organization process on our behalf? (Select all that apply)
Q5. Is data encrypted at rest and in transit?
Q6. Where is our data stored and processed?
Section 3: Access Controls
Q7. Do you enforce multi-factor authentication for systems that access or process our data?
Q8. Do you apply the principle of least privilege — limiting access to only what each role requires?
Q9. Do you conduct background checks on employees with access to our data or systems?
Section 4: Incident Response
Q10. Do you have a documented incident response plan?
Q11. Would you notify us of a security incident affecting our data, and if so within what timeframe?
Q12. Have you experienced a security breach or incident in the last 3 years?
Section 5: Vulnerability & Patch Management
Q13. Do you have a formal patch management process?
Q14. Do you conduct regular vulnerability scanning or penetration testing?
Section 6: Business Continuity
Q15. Do you have a tested business continuity and disaster recovery plan?
Q16. What is your Recovery Time Objective (RTO) for critical systems?
Section 7: Third-Party & Supply Chain
Q17. Do you assess the cybersecurity posture of your own sub-processors or key suppliers?
Q18. Do you have a list of all sub-processors or third parties who may access our data?
Section 8: Compliance & Legal
Q19. Are you subject to any regulatory requirements relevant to cybersecurity or data protection? (Select all that apply)
Q20. Would you consent to a cybersecurity audit or assessment by our team or an agreed third party?
Vendor Risk Rating Guide
Low Risk
This vendor demonstrates strong security controls.
Responses indicate mature security practices across most domains. Standard contractual protections and annual review are appropriate. No immediate action required.
Medium Risk
This vendor has gaps that should be addressed before or during onboarding.
Some controls are in place but there are inconsistencies across key areas — particularly access control, incident response, or third-party management. Consider requesting a remediation plan or independent certification before extending data access.
High Risk
This vendor presents meaningful cybersecurity risk that requires remediation.
Multiple gaps across critical security domains. If this vendor is essential, require a formal remediation plan with timelines before proceeding. Consider contractual security obligations and audit rights.
Critical Risk
Do not proceed without significant remediation.
Fundamental security controls are missing. Engaging this vendor without remediation creates direct regulatory and operational exposure for your organization. Escalate to senior management before proceeding.
Need help managing vendor risk at scale?
Atumcell's supply chain security assessments give you consistent, auditable visibility across all your critical vendors — aligned with NIS2, ISO 27001, and DORA requirements.
Frequently asked questions
What is a vendor cybersecurity questionnaire?
A vendor cybersecurity questionnaire is a structured set of questions sent to suppliers, partners, or service providers to assess their cybersecurity posture. It covers areas such as security policy, access controls, incident response, data handling, and compliance. The responses allow you to rate the vendor's risk level before sharing data or granting system access.
Why do NIS2, DORA, and ISO 27001 require vendor risk assessments?
NIS2, DORA, and ISO 27001 all require organizations to manage cybersecurity risks in their supply chain. A compromised vendor can provide attackers with a direct path into your organization. Regulators expect formal, documented vendor assessments — not informal reviews — and may request evidence of your third-party risk management process during audits.
How do I score a vendor cybersecurity questionnaire?
Score each question based on the vendor's responses: A answers indicate mature controls (low risk), B answers indicate partial controls (medium risk), C or D answers indicate missing or weak controls (high or critical risk). Calculate an overall risk rating by weighting answers in critical domains — access control, incident response, and data handling — more heavily than others.
What should I do if a vendor scores High or Critical Risk?
If a vendor scores High Risk, require a formal remediation plan with timelines before proceeding. Include contractual security obligations and audit rights. If a vendor scores Critical Risk, do not proceed without significant remediation. Escalate to senior management and consider alternative vendors. Document your decision either way for audit purposes.
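As an added example (not part of the questionnaire itself or of Atumcell's tooling), the Python below implements the scoring approach the FAQ describes: A/B/C/D answers mapped to points, the three critical domains (access control, incident response, data handling) weighted more heavily than the rest, an overall Low/Medium/High/Critical rating, and the per-domain gap breakdown and recommended action promised at the top of the page. The domain names, question numbers and recommended actions are taken from the page; the point values, the weight factor of 2, the rating thresholds and the sample vendor's answers are assumptions made for this example.

```python
"""Weighted scoring for the 20-question vendor cybersecurity questionnaire.

Added example. Domain names, question numbers and recommended actions follow
the page; point values, domain weights, rating thresholds and the sample
answers below are assumptions chosen for illustration.
"""
from collections import defaultdict

# The page's eight domains and the questions that belong to each.
DOMAINS = {
    "Security Policy & Governance": [1, 2, 3],
    "Data Handling & Privacy": [4, 5, 6],
    "Access Controls": [7, 8, 9],
    "Incident Response": [10, 11, 12],
    "Vulnerability & Patch Management": [13, 14],
    "Business Continuity": [15, 16],
    "Third-Party & Supply Chain": [17, 18],
    "Compliance & Legal": [19, 20],
}

# Assumed: the FAQ says to weight the critical domains more heavily; a
# factor of 2 is used here, all other domains count once.
DOMAIN_WEIGHTS = defaultdict(lambda: 1, {
    "Access Controls": 2,
    "Incident Response": 2,
    "Data Handling & Privacy": 2,
})

# Assumed points: A = mature control, B = partial, C = weak, D = missing.
ANSWER_POINTS = {"A": 0, "B": 1, "C": 2, "D": 3}
GAP_THRESHOLD = 2  # C or D counts as a gap in the domain breakdown

# Assumed bands on the normalised score (0.0 = all A, 1.0 = all D).
RATING_BANDS = [(0.15, "Low"), (0.35, "Medium"), (0.60, "High"), (1.01, "Critical")]

# Recommended actions, condensed from the page's Vendor Risk Rating Guide.
ACTIONS = {
    "Low": "Standard contractual protections and annual review.",
    "Medium": "Request a remediation plan or independent certification before extending data access.",
    "High": "Require a formal remediation plan with timelines; add contractual security obligations and audit rights.",
    "Critical": "Do not proceed without significant remediation; escalate to senior management.",
}


def validate_answers(answers):
    """Raise ValueError if any question is unanswered or has an unknown option."""
    missing = sorted(set(range(1, 21)) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    bad = {q: a for q, a in answers.items() if a not in ANSWER_POINTS}
    if bad:
        raise ValueError(f"unknown answer options: {bad}")


def weighted_score(answers):
    """Normalised weighted score in [0, 1]; higher means more risk."""
    earned = maximum = 0
    for domain, questions in DOMAINS.items():
        weight = DOMAIN_WEIGHTS[domain]
        for q in questions:
            earned += weight * ANSWER_POINTS[answers[q]]
            maximum += weight * max(ANSWER_POINTS.values())
    return earned / maximum


def domain_gaps(answers):
    """Per domain, the questions answered C or D (only domains with gaps)."""
    gaps = {}
    for domain, questions in DOMAINS.items():
        weak = [q for q in questions if ANSWER_POINTS[answers[q]] >= GAP_THRESHOLD]
        if weak:
            gaps[domain] = weak
    return gaps


def rate_vendor(answers):
    """Return score, rating, gap breakdown and recommended action for one vendor."""
    validate_answers(answers)
    score = weighted_score(answers)
    rating = next(label for limit, label in RATING_BANDS if score < limit)
    return {
        "score": round(score, 3),
        "rating": rating,
        "gaps": domain_gaps(answers),
        "action": ACTIONS[rating],
    }


# Constructed sample: a vendor that is mostly mature but has no MFA (Q7),
# no breach-notification commitment (Q11) and no sub-processor list (Q18).
SAMPLE_ANSWERS = {q: "A" for q in range(1, 21)}
SAMPLE_ANSWERS.update({3: "B", 7: "D", 11: "C", 14: "B", 18: "C"})

if __name__ == "__main__":
    result = rate_vendor(SAMPLE_ANSWERS)
    print(f"Rating: {result['rating']} (score {result['score']})")
    for domain, questions in result["gaps"].items():
        print(f"  gap in {domain}: Q{', Q'.join(map(str, questions))}")
    print(f"Action: {result['action']}")
```

The sample vendor lands in Medium: a single missing control in a weighted domain (no MFA) is enough to pull it out of Low, and the gap list points the reviewer straight at the three questions to follow up on, which is the "breakdown of gaps by security domain" the page promises. The thresholds are the part to tune against your own risk appetite; the rest of the model is mechanical.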