Vendor Security and Risk Assessment Questionnaire
Assesses a vendor's security controls, certifications, data handling, and incident history for procurement, security, and compliance teams running third-party risk reviews. An AI follow-up interview digs into the vendor's single most significant unresolved risk instead of accepting a checklist of certifications at face value.
Sample questions
A preview of what’s in the template. Every question is editable before you launch.
Which of the following security certifications or attestations does your organization currently hold?
- SOC 2 Type II
- ISO 27001
- PCI DSS
- HIPAA compliance
- FedRAMP
- GDPR compliance program
- None of the above
How is data belonging to your customers encrypted?
- Encrypted at rest and in transit
- Encrypted in transit only
- Encrypted at rest only
- Not encrypted
- Not sure
For each control below, indicate its current implementation status at your organization.
- Multi-factor authentication enforced for employee system access
- Regular third-party penetration testing
- Formal, tested incident response plan
- Mandatory employee security awareness training
- Documented data retention and deletion policy
In the last 24 months, has your organization experienced a security incident affecting customer data?
- Yes — disclosed to affected customers
- Yes — handled internally, no disclosure required
- No incidents
- Not sure / unable to disclose
Do you use subcontractors or subprocessors who would have access to our data?
- Yes, and we maintain an up-to-date list we can share
- Yes, but we don't proactively share a list
- No subprocessors are used
- Not sure
How confident are you that your current security program meets the requirements expected of vendors in regulated industries?
Which of these security investments is your organization prioritizing most over the next 12 months, and which least?
- Zero trust network architecture
- Third-party and vendor risk management tooling
- Data loss prevention
- Security awareness training
- Incident response automation
- Cloud security posture management
- Encryption key management
Identify the single most significant unresolved security or compliance risk this vendor is carrying right now — not the strongest area, the weakest one. If they reported an incident, get specifics on what happened, what changed afterward, and whether the fix was verified or just promised. If they claimed 'not sure' or 'not implemented' on any control, probe why and what would need to happen for it to close. Push past reassurance ('we take security seriously') to concrete evidence.
Are there any planned improvements to your security program in the next 12 months we should know about (e.g., new certifications, tooling, staffing)?
What is your role in relation to this vendor's security or compliance program?
- Security / InfoSec lead
- Compliance or legal
- Engineering or IT leadership
- Executive / founder
- Sales or account management
- Other
- Prefer not to say
How many employees does your organization have?
- 1-50
- 51-250
- 251-1,000
- 1,001-5,000
- More than 5,000
- Prefer not to say
Thank you for completing this assessment. Your responses will be reviewed by our security and procurement team as part of our vendor risk evaluation, and we may follow up with clarifying questions before finalizing our decision.
What’s included
AI follow-ups
Adaptive probes on open-ended answers that pull out detail a static form would miss.
Attention checks
Built-in safeguards against rushed answers and low-quality respondents.
AI-drafted copy
Wording, ordering, and branching written by the AI — tuned to your research goal.
Auto report
Themes, quotes, and a plain-English summary write themselves once responses come in.
How it compares
We reviewed the closest templates from other survey tools. Here’s what they do well — and where this template goes further.
Why this template
- Instead of taking a vendor's checklist of certifications at face value, an AI follow-up interview probes the single most significant unresolved security or compliance risk in depth.
- Combines structured data collection (certifications, encryption practices, a control-implementation matrix, incident history, subprocessor disclosure) with a MaxDiff on investment priorities and a confidence rating, giving procurement and security teams both breadth and depth.
- Automated per-response quality scoring and an auto-generated report mean reviewers get a synthesized risk summary instead of a raw spreadsheet of answers to manually triage.
- Transparent prompts let security and compliance teams see and audit exactly how the AI is probing vendors, supporting internal review and audit-trail requirements.
QuestionPro
Vendor Security and Assessment Sample Questionnaire TemplateA directly comparable, ready-to-field vendor security questionnaire template covering certifications, controls, and data handling. It's a static question set aimed at the same procurement/security use case as ours, but relies entirely on pre-written questions with no mechanism to dig deeper on any single vendor response.
What it does well
- Purpose-built for vendor security assessment, not a generic security form
- Backed by QuestionPro's established survey logic and reporting tools
- Likely customizable within their broader survey platform
Where it falls short
- No adaptive follow-up questioning — every vendor answers the same fixed checklist regardless of risk level
- No indication of automated per-response risk scoring or a synthesized risk report
- No published methodology for how or why any given question was included
SurveySparrow
Vendor Security Assessment Questionnaire TemplateA fielding-ready vendor security assessment template aimed at the same audience as ours. It uses SurveySparrow's conversational chat-style survey format, which improves completion experience but is still a fixed question flow rather than a genuine investigative interview.
What it does well
- Conversational, chat-like UI that may improve vendor response rates
- Directly targeted at vendor security/risk assessment use case
- Likely mobile-friendly given SurveySparrow's product focus
Where it falls short
- Conversational styling is not the same as adaptive AI reasoning — questions and branching are pre-set, not generated from the vendor's actual answers
- No mention of automated risk scoring or an auto-generated compliance report
- No voice-based interview option for vendors who prefer speaking to typing
Jotform
Cyber Security Risk Assessment Questionnaire Form TemplateA general cyber security risk assessment form rather than a template specifically framed around evaluating a third-party vendor for procurement purposes; it's still close enough in subject matter to be a relevant comparison. It's a static form-builder template that vendors or organizations fill out once, with no interview-style follow-up.
What it does well
- Easy to build and deploy quickly using Jotform's drag-and-drop form builder
- Broad applicability across general cyber security risk scenarios
- Can integrate with Jotform's wider forms/e-signature ecosystem
Where it falls short
- Framed as general cyber security risk assessment, not vendor-specific procurement review — teams would need to adapt it themselves
- Purely a static form: no adaptive AI probing of unresolved risks and no automated scoring of response quality
- No structured mechanism (like a control-implementation matrix or investment prioritization ranking) built specifically for vendor risk comparison
Ready to launch?
Open this template in the editor. Every part is yours to change before the first respondent sees it.