All templates

Vendor Security and Risk Assessment Questionnaire

Assesses a vendor's security controls, certifications, data handling, and incident history for procurement, security, and compliance teams running third-party risk reviews. An AI follow-up interview digs into the vendor's single most significant unresolved risk instead of accepting a checklist of certifications at face value.

Sample questions

A preview of what’s in the template. Every question is editable before you launch.

13 questions · ~7 min
Q01
Message

Thanks for completing this security assessment on behalf of your organization. It covers certifications, data handling, access controls, and incident history, and takes about 8 minutes. Please answer as accurately as possible — vague answers slow down the review.

Q02
Multiple ChoiceRequired

Which of the following security certifications or attestations does your organization currently hold?

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS
  • HIPAA compliance
  • FedRAMP
  • GDPR compliance program
  • None of the above
Q03
Multiple ChoiceRequired

How is data belonging to your customers encrypted?

  • Encrypted at rest and in transit
  • Encrypted in transit only
  • Encrypted at rest only
  • Not encrypted
  • Not sure
Q04
MatrixRequired

For each control below, indicate its current implementation status at your organization.

5 rows × 5 columns
  • Multi-factor authentication enforced for employee system access
  • Regular third-party penetration testing
  • Formal, tested incident response plan
  • Mandatory employee security awareness training
  • Documented data retention and deletion policy
Columns: Fully implemented · Partially implemented · Planned within 12 months · Not implemented · Not sure
Q05
Multiple ChoiceRequired

In the last 24 months, has your organization experienced a security incident affecting customer data?

  • Yes — disclosed to affected customers
  • Yes — handled internally, no disclosure required
  • No incidents
  • Not sure / unable to disclose
Q06
Multiple ChoiceRequired

Do you use subcontractors or subprocessors who would have access to our data?

  • Yes, and we maintain an up-to-date list we can share
  • Yes, but we don't proactively share a list
  • No subprocessors are used
  • Not sure
Q07
Opinion ScaleRequired

How confident are you that your current security program meets the requirements expected of vendors in regulated industries?

Scale: 17
Min:Not confident at allMax:Extremely confident
Q08
Best–Worst Trade-off (MaxDiff)Required

Which of these security investments is your organization prioritizing most over the next 12 months, and which least?

  • Zero trust network architecture
  • Third-party and vendor risk management tooling
  • Data loss prevention
  • Security awareness training
  • Incident response automation
  • Cloud security posture management
  • Encryption key management
Pick best & worst per setBest:Highest priorityWorst:Lowest priority
Q09
AI Interview

Identify the single most significant unresolved security or compliance risk this vendor is carrying right now — not the strongest area, the weakest one. If they reported an incident, get specifics on what happened, what changed afterward, and whether the fix was verified or just promised. If they claimed 'not sure' or 'not implemented' on any control, probe why and what would need to happen for it to close. Push past reassurance ('we take security seriously') to concrete evidence.

Q10
Long Text

Are there any planned improvements to your security program in the next 12 months we should know about (e.g., new certifications, tooling, staffing)?

Q11
Multiple Choice

What is your role in relation to this vendor's security or compliance program?

  • Security / InfoSec lead
  • Compliance or legal
  • Engineering or IT leadership
  • Executive / founder
  • Sales or account management
  • Other
  • Prefer not to say
Q12
Multiple Choice

How many employees does your organization have?

  • 1-50
  • 51-250
  • 251-1,000
  • 1,001-5,000
  • More than 5,000
  • Prefer not to say
Q13
Message

Thank you for completing this assessment. Your responses will be reviewed by our security and procurement team as part of our vendor risk evaluation, and we may follow up with clarifying questions before finalizing our decision.

What’s included

  • AI follow-ups

    Adaptive probes on open-ended answers that pull out detail a static form would miss.

  • Attention checks

    Built-in safeguards against rushed answers and low-quality respondents.

  • AI-drafted copy

    Wording, ordering, and branching written by the AI — tuned to your research goal.

  • Auto report

    Themes, quotes, and a plain-English summary write themselves once responses come in.

How it compares

We reviewed the closest templates from other survey tools. Here’s what they do well — and where this template goes further.

Why this template

  • Instead of taking a vendor's checklist of certifications at face value, an AI follow-up interview probes the single most significant unresolved security or compliance risk in depth.
  • Combines structured data collection (certifications, encryption practices, a control-implementation matrix, incident history, subprocessor disclosure) with a MaxDiff on investment priorities and a confidence rating, giving procurement and security teams both breadth and depth.
  • Automated per-response quality scoring and an auto-generated report mean reviewers get a synthesized risk summary instead of a raw spreadsheet of answers to manually triage.
  • Transparent prompts let security and compliance teams see and audit exactly how the AI is probing vendors, supporting internal review and audit-trail requirements.

QuestionPro

Vendor Security and Assessment Sample Questionnaire Template

A directly comparable, ready-to-field vendor security questionnaire template covering certifications, controls, and data handling. It's a static question set aimed at the same procurement/security use case as ours, but relies entirely on pre-written questions with no mechanism to dig deeper on any single vendor response.

What it does well

  • Purpose-built for vendor security assessment, not a generic security form
  • Backed by QuestionPro's established survey logic and reporting tools
  • Likely customizable within their broader survey platform

Where it falls short

  • No adaptive follow-up questioning — every vendor answers the same fixed checklist regardless of risk level
  • No indication of automated per-response risk scoring or a synthesized risk report
  • No published methodology for how or why any given question was included

SurveySparrow

Vendor Security Assessment Questionnaire Template

A fielding-ready vendor security assessment template aimed at the same audience as ours. It uses SurveySparrow's conversational chat-style survey format, which improves completion experience but is still a fixed question flow rather than a genuine investigative interview.

What it does well

  • Conversational, chat-like UI that may improve vendor response rates
  • Directly targeted at vendor security/risk assessment use case
  • Likely mobile-friendly given SurveySparrow's product focus

Where it falls short

  • Conversational styling is not the same as adaptive AI reasoning — questions and branching are pre-set, not generated from the vendor's actual answers
  • No mention of automated risk scoring or an auto-generated compliance report
  • No voice-based interview option for vendors who prefer speaking to typing

Jotform

Cyber Security Risk Assessment Questionnaire Form Template

A general cyber security risk assessment form rather than a template specifically framed around evaluating a third-party vendor for procurement purposes; it's still close enough in subject matter to be a relevant comparison. It's a static form-builder template that vendors or organizations fill out once, with no interview-style follow-up.

What it does well

  • Easy to build and deploy quickly using Jotform's drag-and-drop form builder
  • Broad applicability across general cyber security risk scenarios
  • Can integrate with Jotform's wider forms/e-signature ecosystem

Where it falls short

  • Framed as general cyber security risk assessment, not vendor-specific procurement review — teams would need to adapt it themselves
  • Purely a static form: no adaptive AI probing of unresolved risks and no automated scoring of response quality
  • No structured mechanism (like a control-implementation matrix or investment prioritization ranking) built specifically for vendor risk comparison

Ready to launch?

Open this template in the editor. Every part is yours to change before the first respondent sees it.