Vendor security questionnaire generator
Build a tailored third-party security questionnaire in seconds, then copy it or download it to CSV.
Assessing a new supplier? Generate a right-sized security questionnaire based on how critical the vendor is and which topics apply, then send it as a CSV. A ready-to-use starting point for your third-party due diligence.
Pick the vendor's criticality, choose the topics that apply, then copy or download the questionnaire. Nothing you select leaves your browser.
Your questionnaire
23 questions
1. Security governance & program
- Do you have a documented information security policy, approved by management?
- Is a named person or team responsible for information security?
- Do you perform regular risk assessments of the systems and data involved in this service?
2. Access control & authentication
- Is multi-factor authentication (MFA) enforced for access to systems that handle our data?
- Do you apply least-privilege and role-based access control?
- Are user access rights reviewed periodically and revoked promptly when staff leave or change roles?
3. Data protection & privacy
- Is our data encrypted both in transit and at rest?
- Will our data be stored or processed outside our country or region? If so, where?
- Do you have a data retention and secure deletion policy, and can you delete our data on request?
- Are you compliant with the privacy laws that apply to our data (e.g. Law 25, GDPR)? Please specify.
4. Infrastructure & network security
- Are your systems protected by firewalls, endpoint protection and network segmentation?
- Do you harden systems against a recognized baseline (e.g. CIS Benchmarks)?
5. Application & development security
- Do you follow secure development practices (code review, SAST/DAST, security testing before release)?
- Do you maintain a software bill of materials (SBOM) and track vulnerabilities in third-party components?
6. Vulnerability & patch management
- Do you have a patch management process with defined timelines for critical vulnerabilities?
- Do you scan for vulnerabilities regularly and prioritize remediation by exploitability (CVSS, EPSS, CISA KEV)?
7. Incident response & breach notification
- Do you have a documented and tested incident response plan?
- Will you notify us of a security incident affecting our data, and within what timeframe?
- Do you log and monitor security events (e.g. SIEM, EDR)?
8. Business continuity & resilience
- Do you maintain isolated, regularly tested backups of the systems handling our data?
- Do you have a business continuity and disaster recovery plan with defined RTO/RPO targets?
9. Subcontractors & fourth parties
- Do you use subcontractors that will access, store or process our data? Please list them.
- Do you assess the security of your own suppliers (our fourth parties)?
FAQ
What is a vendor security questionnaire?
A vendor (or third-party) security questionnaire is a set of questions you send to a supplier to evaluate how they protect the data and systems they will access. It is a core step of third-party risk management and vendor due diligence.
How should I choose the criticality level?
Match it to the vendor's risk: Essential for low-risk suppliers, Standard for vendors that handle your data or connect to your systems, and In-depth for critical vendors that are a core dependency or process sensitive data. Higher levels add deeper questions.
What do I do with the CSV?
The CSV has a Response and an Evidence column left blank, so you can send it to the vendor to complete, or import it into your GRC or spreadsheet tool to track answers and evidence.
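As an added illustration (not the generator's own code), the script below shows the two workflows the FAQ describes: building a questionnaire CSV whose Response and Evidence columns are left blank, with the question set widening as criticality goes from Essential to Standard to In-depth, and then reviewing a vendor's completed CSV for unanswered questions and answers with no evidence. The question bank, its tier assignments and the Section/Question column names are assumptions constructed for the example.

```python
import csv
import io

# Criticality tiers from the page, lowest to highest; each tier includes the questions of the tiers below it.
TIERS = ["Essential", "Standard", "In-depth"]

# Constructed sample bank: (section, question, lowest tier that asks it). The tier mapping is an assumption.
QUESTION_BANK = [
    ("Security governance & program",
     "Do you have a documented information security policy, approved by management?", "Essential"),
    ("Access control & authentication",
     "Is multi-factor authentication (MFA) enforced for access to systems that handle our data?", "Essential"),
    ("Data protection & privacy",
     "Is our data encrypted both in transit and at rest?", "Standard"),
    ("Incident response & breach notification",
     "Will you notify us of a security incident affecting our data, and within what timeframe?", "Standard"),
    ("Subcontractors & fourth parties",
     "Do you assess the security of your own suppliers (our fourth parties)?", "In-depth"),
]

# Response and Evidence are the blank columns named on the page; Section and Question are assumed names.
COLUMNS = ["Section", "Question", "Response", "Evidence"]


def select_questions(criticality, topics):
    """Return (section, question) pairs for the chosen tier, restricted to the selected topics."""
    max_rank = TIERS.index(criticality)
    return [(s, q) for s, q, tier in QUESTION_BANK if TIERS.index(tier) <= max_rank and s in topics]


def build_csv(criticality, topics):
    """Serialize the selected questions as CSV with empty Response and Evidence cells for the vendor."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for section, question in select_questions(criticality, topics):
        writer.writerow([section, question, "", ""])
    return buf.getvalue()


def review_responses(completed_csv):
    """Flag rows the vendor left unanswered, or answered without pointing to supporting evidence."""
    gaps = []
    for row in csv.DictReader(io.StringIO(completed_csv)):
        if not row["Response"].strip():
            gaps.append((row["Question"], "no response"))
        elif not row["Evidence"].strip():
            gaps.append((row["Question"], "no evidence"))
    return gaps
```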
Does anything I select get sent anywhere?
No. The generator runs entirely in your browser. Your selections and the questionnaire never leave your device, and nothing is stored.
Isn't a questionnaire a point-in-time snapshot?
Yes, and that is its limit. A questionnaire is self-reported and quickly dated. The FortaRisks TPRM module complements it with continuous, evidence-based monitoring of your vendors' external posture, so you catch risks a questionnaire misses.
Go further
- How to build a third-party risk management program
- 11 third-party vulnerabilities invisible to questionnaires
- TPRM: what third-party risk management means
Go beyond the questionnaire
A questionnaire is a one-time, self-reported snapshot. The FortaRisks TPRM module scores and continuously monitors your vendors' real security posture, so you see the risks a questionnaire cannot.
This questionnaire is a starting template provided for guidance only. Adapt it to your context; it does not constitute legal or contractual advice.