Third-Party Risk Assessment Questionnaire Template
This Third-Party Risk Assessment Questionnaire is designed to help organizations evaluate the risks associated with vendors, suppliers, and service providers. All sections should be completed by the vendor and reviewed by the organization’s risk management team.
-
Company Name: _______________________________
-
Address: _______________________________
-
Contact Person: _______________________________
-
Email: _______________________________
-
Phone: _______________________________
-
Service Provided: _______________________________
Company Name: _______________________________
Address: _______________________________
Contact Person: _______________________________
Email: _______________________________
Phone: _______________________________
Service Provided: _______________________________
2. Company Overview and Governance
-
Year established: ___________________________
-
Number of employees: _______________________
-
Describe your company’s governance structure and key executives.
-
Do you have a dedicated compliance officer or team? Yes / No
Year established: ___________________________
Number of employees: _______________________
Describe your company’s governance structure and key executives.
Do you have a dedicated compliance officer or team? Yes / No
3. Cybersecurity Practices
-
Do you have a documented information security policy? Yes / No
-
Are your systems regularly tested for vulnerabilities? Yes / No
-
Do you conduct employee cybersecurity training? Yes / No
-
Do you use multi-factor authentication for system access? Yes / No
-
List any cybersecurity certifications (e.g., ISO 27001, SOC 2): _______________________________
Do you have a documented information security policy? Yes / No
Are your systems regularly tested for vulnerabilities? Yes / No
Do you conduct employee cybersecurity training? Yes / No
Do you use multi-factor authentication for system access? Yes / No
List any cybersecurity certifications (e.g., ISO 27001, SOC 2): _______________________________
4. Data Protection and Privacy
-
Do you comply with data protection regulations such as GDPR or HIPAA? Yes / No
-
Describe your data encryption practices for data at rest and in transit.
-
Do you have a process for securely disposing of sensitive data? Yes / No
-
How do you handle data breach notifications?
Do you comply with data protection regulations such as GDPR or HIPAA? Yes / No
Describe your data encryption practices for data at rest and in transit.
Do you have a process for securely disposing of sensitive data? Yes / No
How do you handle data breach notifications?
5. Compliance and Legal
-
List any regulatory frameworks your organization complies with.
-
Have you faced any regulatory fines or legal actions in the past 5 years? Yes / No
-
Do you maintain records of compliance audits? Yes / No
List any regulatory frameworks your organization complies with.
Have you faced any regulatory fines or legal actions in the past 5 years? Yes / No
Do you maintain records of compliance audits? Yes / No
6. Business Continuity and Disaster Recovery
-
Do you have a documented business continuity plan (BCP)? Yes / No
-
How often do you test your BCP and disaster recovery plan?
-
What is your average recovery time objective (RTO)?
-
Provide a brief description of backup and redundancy systems.
Do you have a documented business continuity plan (BCP)? Yes / No
How often do you test your BCP and disaster recovery plan?
What is your average recovery time objective (RTO)?
Provide a brief description of backup and redundancy systems.
7. Financial Stability
-
Provide a copy of your most recent financial statement.
-
Are there any current or pending bankruptcy proceedings? Yes / No
-
List any insurance policies relevant to risk coverage: _______________________________
Provide a copy of your most recent financial statement.
Are there any current or pending bankruptcy proceedings? Yes / No
List any insurance policies relevant to risk coverage: _______________________________
8. Subcontractor Management
-
Do you use subcontractors to deliver services? Yes / No
-
If yes, describe your process for vetting subcontractors.
-
Are subcontractors required to comply with your security policies? Yes / No
Do you use subcontractors to deliver services? Yes / No
If yes, describe your process for vetting subcontractors.
Are subcontractors required to comply with your security policies? Yes / No
9. Incident Response
-
Do you have a documented incident response plan? Yes / No
-
Describe your process for handling security incidents.
-
Average time to notify clients of a security breach: ______ hours/days.
Do you have a documented incident response plan? Yes / No
Describe your process for handling security incidents.
Average time to notify clients of a security breach: ______ hours/days.
10. Review and Approval
Reviewed by: _______________________________
Title: _______________________________
Date: _______________________________
Risk Rating: Low / Medium / High