Introducing Referent AI-native practice management software for modern law firms.

Explore Referent

Third-Party Risk Assessment: Vendor Due Diligence Guide

  • Typical length: 4-6 pages
  • AI Assisted
  • Export: PDF & DOCX
  • Multi-jurisdiction ready
Get your custom agreement in minutes Create Agreement
4.8 Rating Downloaded 4740 times
Google For Startups NVIDIA Inception Program

Third-Party Risk Assessment Questionnaire Template

This Third-Party Risk Assessment Questionnaire is designed to help organizations evaluate the risks associated with vendors, suppliers, and service providers. All sections should be completed by the vendor and reviewed by the organization’s risk management team.

1. Vendor Information

  • Company Name: _______________________________

  • Address: _______________________________

  • Contact Person: _______________________________

  • Email: _______________________________

  • Phone: _______________________________

  • Service Provided: _______________________________

Company Name: _______________________________

Address: _______________________________

Contact Person: _______________________________

Email: _______________________________

Phone: _______________________________

Service Provided: _______________________________

2. Company Overview and Governance

  • Year established: ___________________________

  • Number of employees: _______________________

  • Describe your company’s governance structure and key executives.

  • Do you have a dedicated compliance officer or team? Yes / No

Year established: ___________________________

Number of employees: _______________________

Describe your company’s governance structure and key executives.

Do you have a dedicated compliance officer or team? Yes / No

3. Cybersecurity Practices

  • Do you have a documented information security policy? Yes / No

  • Are your systems regularly tested for vulnerabilities? Yes / No

  • Do you conduct employee cybersecurity training? Yes / No

  • Do you use multi-factor authentication for system access? Yes / No

  • List any cybersecurity certifications (e.g., ISO 27001, SOC 2): _______________________________

Do you have a documented information security policy? Yes / No

Are your systems regularly tested for vulnerabilities? Yes / No

Do you conduct employee cybersecurity training? Yes / No

Do you use multi-factor authentication for system access? Yes / No

List any cybersecurity certifications (e.g., ISO 27001, SOC 2): _______________________________

4. Data Protection and Privacy

  • Do you comply with data protection regulations such as GDPR or HIPAA? Yes / No

  • Describe your data encryption practices for data at rest and in transit.

  • Do you have a process for securely disposing of sensitive data? Yes / No

  • How do you handle data breach notifications?

Do you comply with data protection regulations such as GDPR or HIPAA? Yes / No

Describe your data encryption practices for data at rest and in transit.

Do you have a process for securely disposing of sensitive data? Yes / No

How do you handle data breach notifications?

  • List any regulatory frameworks your organization complies with.

  • Have you faced any regulatory fines or legal actions in the past 5 years? Yes / No

  • Do you maintain records of compliance audits? Yes / No

List any regulatory frameworks your organization complies with.

Have you faced any regulatory fines or legal actions in the past 5 years? Yes / No

Do you maintain records of compliance audits? Yes / No

6. Business Continuity and Disaster Recovery

  • Do you have a documented business continuity plan (BCP)? Yes / No

  • How often do you test your BCP and disaster recovery plan?

  • What is your average recovery time objective (RTO)?

  • Provide a brief description of backup and redundancy systems.

Do you have a documented business continuity plan (BCP)? Yes / No

How often do you test your BCP and disaster recovery plan?

What is your average recovery time objective (RTO)?

Provide a brief description of backup and redundancy systems.

7. Financial Stability

  • Provide a copy of your most recent financial statement.

  • Are there any current or pending bankruptcy proceedings? Yes / No

  • List any insurance policies relevant to risk coverage: _______________________________

Provide a copy of your most recent financial statement.

Are there any current or pending bankruptcy proceedings? Yes / No

List any insurance policies relevant to risk coverage: _______________________________

8. Subcontractor Management

  • Do you use subcontractors to deliver services? Yes / No

  • If yes, describe your process for vetting subcontractors.

  • Are subcontractors required to comply with your security policies? Yes / No

Do you use subcontractors to deliver services? Yes / No

If yes, describe your process for vetting subcontractors.

Are subcontractors required to comply with your security policies? Yes / No

9. Incident Response

  • Do you have a documented incident response plan? Yes / No

  • Describe your process for handling security incidents.

  • Average time to notify clients of a security breach: ______ hours/days.

Do you have a documented incident response plan? Yes / No

Describe your process for handling security incidents.

Average time to notify clients of a security breach: ______ hours/days.

10. Review and Approval

Reviewed by: _______________________________

Title: _______________________________

Date: _______________________________

Risk Rating: Low / Medium / High

Download Free Template

Get your complete
agreement in minutes

Select template illustration
Select a template

Each template already follows legal structure and best practices.

Provide details illustration
Provide details

The agreement is automatically filled and adapted to your inputs.

Review & download illustration
Review & download

Check the generated document, make edits if needed, and download a ready-to-use agreement.

Details

Learn more about

Third-Party Risk Assessment: Vendor Due Diligence Guide

Click below for detailed info on the template.
For quick answers, scroll below to see the FAQ.

Learn more

Frequently asked

Third-Party Risk Assessment — quick answers

01

What is a Third-Party Risk Assessment Questionnaire?

It’s a document that organizations use to evaluate the risks associated with vendors, suppliers, or other third-party service providers. It helps determine whether a third party meets the organization’s security, compliance, and operational standards.

02

Why is this questionnaire important?

Third-party relationships often involve shared data and systems, making them potential sources of cybersecurity threats, regulatory non-compliance, and operational disruptions. A structured questionnaire helps identify weak points before they become issues.

03

When should you use this questionnaire?

Use it when onboarding new vendors, renewing contracts, or periodically auditing existing third-party relationships.

04

What areas should be covered in a Third-Party Risk Assessment Questionnaire?

It should cover cybersecurity practices, data protection measures, legal compliance, business continuity planning, and financial stability of the third party.

05

Does this questionnaire help with regulatory compliance?

Yes. It supports compliance with frameworks like GDPR, HIPAA, SOC 2, and ISO 27001 by documenting vendor security practices and risk management processes.

06

Need a customized Third-Party Risk Assessment Questionnaire?

Use our AI-powered builder to generate a tailored questionnaire in minutes — professional, compliant, and ready to use.

Similar templates

Other templates from

Policy and Compliance Documents