
Security Questionnaires Comparison – A Guide to Refining Your Risk Assessments

Published by Sabrina Pagnotta on August 20, 2021
Categories
  • Blog
Tags
  • TPRM Best Practices
security questionnaires

When assessing a third party vendor’s security posture, there are many industry standards and security questionnaires like SIG, SOC, or CAIQ that can be used, as well as industry-specific laws and regulations. Do you need them all? Which ones are more suitable to your risk assessment framework?

This security questionnaires comparison guide will come in handy to decide which security questionnaires you need to include in your third party risk management (TPRM) program. It will also help you ask the right questions to establish more secure third party relations.


What is a Security Questionnaire?

Security questionnaires are sets of technical questions to determine an organization’s security and compliance posture. They vary in length according to their scope and objective, ranging anywhere from 100 to 400 questions about security policies and procedures.

The ultimate goal of security questionnaires is to determine if a third party vendor can be trusted to adequately protect sensitive customer information. It’s a way of validating their security stance with a written assessment based on tried and true controls.

An industry standard questionnaire created by a trusted entity can be used as the starting point, but you can tailor it based on your organization’s needs or even create your own custom questionnaire to collect the data you need for your assessment.

Requesting your vendors to respond to security questionnaires and/or show other certifications, like a pentest, is considered a cybersecurity best practice across most industries today. Needless to say, it is one of the key initiatives of a TPRM program, followed by risk remediation and mitigation, and continuous monitoring throughout the relationship.

Read More: TPRM FAQs - The ultimate guide to secure your vendor ecosystem

What are the most common security questionnaires?

These are some of the most used industry standard security assessment methodologies:


Consensus Assessments Initiative Questionnaire (CAIQ)

The CAIQ was developed by the Cloud Security Alliance, a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing.

It provides a set of Yes/No questions for cloud service providers, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings, to determine if their cloud practices are reliably secure.

Its latest version has been recently combined with the Cloud Controls Matrix, comprising a cybersecurity control framework for cloud computing. The Matrix is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. This makes it a de-facto standard for cloud security assurance and compliance.


CIS Controls

The Center for Internet Security (CIS) is a non-profit entity that aims to safeguard private and public organizations against cyber threats.

The assessments formerly known as the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls were recently consolidated and are now officially called the CIS Controls. After a revision of terminology and grouping of safeguards, the number of controls was reduced from 20 to 18.

The CIS Controls are a prioritized set of actions to protect critical systems and data from common cyber attacks. They map to most major frameworks such as the NIST Cybersecurity Framework, NIST 800-53, the ISO 27000 series, and regulations like PCI DSS, HIPAA, NERC CIP, and FISMA.


Standardized Information Gathering Questionnaire (SIG Core & SIG Lite)

Developed by Shared Assessments, the SIG Questionnaire evaluates vendors based on 18 individual risk controls to define how they manage security risks. It is updated every year, reflecting new security and privacy challenges.

There are two variants:

  • SIG Core, the full set of extensive questions including topics like GDPR and other specific compliance regulations.
  • SIG Lite, a simplified assessment for vendors with lower inherent risk, that focuses on the most high-level questions.

NIST 800-171

The National Institute of Standards and Technology (NIST) developed the NIST 800-171 questionnaire to provide guidance on cybersecurity and privacy for firms serving the U.S. federal government. This ensures that Controlled Unclassified Information (CUI) remains unaltered and confidential in any non-federal system.

Organizations that provide solutions, services or products to the Department of Defense (DoD), the General Services Administration (GSA), or the National Aeronautics and Space Administration (NASA) must comply with it.


Why you need security questionnaires in your TPRM program

Your company is probably working with dozens or hundreds of third party vendors managing all kinds of business processes. While this helps to achieve business goals, it also increases the cyber risk surface as vendors access your network and sensitive data while performing their service.

Your customers trust you with their sensitive data and expect you to have adequate data protection safeguards, both internally within your organization's perimeter, and also externally.

However, vendor-caused security incidents such as data breaches have become incredibly common, with Kaseya and SolarWinds as the latest headlines. This makes vendor risk assessments and third party risk management in general a strategic business need, one capable of differentiating your company as one that takes security seriously and thus helping drive more revenue.


How to start using security questionnaires in your vendor risk assessments

The ThirdPartyTrust TPRM platform allows you to set up all these questionnaires and more as part of your vendor risk assessment lifecycle. In addition, you can create your own custom questionnaires, because one size does not fit all and you can’t subject all third parties to the same set of questions.

Then, you can use their responses and any other security documentation they provide, and complement that with the integrated security ratings we provide, to get additional intelligence on their privacy and security policies, their financial strength, data breach history, and more.

This all happens in one place so you get the full third party risk picture, thus helping you develop more robust vendor relationships and maintain a secure supply chain.

Conversely, third party vendors can use the ThirdPartyTrust platform to build a single security profile, where they centralize their updated responses to all these questionnaires, certifications, and attestations.

Whenever an enterprise customer asks for a SIG or SOC report, the vendor just invites them to review those documents that are already hosted in the security profile, thus avoiding starting from scratch on every assessment or using emails and spreadsheets to answer questions.

Are you ready to refine your vendor risk assessments? Talk to a ThirdPartyTrust expert and take your TPRM to the next level.

Sabrina Pagnotta, Sr. Content Strategist