Vendor Risk Assessment Checklist

Use this Vendor Risk Assessment Checklist to evaluate the risks posed by third-party vendors. It is organized into four question sets: information security and privacy, physical and data center security, web application security, and infrastructure security.

Information Security And Privacy Questions

1. Does your organization process personally identifiable information (PII) or protected health information (PHI)?


Photo Comment

2. Does your organization have a security program? If so, what standards and guidelines does it follow?


Photo Comment

3. Does your information security and privacy program cover all operations, services, and systems that process sensitive data?


Photo Comment

4. Who is responsible for managing your information security and privacy program?


Photo Comment

5. What controls do you employ as part of your information security and privacy program?


Photo Comment

6. Please provide a link to your public information security and/or privacy policy.


Photo Comment

7. Are there any additional details you would like to provide about your information security and privacy program?


Photo Comment

8. What is your process for data classification? What security measures are in place to protect each classification level?


Photo Comment

9. How do you ensure remotely accessed sensitive data (such as data accessed from mobile devices) is secured?


Photo Comment

10. Do you employ any anonymizing techniques, such as data masking? If so, describe the systems in which these techniques are implemented.


Photo Comment

11. Do any of your third-party vendors have access to your sensitive data? If so, what categories of sensitive data do they have access to?


Photo Comment

12. How do you ensure your third-party vendors that process your sensitive data have proper cybersecurity measures in place?


Photo Comment

13. What user authentication techniques or access control strategies are you implementing to prevent unauthorized access?


Photo Comment

14. Do you implement Data Loss Prevention (DLP) strategies to defend against exfiltration?


Photo Comment

15. How do you ensure that only the minimal personal information is collected and processed? How do you define “minimal level”?


Photo Comment
Physical And Data Center Security Questions

1. Are you in a shared office?


Photo Comment

2. Do you review physical and environmental risks?


Photo Comment

3. Do you have procedures in place for business continuity in the event that your office is inaccessible?


Photo Comment

4. Do you have a written policy for physical security requirements for your office?


Photo Comment

5. Is your network equipment physically secured?


Photo Comment

6. What data center providers do you use, if any?


Photo Comment

7. How many data centers store sensitive data?


Photo Comment

8. What countries are data centers located in?


Photo Comment

9. Are your data centers certified by any industry standards (e.g., ISO 27001, SSAE 16)?


Photo Comment

10. Are there any additional details you would like to provide about your physical and data center security program?


Photo Comment

11. Where is sensitive information physically stored?


Photo Comment

12. Is physically stored sensitive information segmented from general access network regions?


Photo Comment

13. How do you ensure the security of any personal data transferred between physical devices?


Photo Comment

14. Do you have any surveillance cameras in place? Where are they positioned, and how long is the footage retained?


Photo Comment

15. Are any of your surveillance devices IoTs?


Photo Comment

16. How often do you conduct physical security audits?


Photo Comment
Web Application Security Questions

1. What is the name of your application? And what does it do?


Photo Comment

2. Do you have a bug bounty program or other way to report vulnerabilities?


Photo Comment

3. Does your application have a valid SSL certificate to prevent man-in-the-middle attacks?


Photo Comment

4. Does your application require login credentials?


Photo Comment

5. How do users get their initial password?


Photo Comment

6. Do you have minimum password security standards?


Photo Comment

7. How do you store passwords?


Photo Comment

8. Do you offer single sign-on (SSO)?


Photo Comment

9. How can users recover their credentials?


Photo Comment

10. Does your application employ a defense-in-depth strategy?


Photo Comment

11. How do you regularly scan CVE for known vulnerabilities?


Photo Comment

12. How do you do quality assurance?


Photo Comment

13. How do you ensure data is transferred securely between APIs and other third-party integrations?


Photo Comment

14. Do you have a Web Application Firewall (WAF) implemented?


Photo Comment

15. How do you track end-of-life web server software and outdated web dev libraries?


Photo Comment

16. Do you employ penetration testing to test the integrity of sensitive data security controls?


Photo Comment

17. Who can we contact for more information related to your web application security?


Photo Comment

18. How do you ensure the timely installation of web application security patches?


Photo Comment

19. What types of data processing activities do you perform for different types of users (visitors, customers, etc.)?


Photo Comment

20. How do you ensure separation of duties in your application development and deployment processes?


Photo Comment

21. How do you gather user consent to process personal data?


Photo Comment

22. What measures are in place to prevent session hijacking?


Photo Comment

23. Do you implement input validation measures to prevent input-based attacks, such as SQL injection, keylogging, and Cross-Site Scripting (XSS)?


Photo Comment
Infrastructure Security Questions

1. Do you have a written network security policy?


Photo Comment

2. Have you ever experienced a data breach? If so, what was the impact, and how was it addressed?


Photo Comment

3. Do you use a VPN?


Photo Comment

4. Do you employ server hardening?


Photo Comment

5. How do you keep your server operating systems patched?


Photo Comment

6. Do you log security events?


Photo Comment

7. What operating systems are used on your servers?


Photo Comment

8. Do you back up your data?


Photo Comment

9. How do you store backups?


Photo Comment

10. Do you segment your network to obfuscate access to sensitive resources?


Photo Comment

11. Do you test backups?


Photo Comment

12. Who manages your email infrastructure?


Photo Comment

13. How do they prevent email spoofing? e.g. DMARC


Photo Comment

14. Do you employ intrusion detection and prevention systems (IDPS)?


Photo Comment

15. How do you handle end-of-life hardware and ensure data is securely wiped?


Photo Comment

16. How do you protect employee devices from ransomware and other types of malware?


Photo Comment

17. What operating systems do employee devices use?


Photo Comment

18. Are employee devices encrypted?


Photo Comment

19. Are user logins managed in a centralized solution?


Photo Comment

20. How do you ensure secure configurations for all network devices, including routers, switches, and firewalls?


Photo Comment

21. How do you monitor for suspicious activities or infrastructure anomalies?


Photo Comment

22. Do you have an Incident Response Plan plan in place? How often is it tested?


Photo Comment

23. Do you have a disaster recovery plan in place? How often is it tested?


Photo Comment

24. How often do you review and update firewall rules and configurations?


Photo Comment

25. Do you employ a third party to test your infrastructure security?


Photo Comment

26. Who can we contact regarding infrastructure security?


Photo Comment

27. What security measures are in place to defend against malware injections, ransomware attacks, and other malicious threats?


Photo Comment
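The email-spoofing question above is one of the few on this checklist that can be verified independently of the vendor's answer: the DMARC policy is published in DNS. The following is an added example written for this page (not code from the checklist or from GoAudits) that parses a DMARC TXT record and reports whether the policy actually enforces. The sample records are constructed and do not belong to any real domain; to check a real vendor, fetch the record with `dig +short txt _dmarc.<vendor-domain>` and pass it to `assess_dmarc`.

```python
"""Added example: rating a DMARC record from the vendor's domain.

Constructed illustration, not code from the checklist or from GoAudits.
Parses the tag=value syntax of a DMARC TXT record (RFC 7489) and flags
the common ways a record exists without protecting anything.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    valid: bool
    policy: str               # "none", "quarantine", "reject", or "" if invalid
    subdomain_policy: str     # sp= tag, defaulting to p= per RFC 7489
    pct: int                  # share of failing mail the policy applies to
    has_reporting: bool       # rua= or ruf= present
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return an assessment of one DMARC record; findings are reviewer-facing strings."""
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if not record.strip().upper().startswith("V=DMARC1"):
        return DmarcAssessment(False, "", "", 0, False, ["missing or misplaced v=DMARC1"])
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(False, "", "", 0, False, ["missing or invalid p= tag"])

    findings = []
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))   # RFC default is 100
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    has_reporting = "rua" in tags or "ruf" in tags

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if subdomain_policy == "none" and policy != "none":
        findings.append("subdomains are unprotected (sp=none)")
    if pct < 100:
        findings.append(f"only {pct}% of failing mail is subject to the policy")
    if not has_reporting:
        findings.append("no rua/ruf address, so failures are not being observed")
    return DmarcAssessment(True, policy, subdomain_policy, pct, has_reporting, findings)


# Constructed sample records for illustration; not any real domain's records.
SAMPLES = {
    "enforcing":    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken":       "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        a = assess_dmarc(rec)
        print(f"{name}: valid={a.valid} p={a.policy!r} findings={a.findings}")
```

A vendor that answers "we use DMARC" but publishes the `monitor_only` or `partial` form has a record, not a control; note the findings in the assessment and ask for the date by which `p=reject` (or at least `p=quarantine` at `pct=100`) will be in place. DMARC also depends on SPF and DKIM being configured for the sending services, which this check does not cover.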

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
