40 Questions to Ask During Vendor Due Diligence

Read Our Vendor IT DDQ Checklist

The benefits of outsourcing or co-sourcing can be invaluable to your organization. But with reward, of course, comes risk. And inviting managed IT services providers and other outsourced vendors into your operational enterprise introduces potential vulnerabilities into your environment if you don’t keep a close eye on data access controls and overall security practices.

Our whitepaper, 40 Questions to Ask During Vendor Due Diligence, is an essential guidebook that will help ensure your vendor due diligence checklist includes careful examination of third parties’ information security practices, including:

Governance & Oversight
Risk Assessments & Security Policies
Advanced Threat Protection
Access Control
Incident Response & Recovery
Third Party Risk Management
Regulatory Compliance
and more

Access the Full DDQ Checklist

Complete the form to access the full checklist or keep scrolling for some sample questions to ask your third parties about their cybersecurity practices.

Sample Questions to Ask During Vendor Risk Assessments:

Governance & Oversight of Cybersecurity

Is there a team or personal responsible for your cybersecurity controls, practices and overall program?
What relevant cybersecurity or IT credentials do they hold?
How often are the company’s controls, practices and cybersecurity program reviewed and updated by those responsible?
Can you provide a current SOC 2 report that addresses your existing security controls?

Risk Assessments & Security Policies

When was your most recent cybersecurity risk assessment and/or network vulnerability scan?
What were the results of that assessment?
Has action been taken to remediate any of the risks or gaps identified in the most recent assessment?
Do you perform penetration testing? If so, how often? What were the most recent results?
Do you have a physical security policy that protects your office location(s)? What is the screening process for allowing visitors, contractors and other employees to access your site?

Advanced Threat Protection Controls

What tools or technologies are used for proactive threat monitoring?
Do you have a dedicated individual or team (e.g. Security Operations Center) tasked with monitoring and alerting?
What is your patch management policy/schedule?

Previous ArticleConfronting Cyber Compliance from the C-Suite

Next Article Cybersecurity Risk Management e-Book

Complete the form below to download the whitepaper.

Previous ArticleConfronting Cyber Compliance from the C-Suite

Next Article Cybersecurity Risk Management e-Book

Private Cloud

Public Cloud

Backup & DR

UCaaS

Data Center

Managed Security

Managed Detection & Response

Vulnerability Assessments

EDR +AMTD

End User Training

Zero Trust

Managed Compliance

Cyber Risk Assessment

Data Discovery

Enable SEC Compliance

24×7 Support

NOC/Escalation

IT Consulting

Co-Managed IT

Managed IT Support & Security for Banks & Credit Unions

IT Services for Today’s Manufacturing Companies

IT Services for Healthcare

IT Services for Government & Law Enforcement

IT for Professional Services

IT & Security Services for Nonprofit Organizations

About Us

Leadership

News & Press

Testimonials

Partners

Careers

Tech Insights

Whitepapers

Case Studies

Events

Product Brochures

40 Questions to Ask During Vendor Due Diligence

Read Our Vendor IT DDQ Checklist

Access the Full DDQ Checklist

Sample Questions to Ask During Vendor Risk Assessments: