
40 Questions to Ask During Vendor Due Diligence


The benefits of outsourcing or co-sourcing can be invaluable to your organization. But with reward, of course, comes risk. Inviting managed IT services providers and other outsourced vendors into your operational enterprise introduces potential vulnerabilities into your environment if you don’t keep a close eye on their data access controls and overall security practices.

Our whitepaper, 40 Questions to Ask During Vendor Due Diligence, is an essential guidebook that will help ensure your vendor due diligence checklist includes careful examination of third parties’ information security practices, including:

  • Governance & Oversight
  • Risk Assessments & Security Policies
  • Advanced Threat Protection
  • Access Control
  • Incident Response & Recovery
  • Third Party Risk Management
  • Regulatory Compliance
  • and more


Complete the form to access the full checklist or keep scrolling for some sample questions to ask your third parties about their cybersecurity practices.

Sample Questions to Ask During Vendor Risk Assessments:

Governance & Oversight of Cybersecurity

  • Is there a team or person responsible for your cybersecurity controls, practices and overall program?
  • What relevant cybersecurity or IT credentials do they hold?
  • How often are the company’s controls, practices and cybersecurity program reviewed and updated by those responsible?
  • Can you provide a current SOC 2 report that addresses your existing security controls?

Risk Assessments & Security Policies

  • When was your most recent cybersecurity risk assessment and/or network vulnerability scan?
  • What were the results of that assessment?
  • Has action been taken to remediate any of the risks or gaps identified in the most recent assessment?
  • Do you perform penetration testing? If so, how often? What were the most recent results?
  • Do you have a physical security policy that protects your office location(s)? What is the screening process for allowing visitors, contractors and other employees to access your site?

Advanced Threat Protection Controls

  • What tools or technologies are used for proactive threat monitoring?
  • Do you have a dedicated individual or team (e.g. Security Operations Center) tasked with monitoring and alerting?
  • What is your patch management policy/schedule?