Vendor security questionnaire — free template
A ready-to-use third-party security assessment questionnaire · 20 questions across security, compliance & operations · updated June 2026
Evaluating a supplier before you buy? Start here. These are the questions that actually matter — grouped into Security, Compliance and Operations, each with a one-line note on why it matters. A practical, lightweight alternative to heavyweight frameworks like SIG and CAIQ — copy or download it free, or fill it in with live vulnerability data.
Create a free assessment: answer these questions and IsItPatched adds an independently-verified layer (open CVEs, CISA KEV exploitation, end-of-life) for the product you’re evaluating — kept separate from the vendor’s answers, and exportable.
Security
- Single sign-on (SSO / SAML / OIDC): Centralises authentication so access is granted, revoked and audited in one place, and cut off immediately when someone leaves. Check whether SSO is on every tier or only an enterprise add-on.
- Multi-factor authentication (MFA): Blocks the credential-stuffing and phishing attacks behind most account takeovers, even after a password leaks. Ask which factors are supported: phishing-resistant ones (FIDO2/WebAuthn) hold up where SMS and one-time codes can be defeated by real-time phishing proxies and push fatigue.
- Role-based access control (RBAC): Limits each user to what their role needs, containing the blast radius if an account is compromised.
- Audit logs: Let you reconstruct who did what after an incident, and spot misuse before one. Ask about retention period and whether logs can be exported or streamed to your own SIEM.
- Encryption at rest: Protects stored data if disks, backups or a database are stolen or exposed. Ask where keys live (cloud KMS or HSM) and whether customer-managed keys are offered; disk-level encryption alone does not protect data read through a compromised application.
- Encryption in transit: Stops data being intercepted between you and the vendor, and between their internal services. Check that TLS 1.2 or later is enforced, including on service-to-service links.
- Documented incident-response plan: A tested plan is the difference between a contained incident and a chaotic breach. Ask for the customer-notification timeline and get it into the contract.
- Penetration test in the last 12 months: Independent testing finds exploitable issues that internal reviews miss. Ask for the summary report or attestation letter, the scope tested, and whether findings were remediated.
Compliance · Held? Add scope / expiry in the note.
- ISO/IEC 27001: Independent certification that the vendor runs a managed information-security program (ISMS). Check that the certificate scope actually covers the product and hosting environment you would use.
- SOC 2 (Type I / II): An independent auditor's report on security controls. Type I covers control design at a point in time; Type II covers whether the controls operated effectively over a period, typically 6 to 12 months. Read the exceptions section, not just the opinion.
- GDPR: Governs how EU personal data is handled (the UK has its own near-identical UK GDPR) and applies if any personal data flows through the product. It is a law, not a certificate: ask for the vendor's Data Processing Agreement (DPA).
- Cyber Essentials / Plus: A UK baseline certification covering five core technical control areas (firewalls, secure configuration, access control, malware protection and security updates); Plus adds independent testing. Often required for public-sector work.
- PCI-DSS: Required if the product stores, processes or transmits payment-card data. Ask for the Attestation of Compliance (AoC) and which services it covers.
- HIPAA: Required if the product touches US protected health information (PHI). The vendor must be willing to sign a Business Associate Agreement (BAA).
Operations
- SLA available: A committed uptime/response target you can hold them to, and a basis for credits if missed. Check how "downtime" is defined and whether scheduled maintenance is excluded.
- Public status page: Transparent, real-time visibility into outages and incidents without raising a ticket.
- Disaster recovery (DR) documented: Shows they can recover the service after a major failure, and how long that takes (RTO, the recovery time objective) and how much data could be lost (RPO, the recovery point objective). Ask when the plan was last exercised.
- Backup strategy documented: Determines whether your data can be restored after corruption, deletion or ransomware. Ask whether backups are kept offline or immutable and whether restores are tested.
- Data residency options: Controls which country/region your data is stored in, often a legal or contractual requirement. Confirm the backups and support access follow the same residency rules.
- Sub-processor list available: Reveals the third parties that can access your data; your risk extends to their supply chain. Ask whether you are notified before new sub-processors are added.
What a questionnaire can’t tell you
A questionnaire is self-reported — it captures what a vendor says, not what’s independently true of the software you’d run. It won’t tell you whether that product has open critical CVEs, is being actively exploited right now, or is past end-of-life. That’s the gap IsItPatched fills:
- Create a free assessment — this questionnaire + verified vulnerability data, side by side.
- What an SBOM tells you that a questionnaire can’t — the independent layer explained.
- SOC 2 vs ISO 27001 — which certification to ask a vendor for, and why.
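The pairing described above, done by hand, as an added illustration for this page (not IsItPatched's own code): one record holds the vendor's self-reported answers untouched, a second record holds what the public feeds say, and only the second drives the flags. The record shapes follow the public JSON endpoints a practitioner would actually pull (the CISA KEV catalog, the endoflife.date product API, the FIRST EPSS API), but every row below is constructed sample data: the vendor "ExampleCo", the product "Example Gateway" and CVE-0000-0000 are placeholders that do not exist. The edge case worth noticing is endoflife.date's `eol` field, which is a date string for most cycles but a bare boolean when no date has been published.

```python
"""Combine self-reported questionnaire answers with independent feed data,
keeping the two layers separate. Added example; all records are CONSTRUCTED
samples in the shape of the real public feeds, not real vulnerability data."""
from __future__ import annotations

import json
from datetime import date

# Layer 1: what the vendor told us. Stored as given; never marked "verified".
VENDOR_ANSWERS = {
    "mfa": {"answer": "yes", "note": "TOTP and FIDO2 security keys"},
    "pentest_last_12_months": {"answer": "yes", "note": "Report dated 2026-02, findings closed"},
    "sso": {"answer": "no", "note": "SAML on enterprise tier only"},
}

# Layer 2a: CISA KEV catalog (known_exploited_vulnerabilities.json shape). Constructed sample.
KEV_CATALOG = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Example Gateway",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Known"}
  ]
}""")

# Layer 2b: endoflife.date /api/<product>.json shape. "eol" is a date string,
# or a boolean when no date is published (false = no EOL date set). Constructed sample.
EOL_CYCLES = json.loads("""[
  {"cycle": "3", "releaseDate": "2025-01-15", "eol": false, "latest": "3.4.1"},
  {"cycle": "2", "releaseDate": "2022-06-01", "eol": "2025-06-01", "latest": "2.9.7"}
]""")

# Layer 2c: FIRST EPSS /data/v1/epss?cve=... shape. Scores arrive as strings. Constructed sample.
EPSS = json.loads('{"data": [{"cve": "CVE-0000-0000", "epss": "0.87", "percentile": "0.99"}]}')


def kev_hits(catalog: dict, vendor: str, product: str) -> list[dict]:
    """KEV entries for this vendor/product; the feed's casing is not always consistent."""
    return [v for v in catalog["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()
            and v["product"].lower() == product.lower()]


def find_cycle(cycles: list[dict], version: str) -> dict | None:
    """Map a concrete version to its release cycle ("2.9.7" belongs to cycle "2")."""
    for c in cycles:
        if version == c["cycle"] or version.startswith(c["cycle"] + "."):
            return c
    return None


def cycle_is_eol(cycle: dict, today: date) -> bool | None:
    """True if the cycle is past end-of-life, False if not, None if the feed has no answer."""
    eol = cycle.get("eol")
    if isinstance(eol, bool):          # true = already EOL, false = no EOL date announced
        return eol
    if isinstance(eol, str):
        return date.fromisoformat(eol) <= today
    return None


def epss_score(payload: dict, cve_id: str) -> float | None:
    for row in payload["data"]:
        if row["cve"] == cve_id:
            return float(row["epss"])
    return None


def build_assessment(vendor: str, product: str, version: str, today: str = "2026-06-01",
                     answers: dict = VENDOR_ANSWERS, kev: dict = KEV_CATALOG,
                     cycles: list = EOL_CYCLES, epss: dict = EPSS) -> dict:
    """Return the two layers side by side. Flags are derived only from the independent layer."""
    as_of = date.fromisoformat(today)
    hits = kev_hits(kev, vendor, product)
    cycle = find_cycle(cycles, version)
    independent = {
        "kev": [{"cve": h["cveID"], "due": h["dueDate"],
                 "ransomware": h["knownRansomwareCampaignUse"] == "Known",
                 "epss": epss_score(epss, h["cveID"])} for h in hits],
        "cycle": cycle["cycle"] if cycle else None,
        "end_of_life": cycle_is_eol(cycle, as_of) if cycle else None,
    }
    flags = []
    if independent["kev"]:
        flags.append(f"{len(hits)} CVE(s) in CISA KEV (actively exploited)")
    if independent["end_of_life"]:
        flags.append(f"version {version} is past end-of-life")
    elif independent["end_of_life"] is None:
        flags.append("lifecycle status unknown: no matching release cycle")
    return {"self_reported": dict(answers), "independent": independent, "flags": flags}


if __name__ == "__main__":
    print(json.dumps(build_assessment("ExampleCo", "Example Gateway", "2.9.7"), indent=2))
```

Swapping the constructed samples for the real downloads (the KEV JSON from CISA, `https://endoflife.date/api/<product>.json`, and the EPSS query for each KEV CVE) is the only change needed to run this against a real product; the vendor's answers stay exactly as submitted either way.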
Frequently asked questions
What is a vendor security questionnaire?
A vendor (or third-party) security questionnaire is a structured set of questions a buyer sends a supplier to assess the security, compliance and operational maturity of a product before purchase. It typically covers access control and encryption, certifications like SOC 2 and ISO 27001, and operational practices like backups, disaster recovery and SLAs.
What should a vendor security questionnaire include?
A practical baseline covers three areas: Security (SSO, MFA, RBAC, audit logs, encryption at rest and in transit, incident response, recent penetration testing), Compliance (ISO 27001, SOC 2, GDPR, Cyber Essentials, PCI-DSS, HIPAA — with scope and expiry), and Operations (SLA, public status page, disaster recovery, backups, data residency, sub-processor list). This free template includes all 20.
Is a questionnaire enough to assess a vendor?
No. A questionnaire captures what the vendor says about themselves — it is self-reported and unverified. It tells you nothing about the known vulnerabilities, active exploitation or end-of-life status of the actual software you would run. Pair the questionnaire with independent software-composition data (which IsItPatched adds automatically) for a fuller picture.
How is this different from just a checklist?
You can copy these questions into a spreadsheet for free. The difference with IsItPatched is that when you create an assessment from this template, it adds an independently-verified layer — open critical/high CVEs, CISA KEV exploitation status and end-of-life — for the product you are evaluating, kept visually separate from the vendor’s self-reported answers, and exportable for your procurement file.
This template is a free, vendor-neutral resource. The questions are self-reported by the vendor and are not verified by IsItPatched. When you create an assessment, IsItPatched independently verifies only the software-composition layer (NVD, CISA KEV, EPSS, endoflife.date), shown separately. Not legal or compliance advice. See our disclaimer.