IT Supplier Risk Management

This post discusses some topics about information technology (IT) supplier risk management (SRM) or Supply Chain Risk Management (SCRM).

This post can be considered part of the series about supply chain IT security.

Related terms are provider management and IT vendor risk management.

Vendor lock-in

Vendor lockout is the loss of access to resources because the provider has ceased operations.

Post to IT Security Product Compiance lists

Standard Contracting Agreements

A master services agreement (MSA) is an umbrella document that governs many different projects conducted by the same service provider.

A statement of work (SOW) describes each project under a MSA.

A business partnership agreemeent (BPA) is used todefine the terms of a joint venture.

A memorandum of understanding (MOU) is an informal document describing the relationship between two organizations or business units of the same organization.

Certifications that could be used on Vendor IT Risk Management

Some organizations accept these certifications as proofs of cybersecurity risk management:

  • ISO/IEC 27001
  • SOC 2 Type II
  • Spain’s Esquema Nacional de Seguridad (ENS)
  • LEET Security Assessment

Vendor IT Risk Management Questionnaire Templates

There are questionnaires aimed to providers to assess their level of IT security.

You can also take into account IT security frameworks and IT security controls.

Vendor risk management questionnaire templates:

  • SecurityScorecard


SecurityScorecard offers a free vendor risk management questionnaire template.

Security Scorecard Template


The Consensus Assessments Initiative Questionnaire (CAIQ) is aimed to assess the IT security level of cloud service providers (CSP).

As of 2024, its latest version is v4.

It is published by the Cloud Security Alliance (CSA).

CAIQ has been integrated into the Cloud Security Matrix (CSM), and the questionnaire is available within the bundle.

CMS official website

CAIQ v4 download site

In addition, the CSA STAR registry contains all vendors that have applied. You can download it on this external link.

Questions for Vendors that could be included in Provider Questionnaire

The increased use of cloud services and other external vendors to store, process, and transmit sensitive information leads organizations to a new focus on implementing security reviews and controls in their contracting and procurement processes.

Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process, and as part of ongoing vendor governance reviews.

Some questions to cover during these vendor governance reviews include

  • What types of sensitive information are stored, processed, or transmitted by the vendor?
  • What controls are in place to protect the organization’s information?
  • How is our organization’s information segregated from that of other clients?
  • If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?
  • What types of security audits does the vendor perform and what access does the client have to those audits?
  • Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?
  • Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?
  • What is the vendor’s incident response process and when will clients be notified of a potential security breach?
  • What provisions are in place to ensure the ongoing integrity and availability of client data?
  • Does the vendor possess any business continuity plan (BCP) or disaster recovery plan (DRP)?
  • Is identity and access management (IAM) applied by the vendor?
  • Which security controls are applied on operational procedures?

IT Security Vendor Risk Management Questionnaire Providers

You can find a list of IT security risk questionnaire providers on this post.

You might also be interested in…

External References

Leave a Reply

Your email address will not be published. Required fields are marked *