Vendor Risk Assessment Questionnaire: Complete Guide with 50 Key Questions 2026
A vendor risk assessment questionnaire is the single most important document in your third-party risk management programme. It is how you translate your risk appetite into measurable, comparable data across your entire vendor population. Yet research shows that over 40% of organisations still rely on outdated, generic questionnaires that miss entire risk domains — leaving critical gaps in visibility precisely where regulators and auditors are looking hardest. This guide gives you a complete, framework-aligned questionnaire structure for 2026, with 50 essential questions across every major risk domain, and practical guidance on how to score and act on the responses.
What Is a Vendor Risk Assessment Questionnaire and Why It Matters
A vendor risk assessment questionnaire is a structured set of questions sent to third-party vendors to evaluate their security posture, compliance status, operational resilience, and financial stability. It is the primary due diligence instrument in the vendor lifecycle — used at onboarding to establish a baseline risk rating, and periodically thereafter to detect changes that could affect your risk exposure.
According to guidance from the NIST Cybersecurity Framework 2.0, effective supply chain risk management requires that organisations identify, assess, and respond to the risks introduced by their third-party relationships — and a well-designed questionnaire is the primary mechanism for executing that assessment at scale. Regulators under DORA, FFIEC, and GDPR Article 28 all expect documented evidence of vendor due diligence, and questionnaire responses — with documented follow-up — constitute that evidence.
The 6 Core Risk Domains Every Questionnaire Must Cover
A comprehensive vendor risk assessment questionnaire in 2026 should span all six of these domains. Omitting any one of them creates a blind spot that could be exploited or flagged in an audit.
Domain 1: Cybersecurity Controls (15 Questions)
- Does the vendor maintain an information security policy reviewed at least annually?
- Has the vendor achieved ISO 27001 certification, SOC 2 Type II, or an equivalent standard? If so, provide the most recent certificate or report.
- Does the vendor enforce multi-factor authentication (MFA) for all remote access and privileged accounts?
- What is the vendor’s process for applying critical security patches — what is the maximum time from patch release to deployment?
- Does the vendor conduct annual penetration testing by an independent third party? Are results available for review?
- How does the vendor manage and monitor privileged access to systems holding your data?
- What encryption standards are applied to data at rest and in transit?
- Does the vendor operate a formal vulnerability management programme with tracked remediation timelines?
- What endpoint detection and response (EDR) tools are deployed across the vendor’s environment?
- Is the vendor’s network segmented to isolate systems holding your data from the broader internal environment?
- Does the vendor conduct regular security awareness training for all staff, including phishing simulations?
- What is the vendor’s process for detecting and responding to insider threats?
- Does the vendor maintain a formal asset inventory covering all hardware and software in scope?
- How does the vendor handle secure disposal or return of your data and equipment at contract end?
- Has the vendor experienced any confirmed security incidents in the past 24 months? If so, provide a summary.
Domain 2: Data Protection and Privacy (10 Questions)
- What categories of personal data will the vendor process on your behalf, and under what legal basis?
- Where will your data be stored and processed geographically? Does this change under any sub-contractor arrangements?
- Does the vendor maintain a data processing agreement (DPA) that complies with GDPR or UK GDPR requirements?
- What is the vendor’s data retention and deletion policy for your data after contract termination?
- Has the vendor appointed a Data Protection Officer (DPO) where required under applicable law?
- What mechanisms are in place to support data subject rights (access, erasure, portability) relating to your data?
- Has the vendor suffered a personal data breach in the past 24 months that required regulatory notification?
- Does the vendor conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities?
- How does the vendor handle cross-border data transfers, and what transfer mechanisms are in place?
- Does the vendor apply data minimisation principles — processing only the data strictly necessary for service delivery?
Domain 3: Business Continuity and Operational Resilience (8 Questions)
- Does the vendor maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that have been tested in the past 12 months?
- What is the vendor’s Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems?
- Does the vendor operate from geographically redundant data centres or infrastructure?
- What is the vendor’s process for notifying customers of service outages or degradation?
- Has the vendor experienced any significant service outage (more than 4 hours of downtime) in the past 12 months?
- How does the vendor manage concentration risk — are there single points of failure in its technology or supply chain?
- Does the vendor conduct tabletop exercises or live simulations of major incident scenarios?
- What third-party dependencies (cloud providers, infrastructure vendors) could affect service delivery to your organisation?
Domain 4: Compliance and Regulatory (8 Questions)
- Which regulatory frameworks and standards relevant to your sector does the vendor certify against or comply with?
- Has the vendor been subject to any regulatory investigation, enforcement action, or significant fine in the past 36 months?
- Does the vendor maintain documented compliance with DORA requirements (where applicable as an ICT service provider)?
- How does the vendor stay current with changes to applicable laws and regulations, and how are those changes reflected in controls?
- Does the vendor conduct annual internal audits of its compliance posture, with documented findings and remediation?
- What export control or sanctions screening processes does the vendor apply to its own supply chain and personnel?
- Does the vendor maintain an anti-bribery and corruption policy aligned to applicable legislation?
- Has the vendor’s compliance programme been reviewed by an independent external auditor in the past 24 months?
Domain 5: Third- and Fourth-Party Risk (5 Questions)
- Does the vendor maintain an inventory of all sub-contractors and fourth parties with access to your data or systems?
- What security obligations does the vendor flow down to its sub-contractors? Are those obligations contractually enforced?
- Will the vendor notify you before engaging any new sub-contractor that will handle your data?
- Does the vendor conduct its own risk assessments of critical sub-contractors at least annually?
- Has any sub-contractor used by the vendor experienced a security incident affecting your data in the past 24 months?
Domain 6: Financial Stability (4 Questions)
- Can the vendor provide its most recent audited financial statements demonstrating financial viability?
- Has the vendor experienced any significant financial event (insolvency proceedings, major restructuring, acquisition) in the past 24 months?
- Does the vendor carry appropriate cyber liability and errors and omissions (E&O) insurance? What are the coverage limits?
- What is the vendor’s plan for ensuring business continuity and service handover in the event of insolvency?
How to Score and Act on Questionnaire Responses
Collecting questionnaire responses is only valuable if you act on them systematically. A mature TPRM programme scores each response against a defined rubric — for example, a red/amber/green rating per question, aggregated into a domain score and an overall vendor risk rating. Any red-rated response should trigger a mandatory remediation conversation with the vendor, with a documented timeline for resolution. Where critical gaps cannot be remediated, your risk framework should include an escalation path to the business owner for formal risk acceptance or vendor replacement.
The CISA Supply Chain Security Guidance recommends that scoring rubrics be reviewed annually and updated whenever a new threat category, regulatory change, or lessons-learned event warrants it. Your questionnaire should be a living document, not a static form.
Aligning Your Questionnaire to Regulatory Requirements
Different sectors require different emphases. For financial services organisations operating under FFIEC guidance or DORA, the compliance, operational resilience, and fourth-party risk sections carry heightened weight. For organisations processing EU personal data under GDPR, the data protection domain is essential and must include a signed DPA. For healthcare organisations, HIPAA alignment should be added as an explicit module. The key is to build a modular questionnaire — a core set of questions applicable to all vendors, with add-on modules that activate based on the vendor’s risk tier, data access level, and regulatory context. For more on structuring risk tiers, see our guide on TPRM Risk Tiering and our Vendor Contract Security Clauses guide to understand how questionnaire findings should flow into contractual protections.
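As an added example that is not part of the original article, the Python below implements the scoring approach described in the two sections above: a red/amber/green rating per question, worst-case propagation into domain ratings and an overall vendor rating, a sector-weighted exposure score, and the remediation or escalation action each red answer triggers. The domain names, point values and sector weights are assumptions, and the sample responses are constructed.

```python
from dataclasses import dataclass

RAG_ORDER = ["green", "amber", "red"]             # increasing severity
RAG_POINTS = {"green": 0, "amber": 1, "red": 3}   # assumed point values

# Assumed weights for the exposure score: the article gives compliance, resilience
# and fourth-party risk heightened weight under FFIEC or DORA; unlisted domains weigh 1.0.
SECTOR_WEIGHTS = {
    "default": {},
    "financial_services": {"compliance": 2.0, "continuity": 2.0, "fourth_party": 2.0},
}

@dataclass
class Response:
    question_id: str
    domain: str
    rating: str              # "red", "amber" or "green"
    remediable: bool = True  # False when the vendor cannot close the gap

def domain_rating(responses):
    """Worst-case propagation: one red makes the domain red, else any amber makes it amber."""
    return max((r.rating for r in responses), key=RAG_ORDER.index, default="green")

def assess(responses, sector="default"):
    """Overall rating is the worst domain rating; the 0-3 weighted score ranks vendors within a rating."""
    weights = SECTOR_WEIGHTS[sector]
    domains = {d: domain_rating([r for r in responses if r.domain == d])
               for d in sorted({r.domain for r in responses})}
    weighted = sum(RAG_POINTS[r.rating] * weights.get(r.domain, 1.0) for r in responses)
    denom = sum(weights.get(r.domain, 1.0) for r in responses)
    actions = []
    for r in responses:
        if r.rating != "red":
            continue
        if r.remediable:
            actions.append(f"{r.question_id}: mandatory remediation with documented timeline")
        else:
            actions.append(f"{r.question_id}: escalate to business owner for risk acceptance or replacement")
    return {"domains": domains, "overall": domain_rating(responses),
            "score": round(weighted / denom, 2) if denom else 0.0, "actions": actions}

# Constructed sample responses, keyed by domain and question number in the lists above.
SAMPLE = [
    Response("D1-Q3", "cybersecurity", "red"),             # MFA not enforced on privileged accounts
    Response("D2-Q3", "data_protection", "green"),
    Response("D3-Q2", "continuity", "amber"),              # RTO defined, RPO not
    Response("D4-Q3", "compliance", "red", remediable=False),
    Response("D5-Q1", "fourth_party", "green"),
    Response("D6-Q1", "financial", "green"),
]
```

Running `assess(SAMPLE)` and `assess(SAMPLE, "financial_services")` shows the same red overall rating with a higher exposure score under the financial-services weights, which is how the sector modules change prioritisation without changing the worst-case rating.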
If you want to test your depth of knowledge on vendor risk assessment methodology and the frameworks that govern it, the LearnTPRM Professional Certification covers these topics across 100 scenario-based questions designed for practising risk professionals.
Frequently Asked Questions
What is a vendor risk assessment questionnaire?
A vendor risk assessment questionnaire is a structured set of questions used to evaluate a third-party vendor’s security controls, compliance status, financial stability, and operational resilience. It is the primary due diligence tool in a TPRM programme, used to generate comparable risk ratings across the vendor population and identify gaps that require remediation before or during a vendor relationship.
How many questions should a vendor risk assessment questionnaire have?
A comprehensive full-scope questionnaire for a high-risk vendor typically contains 40 to 100 questions covering all major risk domains. Lower-risk vendors may receive a lighter 15- to 25-question version covering only core security and compliance controls. The key is proportionality — questionnaire depth should match the vendor’s risk tier and the sensitivity of the data they access.
How often should vendor risk assessment questionnaires be sent?
Critical and high-risk vendors should complete a full assessment at onboarding and annually thereafter, or whenever a significant event occurs — such as a merger, breach, regulatory change, or major change in service scope. Medium-risk vendors are typically reassessed every 18 to 24 months, and low-risk vendors every two to three years.
What frameworks should a vendor risk assessment questionnaire align to?
A well-designed questionnaire aligns to NIST CSF 2.0 for supply chain risk management, ISO 27001:2022 Annex A controls for supplier relationships, DORA Articles 28–30 for ICT vendor requirements in financial services, GDPR Article 28 for data processor obligations, and FFIEC guidance for US banking organisations. Framework alignment makes questionnaire findings directly usable as audit evidence.
What is the difference between a vendor risk assessment questionnaire and a security questionnaire?
A security questionnaire covers cybersecurity controls specifically — encryption, access management, patching, penetration testing, and incident response. A vendor risk assessment questionnaire is broader, covering security plus financial stability, business continuity, regulatory compliance, privacy practices, and fourth-party risk. In a mature TPRM programme, cybersecurity is one domain within the full assessment, not the entire assessment.