IT KORR Knowledge Center
Vendor Security Risk Questionnaire
A representative vendor security questionnaire covering data handling, certifications, access controls, incident history, and audit rights.
Data Handling & Certifications
- What types of our data will you access, process, or store, and where (including subprocessor locations)?
- Is data encrypted at rest and in transit? What encryption standards are used?
- What certifications or attestations do you currently hold (e.g., SOC 2 Type II, ISO 27001) and can you provide the current report or certificate?
- How long do you retain our data after contract termination, and what is your data deletion process?
Access Control & Security Practices
- Is multi-factor authentication enforced for all employee access to systems that process our data?
- How is access to our data restricted internally, and how often is that access reviewed?
- Do you conduct background checks on employees with access to customer data?
- What vulnerability management and patching practices are in place for systems handling our data?
Incident History & Subprocessors
- Have you experienced a security incident or data breach in the past 24 months? If so, describe the scope, impact, and remediation.
- What is your committed notification timeline if a breach affecting our data occurs?
- Do you use subprocessors to deliver the service, and will you disclose and notify us of changes to that subprocessor list?
- How do you assess the security posture of your own subprocessors?
Backup, Continuity & Audit Rights
- What is your backup schedule, and how frequently are backups tested for restorability?
- Do you maintain a documented business continuity / disaster recovery plan, and when was it last tested?
- Does your contract include a right-to-audit clause, or will you provide audit results in lieu of a direct audit?
- Will you notify us in advance of material changes to your security posture, infrastructure, or ownership?
Related Resources
- Third-Party Vendor Risk Management — /knowledge-center/compliance/compliance-governance/third-party-vendor-risk-management
- Risk Assessments vs. Compliance Assessments — /knowledge-center/compliance/compliance-governance/risk-assessments-vs-compliance-assessments