Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Compliance & Governance · Download

Vendor Security Risk Questionnaire

A representative vendor security questionnaire covering data handling, certifications, access controls, incident history, and audit rights.

IT KORR Knowledge Center

Vendor Security Risk Questionnaire

A representative vendor security questionnaire covering data handling, certifications, access controls, incident history, and audit rights.

Data Handling & Certifications

  • What types of our data will you access, process, or store, and where (including subprocessor locations)?
  • Is data encrypted at rest and in transit? What encryption standards are used?
  • What certifications or attestations do you currently hold (e.g., SOC 2 Type II, ISO 27001) and can you provide the current report or certificate?
  • How long do you retain our data after contract termination, and what is your data deletion process?

Access Control & Security Practices

  • Is multi-factor authentication enforced for all employee access to systems that process our data?
  • How is access to our data restricted internally, and how often is that access reviewed?
  • Do you conduct background checks on employees with access to customer data?
  • What vulnerability management and patching practices are in place for systems handling our data?

Incident History & Subprocessors

  • Have you experienced a security incident or data breach in the past 24 months? If so, describe the scope, impact, and remediation.
  • What is your committed notification timeline if a breach affecting our data occurs?
  • Do you use subprocessors to deliver the service, and will you disclose and notify us of changes to that subprocessor list?
  • How do you assess the security posture of your own subprocessors?

Backup, Continuity & Audit Rights

  • What is your backup schedule, and how frequently are backups tested for restorability?
  • Do you maintain a documented business continuity / disaster recovery plan, and when was it last tested?
  • Does your contract include a right-to-audit clause, or will you provide audit results in lieu of a direct audit?
  • Will you notify us in advance of material changes to your security posture, infrastructure, or ownership?

Related Resources

  • Third-Party Vendor Risk Management — /knowledge-center/compliance/compliance-governance/third-party-vendor-risk-management
  • Risk Assessments vs. Compliance Assessments — /knowledge-center/compliance/compliance-governance/risk-assessments-vs-compliance-assessments

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Compliance & Governance Hub for the reasoning behind each recommendation, or use the Compliance Readiness Assessment for a personalized review.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT