BitSight Security Ratings Blog



Vendor Risk Management

If you’re in the beginning stages of building your comprehensive vendor risk management plan, you’re likely looking for something that will help you get started with your vendor risk assessments. That’s a big task—but it doesn’t need to be daunting. Here are a few things you should know before you begin:

  • The templates below are not pre-made questionnaires that you can simply copy, paste, and send. Rather, they are comprehensive documents with hundreds, even thousands, of possible question ideas that you can draw on to build a vendor risk assessment questionnaire tailored to your needs. Keep your own industry, organization, and vendors in mind as you select the security questions that are pertinent to you.
  • All three are examples of risk assessments that ask a series of questions about an organization’s governance and approach to cybersecurity. The first two were designed by experts with backgrounds in assessing cybersecurity practices, and all three are written for a broad audience. So while there is a lot of material to comb through, you should be able to understand it without specialist training.
  • Creating an information security risk assessment template for your organization is neither quick nor easy. You can’t expect to show up to work at 9 a.m. and have the document written and completed before lunch. Instead, expect your company’s leadership to spend many hours across several days reading through these three templates.

With that being said, let’s take a look at the CIS Critical Security Controls, the NIST Cybersecurity Framework, and our very own “40 Questions You Should Have In Your Vendor Security Assessment” ebook.


1. CIS Critical Security Controls

The CIS Critical Security Controls (formerly known as the SANS Top 20) were created by experts from the private sector and government. They are a practical guide to getting started quickly and effectively with a security program and are widely regarded as a benchmark of good security practice. They were designed as a prioritized list of technical and operational best practices that organizations can implement to address the most common and damaging attacks, and were created in response to other security frameworks and assessments that ran to hundreds of pages.

2. NIST Cybersecurity Framework

The NIST (National Institute of Standards and Technology) Cybersecurity Framework was created by government and the private sector as a way of simplifying the security assessment and governance process. Rather than inventing new controls, it maps its outcomes to existing standards and practices, including NIST SP 800-53 and ISO/IEC 27001, and the CIS Critical Security Controls are also reflected in it.

The NIST Cybersecurity Framework was designed for owners and operators of critical infrastructure, but it can be used by any organization. Its strength is that it covers both governance and technology, whereas the CIS Critical Security Controls focus more narrowly on technical measures. That dual approach is what makes the framework so widely adopted.

3. “40 Questions You Should Have In Your Vendor Security Assessment” Ebook

We promised that these information security risk assessment templates would help you get started quickly, and we’re sticking by that. So if you’re looking to jump-start this process, our latest ebook is a good place to begin. We drew on both the NIST Cybersecurity Framework and the CIS (SANS) Critical Security Controls to come up with a specific list of 40 important questions you may want to include in your vendor questionnaire.

Of course, this ebook is nowhere near as comprehensive as the two frameworks above. There are thousands of possible questions to draw from the NIST and CIS material, but it isn’t always easy to identify which ones matter most. That’s where a simplified starting point comes in handy: once you review it, you should have a clearer idea of which questions are critical and why they matter to good cybersecurity practice.

In Conclusion

The bottom line is that if you’re tackling information security risk assessment templates, you may feel overwhelmed by the task ahead of you. Our best advice is to take a deep breath and simply get started. The templates above are written in terms that most people can understand, so all you need to do is make sure the right people are in the room and begin. Best of luck!

