SR-6 / A.5.19 / A.5.21 / CIS-15.1 NIST SP 800-53 Rev 5

Do you require a security questionnaire (SIG, CAIQ, custom) for Tier 1 / Tier 2 vendors?

Demonstrate that the organization consistently collects, reviews, and documents security questionnaire responses from all Tier 1 and Tier 2 vendors before contract execution and at defined intervals thereafter.

Description

What this control does

This control mandates that organizations require third-party vendors classified as Tier 1 (critical/high-risk) or Tier 2 (moderate-risk) to complete standardized security questionnaires such as the Standardized Information Gathering (SIG) questionnaire, Consensus Assessments Initiative Questionnaire (CAIQ), or custom security assessments prior to onboarding and periodically thereafter. These questionnaires systematically evaluate vendor security posture across domains including data protection, access controls, incident response, and compliance certifications. The practice creates a documented baseline of vendor security capabilities and enables risk-based decision-making before establishing business relationships or sharing sensitive data.

Control objective

What auditing this proves

Demonstrate that the organization consistently collects, reviews, and documents security questionnaire responses from all Tier 1 and Tier 2 vendors before contract execution and at defined intervals thereafter.

Associated risks

Risks this control addresses

  • Onboarding vendors with inadequate security controls that fail to protect sensitive organizational data in transit or at rest
  • Supply chain compromise through vendors lacking proper incident detection and response capabilities
  • Regulatory non-compliance when vendors handling regulated data lack required certifications or contractual safeguards
  • Data breach via vendor systems with insufficient access controls, encryption, or monitoring
  • Business disruption when critical vendors lack business continuity plans or redundant infrastructure
  • Unauthorized data access or exfiltration through vendors with weak authentication or privileged access management
  • Reputational damage from vendor security incidents that expose customer data or intellectual property

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's vendor tier classification policy or matrix that defines Tier 1 and Tier 2 vendor criteria based on data sensitivity, criticality, or risk scoring
  2. Request the complete inventory of active Tier 1 and Tier 2 vendors including vendor names, tier assignments, contract dates, and questionnaire due dates
  3. Select a representative sample of 10-15 vendors spanning both tiers, recent onboardings, and established relationships for detailed examination
  4. For each sampled vendor, request the completed security questionnaire (SIG, CAIQ, or custom), submission date, and reviewing personnel documentation
  5. Verify that questionnaires were completed prior to contract execution for new vendors or according to the defined refresh cycle for existing vendors
  6. Review evidence of questionnaire analysis including risk scoring, identified gaps, remediation plans, and approval decisions documented in vendor risk assessments
  7. Interview vendor management or procurement personnel to confirm the questionnaire requirement is enforced consistently and exceptions require documented justification
  8. Cross-reference questionnaire responses against vendor contracts to verify security requirements identified in assessments are reflected in contractual obligations

Evidence required

Auditors collect the vendor tier classification policy, complete vendor inventory with tier designations, completed security questionnaires (SIG/CAIQ/custom) for sampled vendors with submission timestamps, vendor risk assessment reports showing questionnaire review and scoring, email correspondence or workflow system records proving questionnaire submission prior to contract execution, and vendor contracts demonstrating security requirements alignment. Additional evidence includes interview notes with procurement or vendor management staff and documentation of exception approval processes for any vendors that did not complete questionnaires.

Pass criteria

All sampled Tier 1 and Tier 2 vendors have completed appropriate security questionnaires prior to contract execution or within the defined refresh period, with documented review and risk acceptance by authorized personnel, and no exceptions lacking formal documented justification.