Security, Risk, Privacy, Leadership & More...

It is quite common to use checklists in the form of standardized questionnaires for vendor assessments; you've probably heard of SIG and CSA, for example. These are good ways of retrieving information from third parties. I believe that processes like this are necessary, because if security professionals start crafting questions from scratch every time there is a new project, we will end up dedicating our time to repetitive (what I like to call "Robotic") tasks, will definitely forget questions that we should have asked, and thus will not have enough information to properly assess risks. Many market-leading companies use these checklists, but the worrying part of the story is that those checklists are used as is. Unfortunately, nobody is trying to customize the questions to suit the respondent company or the project, and only a few companies ask additional questions or customize them. Also, a single topic is often covered multiple times with multiple questions, which is a very boring experience for the respondent.

Here are suggestions for crafting simple, understandable and result-oriented information security and risk assessment questionnaires.


If you find this content useful, feel free to share it with your friends and family. Owls love humans, so if you want to keep in touch make sure to sign up for CypherOwl Newsletter. Let me know what you think from the comments section below.
