It is quite common to use checklists in the form of standardized questionnaires for vendor assessments; you have probably heard of SIG and CSA, for example. These are good ways of retrieving information from third parties. I believe that processes like this are necessary, because if security professionals start crafting questions from scratch every time there is a new project, we will end up dedicating our time to repetitive (what I like to call "robotic") tasks, will definitely forget questions that we should have asked, and thus will not have enough information to assess risks properly. Many market-leading companies use these checklists, but the worrying part of the story is that the checklists are used as-is. Unfortunately, nobody tries to customize the questions to suit the respondent company or the project, and only a few companies ask additional questions or tailor the existing ones. Also, a single topic is often covered multiple times by multiple questions, which is a very boring experience for the respondent.
Here are some suggestions for crafting simple, understandable and result-oriented information security and risk assessment questionnaires.