A buyer-driven set of questions used to assess a vendor’s security, privacy, and risk posture. It is usually tailored to the customer’s concerns and often asks for control descriptions, policy evidence, and operational details that support vendor due diligence.
Expanded Definition
A security questionnaire is not just a list of compliance checks. In practice, it is a structured due diligence instrument used to collect evidence about how a vendor protects data, operates access controls, manages incidents, and governs third-party risk. The buyer defines the scope, so the same term can cover a lightweight intake form, a detailed audit-style assessment, or a risk-specific review tied to a particular service. Guidance varies across organisations because no single standard governs questionnaire design yet, although many teams map questions to recognised control domains such as the NIST Cybersecurity Framework 2.0.
What distinguishes a security questionnaire from a certification claim is its specificity. It asks for current operational detail, not just policy intent. That can include encryption methods, logging retention, subcontractor controls, identity assurance, incident response ownership, and how the vendor handles secrets, tokens, and privileged access. Because responses are buyer-driven, questionnaires often reflect the requester’s internal risk appetite more than an external benchmark. The most common misapplication is treating a completed questionnaire as proof of control effectiveness, which occurs when teams accept narrative answers without validating evidence or testing whether the control actually works in production.
Examples and Use Cases
Implementing security questionnaires rigorously often introduces review overhead and supplier friction, requiring organisations to weigh faster procurement against better risk visibility.
- A financial services buyer sends a detailed questionnaire before onboarding a SaaS platform, asking for encryption, log review, incident notification timelines, and the vendor’s use of NIST Cybersecurity Framework 2.0 functions as a reference point.
- A healthcare organisation requests evidence of access control, data segregation, and subcontractor governance to determine whether the supplier can handle regulated records.
- A procurement team uses a shorter questionnaire for low-risk tools, then expands it when the vendor requests production data access or integration with identity systems.
- A security review of an AI-enabled service includes questions about model training data, logging, prompt handling, human oversight, and whether the vendor can detect unauthorised agent actions.
- A third-party risk team asks for incident response runbooks, customer notification commitments, and proof of policy enforcement rather than relying on marketing statements or self-attestation alone.
Questionnaires are most useful when they are aligned to the service being assessed. A payment processor needs different scrutiny than a collaboration tool, and an API supplier may require deeper questions on key rotation, authentication, and secrets management.
Why It Matters for Security Teams
Security questionnaires matter because they shape how organisations make trust decisions before a breach, outage, or regulatory issue exposes weak vendor governance. When used well, they create a repeatable record of vendor claims, identify gaps in access control and incident readiness, and support proportionate third-party risk management. When used poorly, they become checkbox exercises that generate noise, delay procurement, and miss the actual risks hidden in shared infrastructure, subcontracting chains, or unmanaged privileged access.
For teams dealing with identity-heavy services, questionnaire quality is especially important. Questions about authentication strength, administrator separation, session logging, and service account governance often reveal whether a supplier can safely operate inside a customer environment. The same is true for AI and automation services, where a questionnaire may be the only place to learn how an AI agent is constrained, monitored, and shut down if it acts outside policy. Organisations typically encounter the limits of a security questionnaire only after a supplier incident, data exposure, or failed audit, at which point the questionnaire becomes operationally unavoidable to defend the original risk decision.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.SC-4 | Vendor risk management is core to security questionnaires and third-party due diligence. |
| NIST SP 800-53 Rev 5 | SR-6 | Supply chain controls support evidence requests about vendor security and assurance. |
| ISO/IEC 27001:2022 | A.5.19 | Supplier relationship controls inform how security questionnaires assess vendor governance. |
| NIST AI RMF | Questionnaires increasingly assess AI governance, accountability, and risk management practices. | |
| OWASP Non-Human Identity Top 10 | Identity and secrets handling questions align with NHI governance for vendor services. |
Tie questionnaire content to third-party risk expectations and verify suppliers maintain appropriate controls.
Related resources from NHI Mgmt Group
- Why do AI vendor assessments need more than a standard security questionnaire?
- How should security teams reduce third-party risk questionnaire backlogs?
- Why has identity replaced the network perimeter as the primary security boundary?
- What is phishing-resistant authentication and how does it relate to NHI security?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org