
Vendor Due Diligence: The Questions That Actually Matter

Most vendor security questionnaires miss the point. Here's what to actually ask before giving a third party access to your data.

Most vendor security assessments are theatre.

A vendor sends a completed SIG questionnaire with 400 questions answered, a SOC 2 Type II report, and a signed BAA. The boxes get checked, the documents get filed, everyone moves on. Three months later, the vendor has a breach that exposes customer data.

What went wrong? Evidence was collected, but the questions that matter weren't asked.

The Problem with Standard Questionnaires

Standard security questionnaires (SIG, CAIQ, custom 200-question monsters) optimize for breadth, not insight. They ask "Do you have an information security policy?" without asking whether it's followed. They ask about encryption without asking who holds the keys.

The result is that sophisticated vendors with good documentation look great on paper regardless of their actual security posture, while smaller vendors with genuinely strong practices struggle to answer questions designed for enterprises.

What You Actually Need to Know

Before signing with a vendor, you need to understand four things:

1. What's the blast radius?

If this vendor gets breached tomorrow, what's the impact on you?

  • What data will they have access to?
  • Can they move money on your behalf?
  • Could they access your systems or networks?
  • Would their outage stop your business?

A marketing analytics vendor that sees aggregated website traffic is different from a payroll provider with your employees' SSNs and bank accounts. Calibrate your diligence accordingly.

2. How do they actually protect that data?

Skip "Do you have encryption?" and ask:

  • Where specifically will our data be stored?
  • Who can access it, and how is that access controlled?
  • If an employee goes rogue, what would they be able to steal?
  • If someone compromises their cloud account, what would be exposed?
  • When we stop working together, what happens to our data?

These questions reveal operational security, not policy security.

3. What happens when things go wrong?

Every vendor will eventually have an incident. What matters is how they handle it:

  • How would you find out about a breach affecting your data?
  • What's their contractual notification timeline? (If it's not in the contract, it doesn't exist.)
  • Have they had security incidents in the past? How did they respond?
  • Can you get out of the contract if they have a significant breach?

A vendor who admits to past incidents and explains what they learned is more trustworthy than one who claims perfection.

4. What's their dependency chain?

Your vendor probably uses vendors:

  • What cloud providers do they use?
  • Do they use subprocessors for any of your data?
  • What happens to your data if their critical vendor fails?

This matters because you're not just assessing one company—you're assessing their entire supply chain.

The Simplified Due Diligence Process

Here's a practical approach, scaled by risk level:

Low-Risk Vendors

(No access to sensitive data, not critical to operations)

  • Review their security page and any public certifications
  • Confirm they meet basic hygiene (MFA, encryption)
  • Standard contract terms

Medium-Risk Vendors

(Access to internal data, supports but not critical to operations)

  • Request SOC 2 or equivalent
  • Short questionnaire focused on data handling and incident response
  • Contract with breach notification terms

High-Risk Vendors

(Access to sensitive data, critical to operations or compliance)

  • Detailed questionnaire and SOC 2 review
  • Reference calls with similar customers
  • Contract negotiation including audit rights, SLAs, and termination provisions
  • Annual reviews

Critical Vendors

(Direct access to production systems, regulated data, or existential risk)

Everything above, plus:

  • On-site or virtual assessment
  • Penetration test results review
  • Executive relationship and escalation paths
  • Documented business continuity and disaster recovery

Red Flags That Should Stop the Deal

These aren't automatic disqualifiers, but they require explanation:

  • No SOC 2 or equivalent for a company handling sensitive data
  • Vague answers about data location or access controls
  • Refusal to sign a DPA or discuss data processing terms
  • Recent breaches with no clear explanation of remediation
  • Heavy reliance on vendors they can't name or describe
  • No incident response plan or unclear breach notification process
  • Unlimited subprocessing rights without customer notification

Track It Simply

You don't need a GRC platform for vendor management. Use what you have:

Vendor            | Risk Tier | Last Review | SOC 2 Status | Next Review
Acme Payroll      | Critical  | 2024-03     | Current      | 2025-03
Widget Analytics  | Low       | 2024-01     | N/A          | 2026-01

The discipline of tracking matters more than the tool you use.
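One way to keep that discipline without a GRC platform is a short script over the same register. This is an added example, not from the original post: it derives Next Review from the tier (annual for Critical and High, two years for Low, matching the table; 18 months for Medium is an assumption) and flags overdue reviews and high-risk vendors without a current SOC 2.

```python
from datetime import date

# Constructed sample register mirroring the columns of the table above.
# Fields: vendor, risk tier, last review (YYYY-MM), SOC 2 status.
VENDOR_REGISTER = [
    {"vendor": "Acme Payroll", "tier": "Critical", "last_review": "2024-03", "soc2": "Current"},
    {"vendor": "Widget Analytics", "tier": "Low", "last_review": "2024-01", "soc2": "N/A"},
]

# Review cadence in months by tier. Critical/High follow the post's annual
# review; Low follows the two-year gap in the table; Medium (18) is assumed.
REVIEW_CADENCE_MONTHS = {"Critical": 12, "High": 12, "Medium": 18, "Low": 24}


def next_review(last_review: str, tier: str) -> str:
    """Return the YYYY-MM of the next review for a vendor in the given tier."""
    year, month = (int(part) for part in last_review.split("-"))
    total_months = year * 12 + (month - 1) + REVIEW_CADENCE_MONTHS[tier]
    return f"{total_months // 12:04d}-{total_months % 12 + 1:02d}"


def review_findings(register, today: date):
    """List (vendor, finding) pairs that need attention as of `today`."""
    findings = []
    current_month = today.strftime("%Y-%m")
    for entry in register:
        due = next_review(entry["last_review"], entry["tier"])
        # Overdue once the due month has arrived; YYYY-MM strings sort correctly.
        if due <= current_month:
            findings.append((entry["vendor"], f"review overdue since {due}"))
        # Red flag from the post: no current SOC 2 for a vendor handling sensitive data.
        if entry["tier"] in ("Critical", "High") and entry["soc2"] != "Current":
            findings.append((entry["vendor"], "no current SOC 2 for a high-risk tier"))
    return findings


if __name__ == "__main__":
    for vendor, finding in review_findings(VENDOR_REGISTER, date.today()):
        print(f"{vendor}: {finding}")
```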

The Real Goal

Vendor due diligence isn't about building a paper fortress. It's about understanding your risk exposure and making informed decisions.

Some vendors will have gaps. The question isn't "is this vendor perfect?" It's "do we understand the risk, and are we comfortable accepting it?"

Answer that honestly, and you're doing vendor risk management. Answer it with a rubber-stamped questionnaire, and you're doing compliance theatre.


Need help building a vendor risk management program or assessing critical vendors? Our GRC Advisory services include vendor risk assessment and due diligence support. Let's talk.

Jonathan Carpenter
Founder, Anchor Cyber Security