What security questionnaires are available in UpGuard's library?

Learn about what pre-built security questionnaires are available to you as an UpGuard Vendor Risk customer

Written by Abi Tyas Tunggal
Updated over a week ago

UpGuard Vendor Risk has a broad range of security questionnaires available that can be used to assess organizations across common regulations, standards and frameworks. Questionnaires available in UpGuard's default library include:

Default CyberRisk Questionnaire

Get a comprehensive and in-depth technical assessment of an organization's security controls and posture. By default, this questionnaire has four sections that can be included or excluded when sent to a vendor:

  • Web Application - Metadata, vulnerability reporting and management, HTTPS, authentication and authorisation, common vulnerabilities, testing and monitoring.

  • Infrastructure - Networks, firewalls, wireless networking, VPN/remote network access, servers, hardening and build standards, security updates and vulnerability management, logging, administrative access, backups, email, clients, encryption, technical security testing, third-party penetration testing, security scanning, and in-house security testing and reviews.

  • Physical & Data Center - Office and data center security.

  • Security & Privacy Program - Program details, security controls, security and privacy policies, internal assessments, third-party audits, risk assessment and management, partner security program, change management, security and privacy incident response, personnel security, and background checks.


Web Application Security Questionnaire

Assess an organization’s controls and policies across web application security including metadata, vulnerability reporting and management, HTTPS, authentication and authorization, common vulnerabilities, testing and monitoring. The Web Application Security Questionnaire is included as part of the Default CyberRisk Questionnaire.


Infrastructure Security Questionnaire

Assess an organization’s controls and policies across infrastructure security, including networks, firewalls, wireless networking, VPN/remote network access, servers, hardening and build standards, security updates and vulnerability management, logging, administrative access, backups, email, clients, encryption, technical security testing, third-party penetration testing, security scanning, and in-house security testing and reviews. The Infrastructure Security Questionnaire is included as part of the Default CyberRisk Questionnaire.


Physical and Data Centre Security Questionnaire

Assess the physical security an organization has in place at its office(s) and data centers. The Physical and Data Centre Security Questionnaire is included as part of the Default CyberRisk Questionnaire.


Security and Privacy Program Questionnaire

Assess an organization’s controls and policies across its security and privacy program, including: security controls, security and privacy policies, internal assessments, third-party audits, risk assessment and management, partner security program, change management, security and privacy incident response, personnel security, and background checks. The Security and Privacy Program Questionnaire is included as part of the Default CyberRisk Questionnaire.


Multi-Framework Questionnaire

Get a thorough evaluation of an organization's security posture and practices, mapped to the full set of security controls of the ISO 27001:2022 standard and the NIST CSF 2.0 framework. This dual-standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high security standards.


Short Form Questionnaire

A condensed version of the CyberRisk Questionnaire, designed to be sent to smaller organizations. It focuses on the information security risks smaller organizations are typically exposed to, such as their backup process and email security concerns, while avoiding areas where small organizations are typically less mature (such as their information security policy framework).


ISO 27001:2022 Questionnaire

Get a comprehensive assessment of an organization's security posture and identify risks mapped against the 2022 version of the ISO 27001 standard. The ISO 27001:2022 questionnaire also covers all relevant controls of the APRA CPS 234 requirements.


ISO 27001:2013 Questionnaire

Assess an organization's security posture against the 2013 version of the ISO 27001 standard. This questionnaire provides a comprehensive assessment of an organization's security posture and identifies risks mapped against the ISO 27001:2013 standard. It also covers all relevant controls of the APRA CPS 234 requirements.


NIST Cybersecurity Framework Questionnaire

Evaluate the compliance of an organization with the standards in the NIST Cybersecurity Framework (CSF) version 1.0. This comprehensive questionnaire covers key areas of cybersecurity, including identification, protection, detection, response, and recovery, ensuring that vendors meet the necessary security controls and practices.


Standardized Information Gathering (SIG) Lite questionnaire

Developed by Shared Assessments, the SIG provides a comprehensive set of questions for assessing third-party risks. SIG Lite includes 126 questions for a high-level security overview across 19 domains.


Essential Eight Questionnaire

Evaluate an organization's compliance with the requirements of the Essential Eight framework. The Australian Cyber Security Centre (ACSC) developed the Essential Eight in 2017 to protect Microsoft Windows-based internet-connected networks. The eight mitigation strategies are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.


PCI DSS Questionnaire

Assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). This questionnaire examines key security requirements, including the protection of cardholder data, implementation of strong access control measures, regular monitoring and testing of networks, and maintaining information security policies.


Modern Slavery Questionnaire

Evaluate an organization's compliance with the Modern Slavery Act. This legislation aims to combat modern slavery and human trafficking. The questionnaire assesses the organization's policies, practices, and procedures to ensure they are actively preventing forced labour, human trafficking, and exploitation within their operations and supply chains. This questionnaire aligns with the Australian and UK Modern Slavery Act.

The main difference between the Australian and UK legislation is the level of obligation. The UK legislation frames its guidance on what organizations “should aim to include” in their Modern Slavery Statement as suggestions, whereas the Australian law takes a stronger line and sets out clear, mandatory reporting criteria.


California Consumer Privacy Act (CCPA) Questionnaire

Assess an organization's compliance with the personal information disclosure requirements outlined in the CCPA. The California Consumer Privacy Act requires most companies with California-based assets or customers to make new disclosures about the types of personal information they collect and how it is used. It also gives California residents new rights around their personal information.


ISA 62443-2-1:2009 Security Standard Questionnaire

Assess an organization's adherence to the ISA 62443-2-1:2009 standard. This standard, developed by the International Society of Automation (ISA), provides guidelines for establishing and maintaining an industrial automation and control systems (IACS) security management system. The questionnaire ensures that vendors implement the necessary policies, procedures, and practices to protect IACS from cybersecurity threats, thereby ensuring the safety and reliability of industrial operations.


ISA 62443-3-3:2013 Security Standard Questionnaire

Assess an organization's compliance with the ISA 62443-3-3:2013 standard. This standard, established by the International Society of Automation (ISA), provides detailed technical security requirements for industrial automation and control systems (IACS). The questionnaire ensures that vendors implement the necessary security capabilities to protect IACS against cybersecurity threats, focusing on aspects such as system integrity, confidentiality, and availability.


GDPR Security Standard Questionnaire

Evaluate an organization's compliance with the European Union's General Data Protection Regulation (GDPR). This regulation, enforced by the European Union, sets strict guidelines for the collection, processing, and storage of personal data. The questionnaire assesses the vendor's adherence to GDPR's requirements, ensuring they implement the necessary measures to protect personal data, uphold data subjects' rights, and maintain data privacy and security throughout their operations.


CIS Controls 7.1 Security Standard Questionnaire

Assess an organization's implementation of the CIS Controls 7.1. Developed by the Center for Internet Security (CIS), this standard provides a prioritized set of actions to mitigate the most common cyber attacks. The questionnaire evaluates the vendor's adherence to these best practices, ensuring they have robust security measures in place to protect against threats, enhance their cybersecurity posture, and safeguard critical assets and data.


NIST SP 800-53 Rev. 4 Security Standard Questionnaire

Evaluate an organization's compliance with the NIST SP 800-53 Rev. 4 standard. This standard, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive set of security and privacy controls for federal information systems and organizations. The questionnaire assesses the vendor's implementation of these controls, ensuring they meet the stringent requirements necessary to protect sensitive information and maintain the integrity, confidentiality, and availability of information systems.


COBIT 5 Security Standard Questionnaire

Assess an organization's alignment with the Control Objectives for Information and Related Technologies (COBIT) 5 framework. COBIT 5, developed by ISACA, provides a comprehensive framework for the governance and management of enterprise IT. The questionnaire evaluates how well vendors implement COBIT 5's principles, practices, and analytical tools to ensure effective decision-making, resource management, and risk mitigation in their IT operations, thereby supporting the organization's overall governance objectives.


Health Insurance Portability and Accountability Act (HIPAA) Questionnaire

Evaluate an organization's compliance with the Health Insurance Portability and Accountability Act (HIPAA). Compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). HIPAA establishes national standards for the protection of sensitive patient health information. It contains requirements for safeguarding medical data, ensuring privacy, and implementing the necessary administrative, physical, and technical safeguards to prevent unauthorized access to and breaches of protected health information (PHI).


Higher Education Community Vendor Assessment Tool (HECVAT) Full and Lite Questionnaires

Evaluate an organization's compliance with the Higher Education Community Vendor Assessment Toolkit (HECVAT). To protect the institution and its systems, vendors whose products and/or services will access and/or host institutional data must complete the HECVAT.

  • The HECVAT Full covers all questions for the most critical data-sharing engagements and is intended for use by vendors participating in a Third Party Security Assessment.

  • The HECVAT Lite is a lightweight version of the Full version and is typically used for an expedited or less-critical process.


Pandemic Questionnaires

Designed to help you assess how your vendor will handle a pandemic, including the impacts on supply chain, continuation of services, legal obligations, HR implications, and much more.


SolarWinds Questionnaire

Review an organization's use and management of SolarWinds products and services.

The SolarWinds supply chain compromise, discovered in April 2021, involved attackers inserting malicious code into SolarWinds' Orion software, which was then distributed to thousands of organizations, including government agencies and private companies. This breach allowed attackers to access sensitive data and networks, highlighting significant weaknesses in supply chain security and the need for improved cybersecurity measures.


Kaseya Questionnaire

Helps you determine whether you or your vendors were exposed to the sophisticated supply chain ransomware attack that affected Kaseya.

The Kaseya VSA supply-chain ransomware attack in July 2021 involved cybercriminals exploiting vulnerabilities in Kaseya's VSA software to distribute REvil ransomware to managed service providers (MSPs) and their customers, affecting thousands of businesses worldwide.


Apache Log4J - Critical Vulnerability Questionnaire

Determine if third-party vendors are using software or cloud services impacted by the Log4j vulnerability, either directly or via supply chains.

Discovered in December 2021, this vulnerability exposed a critical flaw in the widely used Log4j logging library, allowing attackers to execute arbitrary code on affected systems. This severe security issue, known as Log4Shell, impacted millions of applications and services globally, prompting urgent mitigation efforts across the tech industry.
