Learn about what pre-built security questionnaires are available to you as an UpGuard Vendor Risk customer
Written by Abi Tyas TunggalUpGuard Vendor Risk has a broad range of security questionnaires available that can be used to assess organizations across common regulations, standards and frameworks. Questionnaires available in UpGuard's default library include:
Default CyberRisk Questionnaire
Get a comprehensive and in-depth technical assessment of an organization's security controls and posture. By default, this questionnaire has four sections that can be included or excluded when sent to a vendor:
- Web Application - Metadata, vulnerability reporting and management, HTTPS, authentication and authorisation, common vulnerabilities, testing and monitoring.
- Infrastructure - Networks, firewalls, wireless networking, VPN/remote network access, servers, hardening and build standards, security updates and vulnerability management, logging, administrative access, backups, email, clients, encryption, technical security testing, third-party penetration testing, security scanning, and in-house security testing and reviews.
- Physical & Data Center - Office and data center security.
- Security & Privacy Program - Program details, security controls, security and privacy policies, internal assessments, third-party audits, risk assessment and management, partner security program, change management, security and privacy incident response, personnel security, and background checks.
Multi-Framework Questionnaire (ISO27001 & NIST CSF)
Get a thorough evaluation of an organization's security posture and practices, mapped to the full set of security controls of the ISO 27001:2022 standard and the NIST CSF 2.0 framework. This dual standard approach offers a holistic view of a third party’s security posture, ensures robust incident response and recovery plans, and demonstrates a commitment to high-security standards.
Short Form Questionnaire
A condensed version of the CyberRisk Questionnaire, designed to be sent to smaller organizations. It focuses on the information security risks smaller organizations are typically exposed to, such as their backup process and email security concerns, while avoiding areas where small organizations are typically less mature (such as their information security policy framework).
ISO 27001:2022
Get a comprehensive assessment of an organization's security posture and identify risks mapped against the 2022 version of the ISO 27001 standard. The ISO 27001:2022 questionnaire also covers all relevant controls of the APRA CPS 234 requirements.
ISO 27001:2013
Assess an organization's security posture against the 2013 version of the ISO 27001 standard. It provides a comprehensive assessment of an organization's security posture, and identifies risks that are mapped against the ISO 27001:2013 standard. This questionnaire also covers all relevant controls of the APRA CPS 234 requirements.
NIST Cybersecurity Framework (CSF) 2.0
Assess an organization's compliance with the standards in the NIST Cybersecurity Framework (CSF) v2.0. This questionnaire comprehensively maps to the six functions of NIST CSF 2.0 which cover governance, identification, protection, detection, response, and recovery, ensuring that vendors meet the necessary security controls and practices.
NIST AI Risk Management Framework (AI RMF) 1.0
Evaluate an organization's alignment with the NIST AI RMF, which provides a structured approach to managing risks associated with AI systems. This questionnaire addresses the key functions of the AI RMF, including governing, mapping, measuring, and managing AI systems and risks, ensuring that vendors adhere to best practices in AI governance and operational management.
NIST CSF 1.0
Evaluate the compliance of an organization with the standards in the NIST Cybersecurity Framework (CSF) version 1.0. This comprehensive questionnaire covers key areas of cybersecurity, including identification, protection, detection, response, and recovery, ensuring that vendors meet the necessary security controls and practices.
SIG Core 2025 (Standardized Information Gathering)
Evaluate an organization using the Standardized Information Gathering (SIG) Core questionnaire, covering 21 risk domains including enterprise risk management, Nth party management, information assurance, asset and information management, HR security, physical and environmental security, IT operations management, access control, application management, incident management, operational resilience, compliance management, endpoint security, network security, ESG, privacy management, AI, supply chain risk, threat management, server security, and cloud services. This questionnaire, including all questions, risk statements, control statements, and objectives, is copyrighted by Shared Assessments LLC.
SIG Lite 2025
Gain a high-level understanding of a third party’s information security controls using this streamlined version of the SIG Core, with questions for program-level assessment across all of the same categories. This questionnaire (including all questions, risk statements, and control statements and objectives) is copyrighted by Shared Assessments LLC.
ASD Essential Eight
Evaluate an organization's compliance with the requirements of the Essential Eight framework. The Australian Cyber Security Center (ACSC) developed the Essential Eight in 2017 to protect Microsoft Windows-based internet-connected networks. The eight mitigation strategies include: Application Control, Patch Applications, Configure Microsoft Office macro settings, User application hardening, Restrict Administrative privileges, Patch operating systems, Multi-factor authentication and Regular backups.
Prudential Standard CPS 230 Operational Risk Management
Evaluate an organization's adherence to the Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 230 Operational Risk Management. CPS 230 ensures that APRA-regulated entities effectively manage operational risks to maintain the resilience of critical operations. This questionnaire covers all of the requirements for APRA-regulated entities including key principles, risk management framework, roles and responsibilities, operational risk management, business continuity, and service provider arrangements.
NIS 2 Supplier Due Diligence Questionnaire
Assess a vendor’s security controls to ensure alignment with the compliance requirements of the NIS 2 Directive, which provides a standardized cybersecurity framework across the EU. This questionnaire integrates controls from ISO 27001:2022 and NIST CSF 2.0, addressing key areas such as risk management, incident reporting, supply chain security, and governance. It is designed to evaluate vendor practices to align with your NIS 2 supplier risk management obligations, supporting strong cybersecurity measures and enhancing operational resilience.
Digital Operational Resilience Act (DORA)
Evaluate an organization's adherence to the Digital Operational Resilience Act (DORA) and their operational resilience in the face of digital disruptions. This questionnaire dynamically covers all relevant aspects of DORA pending on the type of entity, including ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management, ensuring that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions.
PCI DSS v3.2.1
Assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). This questionnaire examines key security requirements, including the protection of cardholder data, implementation of strong access control measures, regular monitoring and testing of networks, and maintaining information security policies.
Modern Slavery
Evaluate an organization's compliance with the Modern Slavery Act. This legislation aims to combat modern slavery and human trafficking. The questionnaire assesses the organization's policies, practices, and procedures to ensure they are actively preventing forced labour, human trafficking, and exploitation within their operations and supply chains. This questionnaire aligns with the Australian and UK Modern Slavery Act.
The main difference between the Australian and UK legislation is that the level of obligation differs significantly. The UK legislation provides its guidance on what organizations “should aim to include” in their Modern Slavery Statement in the form of suggestions, the Australian law takes a stronger line and sets out clearly more mandatory reporting criteria.
Digital Personal Data Protection Act, 2023 (DPDP)
Evaluate an organization's compliance with the Digital Personal Data Protection Act, 2023. The DPDP Act is a legislative framework designed to protect the privacy of individuals' personal data by regulating its collection, processing, and storage by organizations in India. This questionnaire covers all sections of compliance for a third party organization.
California Consumer Privacy Act (CCPA)
Assess an organization's compliance with the personal information disclosure requirements outlined in CCPA. The California Consumer Privacy Act requires most companies with California-based assets or customers to make new disclosures about the type of personal information you’re collecting and how it is used. It also gives California residents new rights around their personal information.
ISA 62443-2-1:2009 Security Standard
Assess an organization's adherence to the ISA 62443-2-1:2009 standard. This standard, developed by the International Society of Automation (ISA), provides guidelines for establishing and maintaining an industrial automation and control systems (IACS) security management system. The questionnaire ensures that vendors implement the necessary policies, procedures, and practices to protect IACS from cybersecurity threats, thereby ensuring the safety and reliability of industrial operations.
ISA 62443-3-3:2013 Security Standard
Assess an organization's compliance with the ISA62443-3-3:2013 standard. This standard, established by the International Society of Automation (ISA), provides detailed technical security requirements for industrial automation and control systems (IACS). The questionnaire ensures that vendors implement the necessary security capabilities to protect IACS against cybersecurity threats, focusing on aspects such as system integrity, confidentiality, and availability.
GDPR Security Standard
Evaluate an organization's compliance with the European Union's General Data Protection Regulation (GDPR). This regulation, enforced by the European Union, sets strict guidelines for the collection, processing, and storage of personal data. The questionnaire assesses the vendor's adherence to GDPR's requirements, ensuring they implement the necessary measures to protect personal data, uphold data subjects' rights, and maintain data privacy and security throughout their operations.
CIS Controls 7.1 Security Standard
Assess an organization's implementation of the CIS Controls 7.1. Developed by the Center for Internet Security (CIS), this standard provides a prioritized set of actions to mitigate the most common cyber attacks. The questionnaire evaluates the vendor's adherence to these best practices, ensuring they have robust security measures in place to protect against threats, enhance their cybersecurity posture, and safeguard critical assets and data.
NIST SP 800-53 Rev. 4 Security Standard
Evaluate an organization's compliance with the NIST SP 800-53 Rev.4 standard. This standard, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive set of security and privacy controls for federal information systems and organizations. The questionnaire assesses the vendor's implementation of these controls, ensuring they meet the stringent requirements necessary to protect sensitive information and maintain the integrity, confidentiality, and availability of information systems.
COBIT 5 Security Standard
Assess an organization's alignment with the Control Objectives for Information and Related Technologies (COBIT) 5 framework. COBIT 5, developed by ISACA, provides a comprehensive framework for the governance and management of enterprise IT. The questionnaire evaluates how well vendors implement COBIT 5's principles, practices, and analytical tools to ensure effective decision-making, resource management, and risk mitigation in their IT operations, thereby supporting the organization's overall governance objectives.
Health Insurance Portability and Accountability Act (HIPAA)
Evaluate an organization's compliance to the Health Insurance Portability and Accountability Act (HIPAA). Compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). HIPAA establishes national standards for the protection of sensitive patient health information. HIPAA contains requirements for safeguarding medical data, ensuring privacy, and implementing necessary administrative, physical, and technical safeguards to prevent unauthorized access and breaches of protected health information (PHI).
Higher Education Community Vendor Assessment Tool (HECVAT) Full and Lite
Evaluate an organization's compliance against the Higher Education Community Vendor Assessment Toolkit (HECVAT). To protect the Institution and its systems, vendors whose products and/or services will access and/or host institutional data must complete the HECVAT.
The HECVAT Full covers all questions for the most critical data-sharing engagements and is intended for use by vendors participating in a Third Party Security Assessment.
The HECVAT Lite is a lightweight version of the Full version and is typically used for an expedited or less-critical process
The HECVAT Full covers all questions for the most critical data-sharing engagements and is intended for use by vendors participating in a Third Party Security Assessment.
The HECVAT Lite is a lightweight version of the Full version and is typically used for an expedited or less-critical process.
Anatomy of a Cloud
Use the security requirements and cloud guidance detailed in the Australian Attorney-General’s Department’s Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM), and the Digital Transformation Agency (DTA)’s Secure Cloud Strategy to evaluate cloud computing security risks.
This questionnaire addresses controls across security roles, incidents, outsourcing, security documentation, physical security, personnel security, communications infrastructure, communications systems, enterprise mobility, evaluated products, ICT equipment, media, system hardening, management and monitoring, software development, database systems, email, networking, cryptography, gateways, and data transfers.
Web Application Security Questionnaire
Assess an organization’s controls and policies across web application security including metadata, vulnerability reporting and management, HTTPS, authentication and authorization, common vulnerabilities, testing and monitoring. The Web Application Security Questionnaire is included as part of the Default CyberRisk Questionnaire.
Infrastructure Security Questionnaire
Assess an organization’s controls and policies across infrastructure security, including networks, firewalls, wireless networking, VPN/remote network access, servers, hardening and build standards, security updates and vulnerability management, logging, administrative access, backups, email, clients, encryption, technical security testing, third-party penetration testing, security scanning, and in-house security testing and reviews. The Infrastructure Security Questionnaire is included as part of the Default CyberRisk Questionnaire.
Physical and Data Centre Security Questionnaire
Assess the physical security an organization has in place at its office/s and data center security. The Physical and Data Centre Security Questionnaire is included as part of the Default CyberRisk Questionnaire.
Security and Privacy Program Questionnaire
Assess an organization’s controls and policies of their security and privacy program including security controls, security and privacy policies, internal assessments, third-party audits, risk assessment and management, partner security program, change management, security and privacy incident response, personnel security, and background checks. The Security and Privacy Program Questionnaire is included as part of the Default CyberRisk Questionnaire.
Pandemic Questionnaires
Designed to help you assess how your vendor will handle a pandemic including the impacts on supply chain, continuation of services, legal obligations, HR implications and much more.
SolarWinds Questionnaire
Review an organization's use and management of SolarWinds products and services.
The SolarWinds supply chain compromise, discovered in April 2021, involved cyber attackers inserting malicious code into the SolarWinds' Orion software, which was then distributed to thousands of organizations, including government agencies and private companies. This breach allowed attackers to access sensitive data and networks, highlighting significant weaknesses in supply chain security and the need for improved cybersecurity measures.
Kaseya Questionnaire
To help you determine if you or your vendors were exposed to the sophisticated supply chain ransomware attack that affected Kaseya.
The Kaseya VSA supply-chain ransomware attack in July 2021 involved cybercriminals exploiting vulnerabilities in Kaseya's VSA software to distribute REvil ransomware to managed service providers (MSPs) and their customers, affecting thousands of businesses worldwide.
Apache Log4J - Critical Vulnerability Questionnaire
Determine if third-party vendors are using software or cloud services impacted by the Log4j vulnerability, either directly or via supply chains.
Discovered in December 2021, this vulnerability exposed a critical flaw in the widely used logging library, allowing attackers to execute arbitrary code on affected systems. This severe security issue, known as Log4Shell, impacted millions of applications and services globally, prompting urgent mitigation efforts across the tech industry.