VENDOR SECURITY QUESTIONNAIRE AND TPRM ASSESSMENT TEMPLATE

Vendor Intake · Data Scope · Control Evidence · Residual Risk · Approval


Document ID	CERG-TMPL-TPRM-001
Version	1.1
Status	Approved
Classification	Public
Owner	Vendor Risk Analyst
Parent Document	`CERG-PRC-TPRM-001` - Third-Party and Supply Chain Risk Procedure
Supporting Documents	`CERG-PRC-TPRM-001` · `CERG-PLN-PRIV-001`
Review Cycle	Annual / On process or control change
Frameworks	NIST CSF 2.0 GV.SC · NIST 800-53r5 SR · ISO/IEC 27001 A.5.19 through A.5.23
Regulations	Cross-cutting; privacy, CUI, SOX, and contractual obligations where applicable
Environments	All in-scope CERG environments where this template is used

Purpose and Use
Template Instructions
Fill-In Template
Review and Approval
Document Control

1. Purpose and Use

This template captures vendor security intake, questionnaire responses, evidence review, risk rating, required remediation, and approval. It is designed to support repeatable third-party and supply-chain risk decisions without forcing every vendor into the same depth of review.

Vendor Risk Is Inherited Only If Conditions Hold

A SOC 2 report or ISO certificate is not a blanket pass. Reliance depends on the service scope, data processed, subprocessor chain, control exceptions, and the customer responsibilities the organization must actually perform.

2. Template Instructions

Copy this template before use.
Replace every bracketed field with case-specific information.
Do not delete fields that appear not applicable. Mark them Not Applicable and explain why.
Use canonical CERG role names from CERG-GOV-OM-001.
Link risks, findings, exceptions, evidence, and approvals to the system of record.
Store the completed artifact in the evidence library governed by CERG-PRC-AUD-001.

3. Fill-In Template

3.1 Vendor Intake

Field	Value
Vendor Name	`[Name]`
Service Name	`[Service]`
Business Owner	`[Owner]`
Vendor Risk Analyst	`[Name]`
Contract Stage	`[Prospect / Renewal / Existing / Termination]`
Service Criticality	`[Critical / High / Moderate / Low]`
Data Classification	`[Highest classification]`
Personal Data	`[Yes / No]`
CUI / Regulated Data	`[Yes / No / Details]`

3.2 Questionnaire

Question	Vendor Response	Evidence Required	Reviewer Notes
Does the vendor maintain a security program?	`[Response]`	`[SOC 2 / ISO / policy]`	`[Notes]`
Is MFA required for administrative access?	`[Response]`	`[Config / policy]`	`[Notes]`
Is data encrypted in transit and at rest?	`[Response]`	`[Evidence]`	`[Notes]`
Are vulnerabilities managed with defined SLAs?	`[Response]`	`[Report / policy]`	`[Notes]`
Are incidents reported within contractual timelines?	`[Response]`	`[Contract / policy]`	`[Notes]`
Are subprocessors disclosed?	`[Response]`	`[List]`	`[Notes]`
Is deletion or return supported at termination?	`[Response]`	`[Terms / procedure]`	`[Notes]`

3.3 Risk Decision

Area	Rating / Decision	Rationale
Inherent vendor risk	`[Low / Medium / High / Critical]`	`[Rationale]`
Control evidence quality	`[Strong / Adequate / Weak / None]`	`[Rationale]`
Residual vendor risk	`[Low / Medium / High / Critical]`	`[Rationale]`
Required remediation	`[Actions]`	`[Owner and due date]`
Approval decision	`[Approve / approve with conditions / reject / defer]`	`[Rationale]`

3.4 Business Decision Box

Decision Question	Business Owner Response
What business capability depends on this vendor?	`[Capability and priority]`
What decision is being requested?	`[Proceed / proceed with conditions / renew / defer / reject / terminate]`
What alternatives were considered?	`[Alternative vendors / internal option / delay / no action]`
What vendor risk conditions must the business fund or enforce?	`[Contract clause / remediation / compensating control / monitoring]`
What happens if the vendor is not approved or renewal is delayed?	`[Operational, financial, regulatory, or customer consequence]`
Who owns vendor-risk conditions after approval?	`[Business owner and technical owner]`

4. Review and Approval

Reviewer / Approver	Review Meaning	Name / Date
Vendor Risk Analyst	Completes assessment and recommended decision.	`[Name / Date]`
Business Owner	Accepts business need, owns vendor conditions, and confirms whether to proceed, defer, reject, or terminate.	`[Name / Date]`
Risk Pillar Leader	Approves vendor residual-risk treatment.	`[Name / Date]`
Chief Information Security Officer (CISO)	Approves High or Critical vendor risk acceptance where required.	`[Name / Date]`

Completed templates are reviewed at the cadence defined by their parent procedure or plan. Material changes require a new review.

5. Document Control

Field	Value
Document ID	CERG-TMPL-TPRM-001
Version	1.1
Status	Approved
Effective Date	2026-05-22
Classification	Public
Owner	Vendor Risk Analyst
Approved By	CISO
Parent Document	`CERG-PRC-TPRM-001` - Third-Party and Supply Chain Risk Procedure
Review Cycle	Annual; and on process or control change
Next Scheduled Review	2027-05-22
Frameworks	NIST CSF 2.0 GV.SC · NIST 800-53r5 SR · ISO/IEC 27001 A.5.19 through A.5.23
Regulations	Cross-cutting; privacy, CUI, SOX, and contractual obligations where applicable
Environments	All in-scope CERG environments where this template is used

Revision History

Version	Date	Author	Change Summary
1.1	2026-06-18	Vendor Risk Analyst	Added business-facing decision box and Business Owner review line for vendor proceed/defer/reject decisions and post-approval conditions.
1.0	2026-05-22	Cyber Governance	Initial release. Establishes a standalone fill-in template for vendor security questionnaire and TPRM assessment template.

Review Triggers

Parent procedure or plan change
Audit, assessment, or tabletop finding related to this template
Role or approval model change
Direction from the CISO

Document	ID	Relationship
Third-Party and Supply Chain Risk Procedure	`CERG-PRC-TPRM-001`	Governing procedure
Privacy and Data Protection Operational Package	`CERG-PLN-PRIV-001`	Privacy vendor evidence interface

Source: templates/CERG-TMPL-TPRM-001_Vendor_Security_Questionnaire_and_Assessment_Template.md · Download .md · View on GitHub