- NIS2 Article 21(2)(d) requires supply chain security. You must demonstrate that you assess your suppliers and contractually anchor security requirements.
- Not every supplier needs the same level of scrutiny. Criticality levels (A, B, C) determine how intensive the assessment is.
- The security questionnaire covers 35 questions across seven categories: organization, access management, network security, data protection, incident management, BCM, and compliance.
- Evaluation uses a point system. A score below 50% for a Category A supplier requires immediate action.
- Contractual clauses on security standards, audit rights, reporting obligations, and liability are not optional — they are mandatory components of every supplier agreement.
Why You Must Assess Your Suppliers
Your company's security doesn't end at your firewall. Every external IT service provider with access to your systems, every cloud vendor processing your data, and every supplier whose software you use is a potential entry point for attackers. The supply chain attacks of recent years have demonstrated this dramatically: SolarWinds, Kaseya, MOVEit, 3CX. In each of these cases, it wasn't the companies themselves that were attacked but their suppliers — and the damage hit thousands of customers.
NIS2 has responded to this. Article 21(2)(d) explicitly requires affected companies to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This sounds abstract but means three concrete obligations in practice: you must know which suppliers are security-relevant. You must assess their security level. And you must contractually anchor security requirements.
Even without a NIS2 obligation, supplier assessment is a standard component of any ISMS under ISO 27001. Controls A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), and A.5.22 (Monitoring, review and change management of supplier services) of ISO 27001:2022 address exactly this topic.
Criticality Levels: Not Every Supplier Is Equally Important
Before you send out a questionnaire, you must classify your suppliers. A company with 100 employees easily has 50 to 100 external service providers and suppliers. Assessing all of them with the same effort would be neither practical nor sensible. The solution: criticality levels.
Level A: Critical Suppliers
Level A suppliers have direct access to your IT systems or process confidential data on your behalf. Typical examples are the managed service provider (MSP) who administers your servers, the cloud vendor hosting your ERP or CRM, the external IT security provider with access to your SIEM or firewall, the payroll service provider processing personnel data, and the vendor of your industry software if it's operated as SaaS.
For Level A suppliers, the full depth of assessment applies: comprehensive security questionnaire, review of certifications and audit reports, contractual security clauses, and annual reassessment.
Level B: Important Suppliers
Level B suppliers have no direct system access but are relevant to business operations or process less sensitive data. These include standard software providers (licenses, updates), telecommunications providers, hardware suppliers, facility management service providers with access to server rooms, and external consultants with project-based data access.
For Level B suppliers, an abbreviated questionnaire or review of existing certifications is sufficient. Reassessment occurs every two years or on an ad-hoc basis.
Level C: Non-Critical Suppliers
Level C suppliers have no access to IT systems or data and are not immediately critical to business operations. These are office supply providers, beverage suppliers, cleaning service providers without access to secured areas, and similar.
No security assessment is required for Level C suppliers. Simple registration in the supplier register suffices.
How Do You Classify?
Three questions help with classification: Does the supplier have access to your IT systems or networks? Does the supplier process confidential or personal data on your behalf? Would a failure of the supplier be business-critical, i.e. would your company be unable to operate for more than 48 hours without them?
A yes to the first or second question always means Level A, as the Level A definition above requires; direct system access or confidential data on its own is enough. If only the third question is a yes (business-critical, but no access to systems or data), the supplier is Level B. If all three are no, it's Level C.
The Security Questionnaire: 35 Questions in 7 Categories
The following questionnaire is designed for Level A suppliers. For Level B suppliers, you can omit the questions marked with an asterisk (*) to reduce scope.
Each question has three possible answers: Yes (fully implemented), Partially (in implementation or only partially implemented), and No (not implemented). For "Yes" and "Partially," the supplier should provide a brief explanation or evidence.
Category 1: Organization and Governance (5 Questions)
1.1 Does your company have a documented information security management system (ISMS)?
1.2 Is there a designated information security officer (ISO) or comparable role?
1.3 Are employees trained regularly (at least annually) on information security and data privacy?
1.4 Does your company have a current information security policy approved by executive management?
1.5* Is your ISMS regularly reviewed through internal or external audits?
Category 2: Access Management (6 Questions)
2.1 Is access to systems and data governed by the least-privilege principle?
2.2 Is multi-factor authentication (MFA) used for access to critical systems and remote connections?
2.3 Is there a documented process for creating, modifying, and deleting user accounts (user lifecycle management)?
2.4 Are permissions reviewed regularly (at least annually) and adjusted as needed?
2.5 Is administrative access to systems separately secured (e.g., through Privileged Access Management)?
2.6* Are shared accounts avoided and is every access attributable to an individual?
Category 3: Network Security (5 Questions)
3.1 Is your network segmented into security zones (e.g., DMZ, internal network, management network)?
3.2 Are firewalls deployed at all network boundaries and are rulesets reviewed regularly?
3.3 Are systems and applications regularly patched with security updates (patch management)?
3.4 Are vulnerability scans or penetration tests conducted regularly?
3.5* Are remote connections provided exclusively via encrypted connections (VPN, SSH) with MFA?
Category 4: Data Protection and Data Security (5 Questions)
4.1 Are personal and confidential data encrypted during transmission (e.g., TLS 1.2+)?
4.2 Are personal and confidential data encrypted at rest?
4.3 Is there a documented deletion concept ensuring data is securely deleted after contract end or expiry of the retention period?
4.4 Is the processing of personal data governed by a data processing agreement (DPA) pursuant to Art. 28 GDPR?
4.5* Is data processed exclusively in data centers within the EU/EEA? If not: what safeguards exist for third-country transfers?
Category 5: Incident Management (5 Questions)
5.1 Is there a documented incident response plan for security incidents?
5.2 Is the client notified immediately (within 24 hours) of security incidents affecting their data or systems?
5.3 Are security incidents systematically recorded, analyzed, and processed with lessons learned?
5.4 Is there a 24/7 emergency team or a defined escalation path for critical security incidents?
5.5* Are exercises or simulations of security incidents conducted regularly (at least annually)?
Category 6: Business Continuity Management (5 Questions)
6.1 Is there a documented data backup concept with regular backups?
6.2 Are restore tests conducted regularly (at least quarterly) and documented?
6.3 Does a business continuity plan exist that governs the continuation of critical services during an outage?
6.4 Are Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined for the services you provide and communicated to the client?
6.5* Does your data center have redundant power supply (UPS, generator) and climate control?
Category 7: Compliance and Certifications (4 Questions)
7.1 Does your company hold an ISO 27001 certification or comparable security certification (SOC 2 Type II, BSI C5, TISAX)?
7.2 Is compliance with relevant legal requirements (GDPR, NIS2, industry-specific regulations) regularly reviewed?
7.3 Are subcontractors involved in service delivery assessed regarding their information security?
7.4* Are you prepared to provide audit reports, certificates, or test results to the client upon request?
Evaluation and Scoring
A questionnaire without a clear evaluation methodology leads to subjective gut decisions. That's why you need a transparent scoring system.
Point Allocation
Each question is rated with 0, 1, or 2 points. "Yes" with verifiable evidence earns 2 points. "Partially" with a plausible implementation plan earns 1 point. "No" without planning earns 0 points. A "Yes" without any evidence or explanation should be scored as "Partially": the score is only as good as what you can verify.
The maximum score is 70 (35 questions x 2 points). For Level B suppliers using the abbreviated questionnaire (28 questions, i.e. the 35 minus the seven marked with an asterisk), the maximum is 56 points.
Rating Levels
Green (75-100%): The supplier meets the security requirements. No immediate measures required. Next assessment at the regular interval.
Yellow (50-74%): The supplier partially meets the requirements. There is room for improvement in specific areas. An action plan with deadlines is agreed upon, and implementation is reviewed at the next assessment.
Red (below 50%): The supplier has significant security deficiencies. For Level A suppliers, immediate action is required: either a binding action plan with short deadlines (3-6 months) or evaluation of alternative suppliers. In reassessments, a red result can also lead to termination of the business relationship if no improvement is evident.
Category-Specific Minimum Requirements
In addition to the overall score, it's advisable to define category-specific minimum requirements. A supplier who achieves 70% overall but scores 20% in the "Incident Management" category has a serious problem that gets buried in the overall score.
A sensible minimum rule: no Level A supplier may score below 40% in any single category. If they do, that category is treated as requiring immediate action, regardless of the overall score.
Handling Evasive Answers
In practice, you'll find that some suppliers fill out the questionnaire reluctantly or incompletely. This can have various reasons: time constraints, concern about negative results, or simply a lack of processes that would enable a well-founded answer.
Unanswered questions should be rated at 0 points — this creates an incentive for complete responses. If a supplier fundamentally refuses the questionnaire, that's an informative result in itself. A supplier unwilling to disclose their security measures either has something to hide or doesn't consider information security important. Both are unacceptable for a Level A supplier.
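As an added worked example (not part of the original page), the following Python script implements the scoring rules of this section end to end: 0/1/2 points per question, the abbreviated 28-question set for Level B, unanswered questions scored as 0, the green/yellow/red thresholds, and the 40% per-category floor for Level A suppliers. The category names and the sample response are constructed for illustration; one rule is an assumption added here and marked in the code: a "Yes" without evidence is scored like a "Partially".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The seven categories and 35 question IDs from the questionnaire above.
# A trailing '*' marks questions that are dropped for Level B suppliers.
QUESTIONNAIRE: Dict[str, List[str]] = {
    "Organization and Governance": ["1.1", "1.2", "1.3", "1.4", "1.5*"],
    "Access Management": ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6*"],
    "Network Security": ["3.1", "3.2", "3.3", "3.4", "3.5*"],
    "Data Protection": ["4.1", "4.2", "4.3", "4.4", "4.5*"],
    "Incident Management": ["5.1", "5.2", "5.3", "5.4", "5.5*"],
    "Business Continuity": ["6.1", "6.2", "6.3", "6.4", "6.5*"],
    "Compliance and Certifications": ["7.1", "7.2", "7.3", "7.4*"],
}

GREEN_MIN, YELLOW_MIN = 75.0, 50.0   # overall rating thresholds in percent
CATEGORY_MIN = 40.0                  # per-category floor for Level A suppliers


@dataclass
class Answer:
    value: str              # "yes", "partially" or "no"
    evidence: bool = False  # explanation or evidence supplied with the answer


@dataclass
class Result:
    level: str
    total: int
    maximum: int
    percent: float
    rating: str
    categories: Dict[str, float] = field(default_factory=dict)  # percent per category
    flagged: List[str] = field(default_factory=list)            # categories below the floor


def applicable_questions(level: str) -> Dict[str, List[str]]:
    """Question IDs per category for a criticality level.
    Level A gets all 35; Level B drops the '*' questions, leaving 28."""
    if level not in ("A", "B"):
        raise ValueError("only Level A and B suppliers receive the questionnaire")
    return {
        cat: [q.rstrip("*") for q in qs if level == "A" or not q.endswith("*")]
        for cat, qs in QUESTIONNAIRE.items()
    }


def points_for(answer: Optional[Answer]) -> int:
    """0/1/2 points as described above. An unanswered question (None) scores 0.
    Assumption added in this example: 'Yes' without evidence is scored like 'Partially'."""
    if answer is None:
        return 0
    value = answer.value.strip().lower()
    if value == "yes":
        return 2 if answer.evidence else 1
    if value == "partially":
        return 1
    if value == "no":
        return 0
    raise ValueError(f"unknown answer value: {answer.value!r}")


def rating_for(percent: float) -> str:
    if percent >= GREEN_MIN:
        return "green"
    if percent >= YELLOW_MIN:
        return "yellow"
    return "red"


def evaluate(answers: Dict[str, Answer], level: str) -> Result:
    """Score one questionnaire response and apply the category-minimum rule."""
    total = maximum = 0
    categories: Dict[str, float] = {}
    flagged: List[str] = []
    for cat, qids in applicable_questions(level).items():
        cat_points = sum(points_for(answers.get(q)) for q in qids)
        cat_max = 2 * len(qids)
        cat_pct = round(100.0 * cat_points / cat_max, 1)
        categories[cat] = cat_pct
        total += cat_points
        maximum += cat_max
        if level == "A" and cat_pct < CATEGORY_MIN:   # floor applies to Level A only
            flagged.append(cat)
    percent = round(100.0 * total / maximum, 1)
    return Result(level, total, maximum, percent, rating_for(percent), categories, flagged)


# Constructed sample response (not a real supplier). Question 5.5 is left unanswered.
Y, P, N = Answer("yes", evidence=True), Answer("partially"), Answer("no")
SAMPLE: Dict[str, Answer] = {
    "1.1": Y, "1.2": Y, "1.3": P, "1.4": Y, "1.5": Answer("yes"),   # 1.5: yes, no evidence
    "2.1": Y, "2.2": Y, "2.3": P, "2.4": P, "2.5": N, "2.6": Y,
    "3.1": Y, "3.2": Y, "3.3": Y, "3.4": P, "3.5": Y,
    "4.1": Y, "4.2": P, "4.3": P, "4.4": Y, "4.5": Y,
    "5.1": P, "5.2": P, "5.3": N, "5.4": N,
    "6.1": Y, "6.2": P, "6.3": P, "6.4": Y, "6.5": Y,
    "7.1": N, "7.2": P, "7.3": P, "7.4": Y,
}

if __name__ == "__main__":
    result = evaluate(SAMPLE, "A")
    print(f"Level {result.level}: {result.total}/{result.maximum} = {result.percent}% -> {result.rating}")
    for cat, pct in result.categories.items():
        note = "  <-- below category minimum, immediate action" if cat in result.flagged else ""
        print(f"  {cat}: {pct}%{note}")
```

Run as a script, the sample lands at 47/70 (67.1%, yellow) overall, but Incident Management scores 20% and is flagged, which is exactly the case the overall score alone would hide. Re-evaluating the same answers as a Level B supplier drops the starred questions and yields 36/56 with no category flag, since the floor is a Level A rule.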
Contractual Clauses You Need
Assessment via questionnaire is the first step. The second, equally important step is anchoring the security requirements in the contract. A questionnaire shows the current state; a contract defines the target state and makes it binding.
Security Standards and Minimum Requirements
The contractual clause should specify which security standards the supplier must maintain. This can be an ISO 27001 certification, compliance with BSI IT-Grundschutz, or a defined set of minimum measures derived from your security questionnaire.
Sample wording: "The contractor commits to maintaining an appropriate level of information security that at minimum corresponds to the security requirements defined in Annex X. The contractor shall inform the client immediately if they can no longer meet these requirements."
Audit Right
You need the contractual right to verify the supplier's security measures. This doesn't have to mean you personally audit on-site every year. It's sufficient if you have the right to regularly submit the security questionnaire, request current certifications and audit reports, and conduct or commission an on-site audit in cases of justified suspicion (e.g., after a security incident).
Sample wording: "The client is entitled to verify compliance with the agreed security requirements. The contractor shall provide relevant documentation, certifications, and audit reports upon request. In cases of justified suspicion of security deficiencies, the client is entitled to conduct on-site audits or have them conducted by qualified third parties."
Incident Reporting Obligation
The supplier must inform you immediately when a security incident occurs that could affect your data or systems. The deadline should be concretely defined: not just "immediately" but, for example, "within 24 hours of becoming aware of the incident." This matches the 24-hour early-warning deadline for significant incidents in NIS2 Article 23. Because your own deadline starts when you become aware of the incident, a supplier who reports within 24 hours still leaves you your full window to meet your own reporting obligations.
The contract should also specify what information the report must contain: nature of the incident, affected systems and data, measures already taken, and a contact person for further coordination.
Subcontractors
Many IT service providers use subcontractors themselves. Your cloud vendor hosts at a data center operator, your MSP employs freelancers, your software vendor uses third-party libraries. The contractual clause must stipulate that subcontractors are subject to the same security requirements, that you are informed about the use of subcontractors, and that you have the right to object to new subcontractors.
Liability and Contractual Penalties
For Level A suppliers, the contract should include a liability clause for security incidents attributable to violations of the agreed security requirements. This doesn't need to be a draconian contractual penalty, but it should be clear that security deficiencies have consequences. In practice, the mere contractual stipulation has a motivating effect on the supplier.
End-of-Contract Provisions
What happens to your data when the contract ends? The clause should stipulate that all data is returned in a standardized format, that the supplier securely deletes all copies after return and provides deletion evidence, and that defined deadlines and support obligations apply for the transition period.
Regular Review: Not a One-Shot
The initial assessment is just the beginning. Security is not a static state, and what looks good today can be very different in a year. A supplier can change personnel, alter processes, lose certifications, or themselves become a victim of an attack.
Frequency
Level A suppliers are assessed annually. Level B suppliers every two years. Additionally, there are ad-hoc assessments for security incidents at the supplier, significant changes in the scope of services, newly discovered vulnerabilities in the supplier's products, and changes in the supplier's ownership structure (acquisitions, mergers).
What Changes Between Assessments
Between formal assessments, you should maintain lightweight monitoring. This includes following the supplier's public security announcements, checking whether certifications have been renewed, and recording security weaknesses you notice in day-to-day collaboration (e.g., expired certificates, unpatched vulnerabilities on systems the supplier operates).
Documentation in the ISMS
All assessments, results, action plans, and evidence should be centrally documented. ISMS Lite helps you anchor supplier assessment in your ISMS: with the relevant controls for supply chain security, a structured assessment process, and reminders for upcoming reviews. A supplier register containing the criticality level, last assessment date, score, open measures, and next assessment date for each supplier is the minimum.
Handling Poor Results
Not every supplier will pass the questionnaire with top marks. That's normal and no reason for immediate panic. What matters is how you handle the results.
Stage 1: Conversation and Action Plan
For a yellow result (50-74%) or a red result in individual categories, conduct a conversation with the supplier. Explain what deficiencies you identified, why they're relevant to you, and what you expect. Agree on a concrete action plan with deadlines. Document the conversation and the plan.
In most cases, suppliers are cooperative when they understand that the requirements aren't arbitrary but stem from legal obligations (NIS2, GDPR) and your own ISMS. Many suppliers, especially smaller IT service providers, haven't yet systematically addressed the topic themselves and are grateful for the impetus.
Stage 2: Compensating Controls
If the supplier cannot meet all requirements in the short term but the business relationship should continue, define compensating controls on your side. These can include enhanced monitoring of the supplier's access, restricting permissions to the absolute minimum, additional encryption of data the supplier processes, or shorter review intervals (quarterly instead of annually).
These compensating controls are documented in the ISMS as risk treatment: the risk is identified (supplier doesn't fully meet requirements), the compensating controls reduce the risk to an acceptable level, and the residual risk is formally accepted by the responsible risk owner (typically executive management).
Stage 3: Escalation and Supplier Change
For a red overall result below 50% for a Level A supplier, especially when no willingness to improve is evident, you must escalate. This means: involving executive management, formal notification to the supplier that the business relationship is at risk, and parallel search for alternative suppliers.
A supplier change is complex and expensive, which is why it should always be the last resort. But a supplier that doesn't meet basic security requirements and shows no willingness to improve is a risk you can't carry permanently — especially under NIS2.
Pragmatic Start: How to Begin
If you haven't conducted systematic supplier assessments before, the effort can seem daunting. A pragmatic entry plan helps you set up the topic in three months.
Month 1: Inventory and classification. Create a list of all suppliers with IT relevance. Classify them according to the three criticality levels. Identify the five to ten most important Level A suppliers.
Month 2: Questionnaire and initial assessment. Adapt the questionnaire to your company (not every question is equally relevant for every industry). Send it to Level A suppliers with a four-week deadline. Evaluate the results and create an assessment for each supplier.
Month 3: Measures and contracts. Conduct conversations with suppliers who received yellow or red results. Agree on action plans. Review existing contracts for security clauses and supplement missing provisions at the next contract renewal.
From there, the process runs in regular operations: annual reassessment of Level A suppliers, biennial reassessment of Level B suppliers, ad-hoc assessments for incidents.
Common Objections and How to Address Them
"Our supplier is ISO 27001 certified — that should be enough." A certification is a good indicator but not a substitute for your own assessment. The certification confirms that the supplier operates an ISMS but says nothing about the scope (does the certificate's scope statement cover the area processing your data?), the specific measures, or the quality of implementation. Additionally, the certification may have expired without your knowledge, so ask for the current certificate and check its validity date.
"Our supplier is much larger than us — they won't let us dictate terms." You indeed won't be able to assess major vendors like Microsoft, AWS, or SAP with an individual questionnaire. Here, you rely on published compliance reports (SOC 2 Type II, ISO 27001, BSI C5) and assess based on these documents. You use the questionnaire with suppliers where you actually negotiate as equals: typically mid-market IT service providers and specialized software vendors.
"The effort is disproportionate to the benefit." The effort can be significantly reduced through automation. A digitized questionnaire that's sent annually and automatically evaluated costs little ongoing effort after the initial setup. And the benefit becomes apparent at the latest when a supplier actually gets hacked and you need to demonstrate that you fulfilled your duty of care.
Supplier assessment is not bureaucratic busywork — it's a protective mechanism that helps you identify risks in your supply chain early. In a world where supply chain attacks are among the most effective attack vectors, this isn't optional — it's mandatory.
Further Reading
- Supply Chain Attacks: How to Secure Your Supply Chain
- Reviewing DPAs and Assessing Service Providers: What to Look For
- NIS2 for IT Service Providers and MSPs: What Changes
- NIS2 for Mid-Market Companies: What You Need to Know and What to Do Now
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
