Security questionnaire

Draft of a security questionnaire for vendor and solution evaluation

Policies and organisation

Describe the company
Where is the company located?
Who is responsible for security?
Do you have a security program in place?
Do you have any security certifications such as ISO27001, HIIPAA, SOC2 or PCI DSS etc?
Do you have a business continuity plan?
Do you perform security awareness training?
Do you perform background checks on employees?

Describe the solution.
Describe the architecture of the solution.
Does the solution contain PII or sensitive information?
Where is the solution hosted?
Is the solution multitenant?
Do you use Google Cloud, Azure, Amazon Web Services, or a similar outsourced data center?
Does the solution support SSO?
How is data at rest protected?
How is data in transport protected?

Do you perform pentests?
Do you perform static security analysis of source code?
Do you have monitoring in place?
Do you apply hardening of systems?
Do you use multi-factor authentication?
Do you have controls in place to protect client systems from malware?
Does your company use firewalls to restrict traffic into and out of your network at strategic points?
Are your client systems configured to log security-relevant events, such as authentication, data access, etc.?
Do you have a process for installing operating system and application updates and security patches?
Do you have a process for backup and recovery?

Where is your worforce located?
Are all facilities used exclusively by your company, or are some shared?
Does the company review the physical and environmental risks and adress them?
Do you have a written policy that lists the physical security requirements for office facilities?