The Centauri Step, Governance and IT Security

Which Security Questionnaire to choose?

Marion Mellor

The shortest reviews are always the most effective!

Choosing your weapons

Similarities and differences between a “Security Audit” and a “Security Review”:

  • Both start with a Questionnaire.
  • A security review is less formal, less standardized and allows more freedom with respect to the needs of the business.
  • An audit follows very specific codes and uses a specific nomenclature; however, for the activities of your business, a supplier review should be enough to give you a good idea of the risks you face.
  • You don’t need to perform a full audit of every single supplier: as a rule of thumb, formal audits for the 5% of suppliers that are most critical, and security reviews for the other 95%.

In any case, absolutely all contracts must undergo a security assessment to avoid holes in the net – as it is precisely such holes that hackers prefer.

Asking the right questions

The ISO 27002 standard includes 114 controls set out in 18 chapters. Although the aim is to ensure your supplier/service provider’s full compliance with this standard, do you really need to ask for details of every control, as if you were issuing a certification? It seems wiser to adopt a “risk-management approach” (see the “Security Governance” section, article “The Risk Approach”), to be pragmatic, and to adapt your questions to each supplier.

This second option is more efficient, but it does require some time and a little preparation.

  1. List the main categories of all the services that could be concerned by security: cloud-based SaaS solutions, software, maintenance services, infrastructure, consulting, maintenance contracts for premises, etc.
  2. Decide the level of questionnaire for each service type. Remember, for example, to add specific questions for your cloud-based service providers on their SOC access arrangements (the Security Operations Centre is the command centre for all intrusion detection systems). You can make use of the ISO 27017 standard (one of the standards in the wider ISO 27000 family which specifically addresses cloud-based environments).
  3. Put yourself in the shoes of the supplier who is completing the questionnaire. Is it appropriate to their field of work? Are all of their products and services concerned by the security measures you are asking them about?

MY ADVICE: Always inform your supplier that you need to assess their overall level of IT security maturity, and that the questions therefore concern their entire organization, not merely the product or service covered by the contract in question.

This security review should remain valid for one to three years, depending on the criticality of the service or project.

Reassure your supplier that they won’t have to answer 75 questions from you every year. In fact, I recommend limiting your questionnaire to 25 relevant questions that you can complete through one or two conversations with the supplier.

ANOTHER PIECE OF ADVICE: In conclusion, shorter questionnaires are more pertinent … but why? Because 10 key controls are sufficient for every security review. If your assessor is relatively experienced at this task, they will be able to focus on a few pieces of evidence that confirm compliance with several chapters of your security standard.

Obtaining solid proof: ask, verify, challenge, approve!

Can you take a supplier’s word for it on security? No. Because measures that they “say” they have taken are not necessarily in place across all of the business.

For example: The CEO of a company assures you that he has segregated access to prevent any employee from being able to delete data or activity logs. But how can you verify this practice? How can you ensure that the persons in charge of information systems have properly understood the practice and that it is constantly controlled?

TO SAVE TIME: If a supplier refuses to send documents, screenshots, extracts of confidentiality clauses in employment contracts, don’t worry! You can arrange a video conference and check the evidence online. Take screenshots yourself during the meeting, or certify in your report that you have verified the existence of this evidence.