Practice vendor risk management vocabulary: security questionnaires, SOC 2 reports, ISO 27001 certification, annual assessments, and risk tiering.
1 / 5
Your procurement process requires 'the vendor to complete a 150-question security questionnaire.' What is the purpose of this questionnaire?
A vendor security questionnaire (VSQ) is a due diligence tool: it asks detailed questions about the vendor's security program, including access controls, encryption, incident response, data handling, subprocessors, and certifications. The answers help you assess whether the vendor meets your security standards before engagement. Because answers are self-attested, a mature process asks for supporting evidence (audit reports, policies, penetration test summaries) for the questions that matter most, rather than relying on the checkboxes alone.
2 / 5
A vendor says 'We are SOC 2 Type II certified.' What does SOC 2 Type II mean?
SOC 2 is an attestation report, not a certification, issued by a licensed CPA firm. It evaluates a vendor's controls against the AICPA Trust Services Criteria (security is always in scope; availability, processing integrity, confidentiality, and privacy are included only if the vendor chooses). A Type I report describes control design at a point in time; a Type II report tests whether the controls operated effectively over a defined period (typically 6-12 months). When a vendor makes this claim, request the actual report and check the scope (which systems and criteria), the audit period, any noted exceptions, and, if the period has already ended, a bridge letter covering the gap.
3 / 5
A vendor assessment notes 'The vendor holds ISO 27001.' What does this certification demonstrate?
ISO 27001 certification attests that an accredited certification body has audited the vendor's information security management system (ISMS) and found it conforms to the standard. It covers risk assessment, security policies, selected physical and technical controls (drawn from Annex A), management review, and continuous improvement, providing assurance about the vendor's overall security posture. Certification is scoped: check the certificate for which business units, sites, and services it covers, and ask for the Statement of Applicability to see which controls were included or excluded. Certificates run on a three-year cycle with annual surveillance audits, so confirm the certificate is current.
4 / 5
Your vendor management policy says 'The vendor assessment is annual.' Why is annual reassessment important?
Vendor risk is dynamic: a vendor that was secure 18 months ago may since have suffered a breach, lost key security staff, added new subprocessors, or changed the services you depend on. Annual reassessment ensures your organization maintains a current view of each vendor's posture and can respond to changes. For critical-tier vendors, many programs supplement the annual cycle with event-driven reviews (a reported incident, a material change in scope, or an expired audit report) rather than waiting for the next anniversary.
5 / 5
Your vendor risk register 'rates vendors as critical/high/medium/low.' What factors typically determine a vendor's risk tier?
Vendor risk tiering considers: what data is shared (PII, financial data, or credentials = higher risk), how deeply integrated the vendor is (single sign-on, API keys, or production access = higher risk), what happens if the vendor fails or is compromised (critical path vs. nice-to-have), and the vendor's demonstrated security posture. The tier then sets the depth and frequency of due diligence: a critical vendor might require a full questionnaire, an audit report, and contractual security terms, while a low-tier vendor with no data access gets a lightweight review.