January 10, 2022
The SCF – A Valuable Resource To Help Determine Vendor Controls For Assessments
It’s the start of a new year and a great time to check what controls you look for from vendors and third parties when conducting an assessment.
Most companies rely on a mix of questions on a security questionnaire, third-party attestation documents and ad-hoc methods to gather the data needed to determine a vendor’s control environment. The SCF, described below, also answers the common question of “What security questions should be included on my vendor security questionnaire?”
Many organizations create a list of controls that roughly corresponds to their own internal framework. However, depending on the vendor, these controls are sometimes difficult to map to what the vendor actually reports. The SCF from the Secure Controls Framework Council is a great resource for identifying the controls relevant to your specific industry, or those tied to a framework you want to align your security organization with.
For instance, you can see controls that align to HIPAA, NERC CIP, GLBA, SOX, FFIEC, NIST and AICPA TSC, to name a few of the frameworks included. Every common framework and many less common ones are covered in the SCF.
A great benefit to the information security community is that the SCF is kept completely free; it is funded through donations and vendor sponsorships.