Third party risk assessment questionnaire template
Review suppliers, SaaS vendors, subprocessors, AI tools, data processors, and critical third parties with evidence requests, risk scoring, red flags, and approval decisions.
Direct answer
Use this as the supplier questionnaire layer before assigning a risk tier or approval status.
Questionnaire, acceptable answers, evidence, and red flags
Copy these rows into a procurement intake, vendor review, supplier risk assessment, or customer evidence workflow.
| Area | Question | Acceptable answer | Evidence to request | Red flag |
|---|---|---|---|---|
| Business context | What service does the third party provide, who owns it internally, and which workflow depends on it? | Clear business owner, use case, renewal owner, approval path, and fallback or exit notes for critical vendors. | Procurement intake, business owner statement, contract owner, service description. | No named internal owner or unclear reason the vendor is needed. |
| Data access | What customer, employee, confidential, regulated, or credential data can the third party access? | Data categories, systems, environments, access mode, storage location, retention period, and deletion path are documented. | DPA, data inventory, data-flow diagram, retention/deletion documentation. | Vendor says data is secure but cannot state what data is processed. |
| Security controls | How does the third party manage access, encryption, vulnerabilities, backups, logging, and incident response? | Controls are current, scoped to the product under review, and supported by customer-safe evidence. | SOC 2, ISO 27001, CAIQ, SIG, security policy, pentest summary, access control policy. | Evidence is stale, out of scope, marketing-only, or not tied to the reviewed service. |
| Privacy and subprocessors | Which subprocessors or fourth parties can process data, and how are privacy obligations handled? | Subprocessors, regions, purposes, notification process, DPA status, retention, deletion, and privacy review are documented. | DPA, subprocessor list, privacy policy, region statement, DPIA or privacy assessment. | Vendor cannot name subprocessors or refuses to explain data location. |
| AI and automation | Does the third party use AI, model providers, agents, automated decisions, MCP servers, or broad integrations? | AI data use, training position, retention, model providers, OAuth scopes, tool permissions, human review, and audit logs are documented. | AI vendor assessment, model provider terms, OAuth scope sheet, MCP checklist, audit log sample. | AI features are enabled by default with no customer control, evidence, or review path. |
| Risk decision | What is the final risk tier, what gaps remain, and who accepts or mitigates the risk? | Decision includes tier, rationale, required mitigations, exception owner, review date, and customer-impact notes. | Risk register row, approval record, mitigation ticket, exception note. | Approval is granted without explaining open gaps or ownership. |
Risk score bands
Use scoring to decide review depth, not to hide judgment.
FAQ
Short answers for supplier due diligence and third party risk reviews.
What is the difference between third party risk assessment and vendor risk assessment?
They are often used interchangeably. Third party risk is broader and can include suppliers, service providers, subprocessors, consultants, AI vendors, and any external party that creates operational, security, privacy, or compliance risk.
What evidence should a third party risk questionnaire request?
Request SOC 2 or ISO evidence, access controls, encryption scope, incident response, subprocessor list, DPA, data retention, deletion, vulnerability management, AI data-use terms, OAuth scopes, and audit logs when relevant.
How do you score third party risk?
Score data sensitivity, business criticality, access level, compliance exposure, AI or automation use, and evidence quality. The score should drive approval depth and review cadence.
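The questionnaire table above and this scoring answer describe one workflow: capture structured answers, check the red-flag column, then let a score set review depth without hiding open questions. The following Python is an added example written for this page, not code from the template or its publisher. It assumes a 0 to 4 rating per dimension, the band thresholds and review depths shown in the constants, and a rule that any red flag escalates a low or medium tier to high; all of these are assumptions, as are the sample vendors, which are constructed and describe no real company.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The six dimensions come from the template's FAQ. Each is rated as a risk
# contribution from 0 (none) to 4 (highest); for evidence_quality, rate how
# weak the evidence is. The scale, bands and review depths are assumptions.
DIMENSIONS = ("data_sensitivity", "business_criticality", "access_level",
              "compliance_exposure", "ai_automation_use", "evidence_quality")
MAX_RATING = 4
BANDS = ((0, 7, "low"), (8, 14, "medium"), (15, 19, "high"), (20, 24, "critical"))
REVIEW_DEPTH = {
    "low": "desk review of intake and contract",
    "medium": "questionnaire plus sampled evidence",
    "high": "full questionnaire, evidence validation, named mitigations",
    "critical": "full review, exception sign-off, exit plan, annual re-review",
}
REVIEW_DATE = date(2024, 9, 1)  # constructed assessment date for the samples


@dataclass
class VendorResponse:
    """Structured answers to the questionnaire rows (a constructed shape)."""
    vendor: str
    internal_owner: Optional[str]
    data_categories: List[str]
    subprocessors: Optional[List[str]]   # None: vendor could not name them
    evidence_scope_matches: bool         # evidence covers the reviewed service
    evidence_date: Optional[date]        # date of the newest SOC 2 / ISO / pentest
    ai_enabled_by_default: bool
    ai_customer_control: bool
    open_gaps: List[str]
    gap_owner: Optional[str]
    ratings: Dict[str, int]


def red_flags(resp: VendorResponse, today: date, max_age_days: int = 365) -> List[str]:
    """Map the table's red-flag column onto the structured answers."""
    flags = []
    if not resp.internal_owner:
        flags.append("no named internal owner")
    if not resp.data_categories:
        flags.append("data processed not stated")
    if resp.subprocessors is None:
        flags.append("subprocessors not named")
    if resp.evidence_date is None or (today - resp.evidence_date).days > max_age_days:
        flags.append("evidence missing or stale")
    if not resp.evidence_scope_matches:
        flags.append("evidence not tied to the reviewed service")
    if resp.ai_enabled_by_default and not resp.ai_customer_control:
        flags.append("AI enabled by default with no customer control")
    if resp.open_gaps and not resp.gap_owner:
        flags.append("open gaps without an accepting owner")
    return flags


def score(resp: VendorResponse) -> int:
    """Sum the six dimension ratings; refuse incomplete or out-of-range input."""
    total = 0
    for dim in DIMENSIONS:
        if dim not in resp.ratings:
            raise ValueError(f"missing rating for {dim}")
        value = resp.ratings[dim]
        if not 0 <= value <= MAX_RATING:
            raise ValueError(f"rating for {dim} out of range: {value}")
        total += value
    return total


def band(total: int) -> str:
    """Translate a total into a tier name using the assumed bands."""
    for low, high, name in BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"score {total} outside defined bands")


def assess(resp: VendorResponse, today: date) -> dict:
    """Score sets review depth, but any red flag forces at least 'high' so a
    favourable number cannot hide an unanswered question."""
    flags = red_flags(resp, today)
    total = score(resp)
    tier = band(total)
    if flags and tier in ("low", "medium"):
        tier = "high"
    return {"vendor": resp.vendor, "score": total, "tier": tier,
            "review_depth": REVIEW_DEPTH[tier], "red_flags": flags}


def sample_vendors() -> List[VendorResponse]:
    """Constructed sample answers; none describe a real vendor."""
    return [
        VendorResponse("Example Payroll SaaS", "hr-ops", ["employee PII", "bank details"],
                       ["cloud-host-eu"], True, date(2024, 3, 1), False, True, [], None,
                       {"data_sensitivity": 4, "business_criticality": 3, "access_level": 2,
                        "compliance_exposure": 3, "ai_automation_use": 0, "evidence_quality": 1}),
        VendorResponse("Example AI Assistant", "eng-tools", ["source code", "tickets"],
                       None, False, None, True, False, ["no audit log export"], None,
                       {"data_sensitivity": 3, "business_criticality": 2, "access_level": 3,
                        "compliance_exposure": 2, "ai_automation_use": 4, "evidence_quality": 3}),
        VendorResponse("Example Survey Tool", None, ["survey responses"],
                       [], True, date(2024, 6, 1), False, True, [], None,
                       {"data_sensitivity": 1, "business_criticality": 0, "access_level": 1,
                        "compliance_exposure": 0, "ai_automation_use": 0, "evidence_quality": 1}),
    ]


if __name__ == "__main__":
    for vendor in sample_vendors():
        print(assess(vendor, REVIEW_DATE))
```

The third sample shows why the escalation rule matters: a score of 3 would sit in the low band, but the missing internal owner is a red flag from the table, so the tier is raised to high until someone owns the vendor. Tune the thresholds to your own register, but keep the red-flag checks separate from the arithmetic so an open question is never averaged away.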
When should AI vendor questions be included?
Include AI questions when the third party processes prompts, outputs, embeddings, or customer data; connects to internal systems; calls tools; or uses model providers behind the product.