Lightweight Supplier Due Diligence Questionnaire

Created by Peter Bassill, Modified on Thu, 20 Mar at 6:31 PM by Peter Bassill

Here is a modernised lightweight supplier due diligence questionnaire based on the uploaded version, incorporating updates for GDPR, DORA (Digital Operational Resilience Act), and other relevant cybersecurity and data protection standards. This questionnaire is designed for low-risk suppliers who do not have access to internal systems or confidential data but still require a basic level of security assurance.

Download an Excel version

Section 1: Supplier Information

  1. Supplier Name:

  2. Company Registration Number:

  3. Country of Registration:

  4. Primary Business Contact:

    • Name:

    • Email:

    • Phone Number:

  5. Website URL:

  6. Brief Description of Services Provided:

  7. Does the supplier use subcontractors for any services? (Yes/No)

    • If yes, please provide details.


Section 2: Information Security Policies & Governance

  1. Does the organisation have a formal, documented information security policy? (Yes/No)

    • If yes, please provide a summary or attach relevant documentation.

  2. Is there a dedicated person responsible for security oversight (e.g., CISO, Security Manager)? (Yes/No)

    • If yes, please provide their name and role.

  3. Has the organisation implemented a cybersecurity framework such as ISO 27001, NIST, or Cyber Essentials? (Yes/No)

    • If yes, please specify which framework and provide certification details.


Section 3: Data Protection & Privacy Compliance

  1. Does the organisation process, store, or transmit any personal data? (Yes/No)

    • If yes, please specify the type of data processed.

  2. Is the organisation compliant with GDPR or any other applicable data protection regulations? (Yes/No)

    • If yes, please provide details of compliance measures.

  3. Does the organisation have a Data Protection Officer (DPO) or equivalent role? (Yes/No)

  4. Are employees trained on data protection and privacy regulations? (Yes/No)

  5. Are data retention and disposal policies in place? (Yes/No)

    • If yes, please provide a brief overview.


Section 4: Personnel Security

  1. Are background checks performed on employees with access to sensitive information? (Yes/No)

  2. Do employees receive cybersecurity awareness training? (Yes/No)

  3. Do employees sign confidentiality agreements or non-disclosure agreements (NDAs)? (Yes/No)


Section 5: Physical Security

  1. Does the organisation operate from a secure physical location with access controls? (Yes/No)

  2. Are visitors required to sign in and be escorted in restricted areas? (Yes/No)


Section 6: IT Security Controls

  1. Does the organisation enforce password policies, including multi-factor authentication (MFA)? (Yes/No)

  2. Are all company devices protected by antivirus software and regularly updated? (Yes/No)

  3. Does the organisation maintain up-to-date software and security patches? (Yes/No)

  4. Are cloud-based services used, and if so, which provider(s) (e.g., AWS, Azure, Google Cloud)?

  5. Does the organisation conduct security monitoring and logging of system access? (Yes/No)


Section 7: Incident Management & Business Resilience

  1. Does the organisation have an incident response plan in place? (Yes/No)

  2. Has the organisation experienced any data breaches or cybersecurity incidents in the last 12 months? (Yes/No)

    • If yes, please provide a brief summary of the incident and resolution steps taken.

  3. Does the organisation have a business continuity and disaster recovery plan? (Yes/No)

  4. Are data backups performed and tested regularly? (Yes/No)


Section 8: Compliance with DORA (Digital Operational Resilience Act)

  1. For financial services providers or suppliers operating within the EU, are you compliant with DORA’s ICT security risk management requirements? (Yes/No)

    • If yes, please provide an overview of key security controls implemented.

  2. Do you conduct regular risk assessments to evaluate digital resilience? (Yes/No)

  3. Do you have a mechanism to report major cyber incidents to regulators or affected clients? (Yes/No)


Section 9: Third-Party Dependencies

  1. Do you conduct due diligence on your own suppliers and subcontractors? (Yes/No)

  2. Do you have contractual agreements in place to ensure your suppliers adhere to security best practices? (Yes/No)


Certification & Attestation

By completing this questionnaire, the supplier confirms that the information provided is accurate to the best of their knowledge.

Name:
Position:
Date:


Conclusion

This questionnaire is designed to provide a baseline security assessment for low-risk suppliers. Responses should be reviewed alongside any publicly available cybersecurity policies and independent verification where necessary.
