Third-Party Risk Management, GRC

Third-Party Risk Management Blog 5 – Planning an Effective and Easy-to-Follow Third-Party Questionnaire

Written by Alex Hollis

Published on 20 Apr 2019


In this Third-Party Risk Management blog series, SureCloud’s GRC Practice Director Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to formulating a third-party risk management questionnaire. The third-party risk management webinar is available on-demand via BrightTALK.



There are five key steps to the formulation of a third-party questionnaire:


  • Requirements – establishing the needs of the organisation, both in terms of the risks that need to be managed, the compliance needs arising from regulation, and any stakeholder commitments
  • Research – obtaining an understanding of the types of information required to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has
  • Planning – consideration of the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
  • Writing questions – formulating the actual questions themselves and the method of response
  • Testing – obtaining validation and identifying any areas of improvement



The Planning Phase of Your Third-Party Risk Management Questionnaire

In this fifth instalment, Alex moves into the ‘planning’ phase of questionnaires: establishing the survey type, organising third-party information collection to help manage assessment fatigue, and achieving flow by paying attention to the order and context of the questions.


The next phase is to plan out the questionnaire, and the first thing to consider is the survey method. This post focuses on questionnaire assessments, but there are other survey methods such as audits, face-to-face interviews, and telephone interviews. Additionally, there will not be just one third-party risk assessment over the life of the third-party relationship.


Once we have established the survey type, we can consider satisfying the third-party information needs identified in the requirements and research phase.

We want to ensure that we organise the third-party information collection into logical groups to avoid the respondent having to mentally context switch when answering the questions. This helps better manage third-party risk and the issue of assessment fatigue.


A simple framework for doing this is a table in which each row is one piece of information to collect, with the first two columns as follows:

  • Third-party information needed – The first column is where we decide what needs to be collected. This should concentrate on what we are looking to satisfy.
  • Category/Topic – The second column ensures the flow of questions is maintained. Similar questions will be held or shown to the third-party respondent together.

The remaining three columns of the table are covered in the writing questions phase.


The goal of this is to create an easy-to-follow flow to the questions. The flow must ease the respondent into the questions and ensure the context of each question is well understood.


Start Off Easy

Some cognitive studies have identified the importance of moving from easy to challenging problems when approaching a complex task. It builds the confidence of the individual in completing the task and improves the overall output.

Remember, the respondent to a third-party assessment is a person. Recognise that they may not be the subject matter expert in all of the security and risk controls in their organisation. The first section, and the first question of each section, should use straightforward closed questions to get the respondent started.

Third-party questions about the name of the company and the services being consumed should be straightforward for the respondent to answer.


Make Your Context and Question Order Clear

To achieve flow, pay attention to the order and context of questions.


Consider the question:


Do you allow the sharing of user accounts?


The question is a common one asking about unique user identification. Depending on where the question is placed, it could be a question about the organisation’s information security management policies internally, or it could be asking about a software product feature. Here, the preceding question could change the context.


Another example is:


Do you enter passwords in clear text?


This is asking about the control which obscures or masks passwords as they are entered, preventing ‘shoulder-surfing’, where people might look over the shoulder and obtain passwords. Again, the context is not made evident by the question itself and, as such, must be inferred from its placement.


As well as causing errors through misunderstanding, an unclear context requires more mental effort to evaluate: a respondent may need to re-read the question or look at the surrounding questions to reconfirm the context. This leads to assessment fatigue more quickly, and those already fatigued will be more susceptible to misunderstandings.


One way to help structure this is, when planning assessments, to start with categories that separate contexts. Keep questions about the product and/or service offered separate from the questions about the company itself.


In TPRM Blog 6…

The next instalment in this third-party risk management series focuses on drafting the questions and the simple techniques you can use to improve the collection of information to help manage the assessment fatigue experienced by the respondent. 


View the previous blogs in the third-party risk management series, or head over to our Vendor Risk Management capability to see what software and services are available to help you streamline your third-party risk assessment processes.