Third-Party Risk Management, GRC

TPRM Blog 12 - Testing your Third Party Questionnaire
Written by

Alex Hollis

Published on

30 Oct 2019


Blog Series Introduction

In this Third Party Risk Management blog series, Alex Hollis guides you through developing effective information gathering for third parties, using five key steps to formulate a third party questionnaire. The accompanying webinar is available on-demand via BrightTALK here.

There are five key steps to the formulation of a third party questionnaire:

  • Requirements – establishing the needs of the organization, both in terms of the risks that need to be managed and the compliance needs arising from regulation and any stakeholder commitments.
  • Research – obtaining an understanding of the types of information needed to satisfy the requirements, and prioritizing those needs across the various types of third parties the organization has.
  • Planning – considering the method, structure and number of assessments (this can also include non-questionnaire approaches such as audits and interviews).
  • Writing questions – formulating the actual questions themselves and the method of response.
  • Testing – obtaining validation and identifying any areas for improvement.

In this twelfth installment of the blog series, we explore the steps you should take to test your questionnaire before you run your third-party assessment.


The final stage before running a third party assessment is testing the assessment itself. As with planning, it is not uncommon for organizations to skip this step.

Testing can be run internally with colleagues or with close partners. You can either sit with your tester and go through the questionnaire question by question, or have them complete the assessment on their own and then review it together.

The questions that you should be asking are:

  • Comprehension / Interpretation – What does the term X mean to you here?
  • Paraphrasing – Can you repeat this question in your own words?
  • Confidence judgment – For any question that asks for a judgment or an estimate, ask how confident the tester is in their answer; this is where estimates can be tested for accuracy.
  • Recall probe – For any question that relies on the respondent remembering something, check that what they recall is accurate.
  • General probe – How did you arrive at that answer? Was it easy or hard? I noticed that you hesitated; why was that?


This series has explored each of the five stages of creating third-party assessment questionnaires. Much of the focus has been on managing the respondent's assessment fatigue, so as to maintain a high quality of answers returned.

To view the previous blogs in the series click here.