Due Diligence Questionnaire Examples

Due diligence questionnaires work best when tailored to vendor risk tiers and attack surface. Fortune 500 companies typically use 50-100 questions for Tier 1 critical vendors, 25-35 for Tier 2, and automated assessments for Tier 3. Success requires mapping questions to specific control frameworks and business context.

Key takeaways:

  • Risk-tier your vendors first, then select appropriate questionnaire depth
  • Critical vendors require 50-100+ questions across security, compliance, and operational domains
  • Automate Tier 3 vendor assessments to prevent questionnaire fatigue
  • Map every question to a specific control requirement or risk scenario
  • Build follow-up workflows for red flag responses

You've classified your vendors by criticality. Your risk tiering matrix is approved. Now you need questionnaires that actually surface real risks without drowning vendors in irrelevant questions.

The challenge: generic templates either miss critical risks or overwhelm low-risk vendors with unnecessary depth. A SaaS startup processing employee data needs different scrutiny than your cafeteria supplier.

This guide dissects real questionnaire implementations across different vendor types, risk tiers, and regulatory environments. You'll see exactly how organizations structure their assessments, what questions catch actual vulnerabilities, and which approaches scale without sacrificing coverage.

Each example includes the business context, question selection rationale, and actual findings that changed risk ratings. These aren't theoretical frameworks—they're battle-tested approaches from organizations managing hundreds to thousands of vendors.

Critical Infrastructure Vendor: Cloud Service Provider Assessment

Background and Context

A financial services firm needed to assess their primary cloud infrastructure provider after experiencing rapid digital transformation. The vendor handled most production workloads and stored customer financial data across multiple regions.

Risk Profile:

  • Tier 1 Critical Vendor
  • Access to regulated data (PII, financial records)
  • Single point of failure for core operations
  • $50M+ annual spend

Questionnaire Structure and Rationale

The assessment used 127 questions across seven domains, each mapped to specific SOC 2 and ISO 27001 controls:

Data Security (35 questions)

Sample questions that revealed gaps:

  • "Describe your encryption key rotation schedule and provide logs from the last rotation cycle"
  • "Which customer data elements can your support staff access without customer authorization?"
  • "Provide your data residency controls and cross-border transfer mechanisms"

Operational Resilience (28 questions)

Critical questions included:

  • "What is your RTO/RPO for each service tier, with SLA performance data from the last 24 months?"
  • "Describe failover testing results from your last three disaster recovery exercises"
  • "Provide your capacity planning model and current utilization rates"

Key Findings

The deep-dive questionnaire surfaced three critical issues:

  1. Encryption gaps: Customer metadata wasn't encrypted at rest in certain legacy systems
  2. Support access: Tier 1 support could access production data without customer approval
  3. DR testing: Only a majority of services, not all of them, had been included in recent failover tests

Remediation and Continuous Monitoring

Post-assessment actions:

  • Vendor committed to metadata encryption within 90 days
  • Implemented privileged access management for support teams
  • Established quarterly DR testing reviews in vendor governance meetings

Mid-Tier SaaS Vendor: HR Platform Evaluation

Scenario Overview

A technology company evaluated their HR platform vendor processing data for 5,000 employees across 12 countries. The vendor was classified as Tier 2 based on data sensitivity and operational impact.

Risk considerations:

  • Employee PII across multiple jurisdictions
  • Integration with payroll and benefits systems
  • Medium business impact if unavailable

Streamlined Assessment Approach

The 42-question assessment focused on three core areas:

Privacy and Compliance (18 questions)

Targeted questions:

  • "List all subprocessors with access to employee data and their locations"
  • "Describe your GDPR Article 30 records of processing activities"
  • "Provide your employee data retention schedule by data type"

Integration Security (12 questions)

Key technical validations:

  • "Document your API authentication methods and rate limiting controls"
  • "Describe how you handle webhook failures and retry logic"
  • "Provide penetration testing results for all external APIs"

Discoveries and Risk Adjustments

The assessment revealed:

  • Subprocessor in Belarus handling employee photos (GDPR concern)
  • API keys stored in plaintext in configuration files
  • No automated retention for terminated employee data

These findings elevated the vendor to Tier 1 status, triggering quarterly reviews and additional security requirements.

High-Volume Tier 3: Marketing Tool Assessments

Implementation Challenge

A retail company needed to assess 200+ marketing and sales tools annually, most processing only public or anonymized data.

Automated Screening Solution

The company developed a 15-question automated assessment covering:

  • Data types processed
  • Security certifications held
  • Breach history
  • Access to company systems
  • Financial stability indicators

Triage Logic

Tools automatically escalated to Tier 2 assessment if:

  • Processing any customer PII
  • Requiring system integration
  • Lacking SOC 2 or equivalent
  • Breach in last 24 months
  • Access to company network
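The escalation rules above are simple enough to encode directly. The following is an added example, not code from the article or from any vendor's product: it applies the five Tier 3 escalation rules to constructed vendor responses and reports, for each escalated vendor, which rules it tripped. The response schema, the field names and the set of attestations treated as "SOC 2 or equivalent" are assumptions; Tier 1 classification is left to the Tier 2 review, since the article gives no automated criterion for it.

```python
# Added example (not from the article): automated Tier 3 screening that
# applies the escalation rules listed above to constructed vendor responses.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class VendorResponse:
    """Answers from the short automated questionnaire (constructed schema)."""
    name: str
    data_types: set            # e.g. {"public"}, {"anonymized"}, {"customer_pii"}
    certifications: set        # e.g. {"SOC 2 Type II"}
    system_integration: bool   # tool needs an integration with company systems
    network_access: bool       # tool has access to the company network
    breach_dates: list = field(default_factory=list)  # disclosed breach dates


# Assumption: which attestations satisfy "SOC 2 or equivalent".
ACCEPTED_CERTS = {"SOC 2 Type II", "ISO 27001"}
BREACH_LOOKBACK = timedelta(days=730)   # "breach in last 24 months"


def escalation_reasons(v: VendorResponse, today: date) -> list[str]:
    """Return every escalation rule the vendor trips; an empty list means cleared."""
    reasons = []
    if "customer_pii" in v.data_types:
        reasons.append("processes customer PII")
    if v.system_integration:
        reasons.append("requires system integration")
    if not (v.certifications & ACCEPTED_CERTS):
        reasons.append("lacks SOC 2 or equivalent")
    if any(d >= today - BREACH_LOOKBACK for d in v.breach_dates):
        reasons.append("breach in last 24 months")
    if v.network_access:
        reasons.append("has access to company network")
    return reasons


def triage(v: VendorResponse, today: date) -> tuple[str, list[str]]:
    """Any tripped rule escalates to a Tier 2 review; otherwise the tool is cleared."""
    reasons = escalation_reasons(v, today)
    return ("tier2_review" if reasons else "cleared", reasons)


def screen_all(vendors, today):
    """Summarise a batch: counts per outcome plus the reasons per escalated vendor."""
    summary = {"cleared": 0, "tier2_review": 0}
    escalations = {}
    for v in vendors:
        outcome, reasons = triage(v, today)
        summary[outcome] += 1
        if reasons:
            escalations[v.name] = reasons
    return summary, escalations


# Constructed sample responses (not real vendors).
SAMPLE_VENDORS = [
    VendorResponse("Ad analytics tool", {"anonymized"}, {"SOC 2 Type II"}, False, False),
    VendorResponse("Email campaign SaaS", {"customer_pii"}, {"SOC 2 Type II"}, True, False),
    VendorResponse("Landing page builder", {"public"}, set(), False, False,
                   [date(2024, 11, 3)]),
    VendorResponse("Survey widget", {"public"}, {"ISO 27001"}, False, False,
                   [date(2022, 1, 10)]),   # old breach, outside the lookback
]
SAMPLE_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    counts, why = screen_all(SAMPLE_VENDORS, SAMPLE_DATE)
    print(counts)
    for name, reasons in why.items():
        print(f"{name}: {'; '.join(reasons)}")
```

Returning the list of tripped rules rather than a bare yes/no is what makes the Tier 2 follow-up workflow useful: the reviewer starts from the specific red flags instead of re-reading the whole response.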

Results

  • A large share of vendors cleared through automation
  • 20% escalated to Tier 2 review
  • 5% required full Tier 1 assessment
  • A substantial reduction in assessment time for the security team

Edge Case: Fourth-Party Risk Assessment

Complex Scenario

A healthcare system discovered their EMR vendor outsourced critical functions to 15 subcontractors. Standard questionnaires didn't address fourth-party risks adequately.

Specialized Assessment Design

The healthcare system created a supplementary 25-question module covering:

  • Subcontractor risk assessment processes
  • Contractual flow-down requirements
  • Fourth-party incident notification procedures
  • Concentration risk across subcontractors

Critical Finding

Three subcontractors handled the majority of data processing, creating unexpected concentration risk. This led to:

  • Mandatory subcontractor diversification requirements
  • Direct audit rights for critical fourth parties
  • Real-time monitoring of subcontractor changes

Common Questionnaire Pitfalls and Solutions

Problem 1: Compliance Theater Questions

Questions like "Do you have a security policy?" provide no risk insight.

Solution: Replace with evidence-based questions:

  • "Provide your password policy and show enforcement through system configurations"
  • "Share your last three security awareness training completion rates"

Problem 2: One-Size-Fits-All Templates

Using identical questionnaires regardless of vendor type or risk level.

Solution: Build modular questionnaires:

  • Core module (10-15 questions) for all vendors
  • Risk-based modules added by tier
  • Industry-specific modules (HIPAA, PCI-DSS, etc.)
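One way to implement both the evidence-based rule from Problem 1 and the modular structure from Problem 2 is to keep every question in a library entry that records the control it maps to and the evidence it requires, then assemble the questionnaire per vendor. The following is an added example, not the article's or any product's code: question texts are taken from or modelled on the article, while the control identifiers, module contents and evidence labels are constructed placeholders.

```python
# Added example (not from the article): assembling a questionnaire from a
# core module, tier modules and industry modules, with every question tied
# to a control requirement, plus a lint for "compliance theater" questions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control: str    # control requirement or risk scenario (placeholder IDs)
    evidence: str   # artefact the vendor must attach; "" means none required


# Core module for all vendors (control IDs are constructed placeholders).
CORE = [
    Question("CORE-01", "List the data types you process on our behalf",
             "RISK-DATA-CLASS", "data inventory"),
    Question("CORE-02", "Provide your password policy and show enforcement through system configurations",
             "CTRL-IAM-01", "policy + configuration screenshots"),
    Question("CORE-03", "Share your last three security awareness training completion rates",
             "CTRL-HR-02", "training completion reports"),
]
# Risk-based modules: Tier 1 receives the Tier 2 module as well.
TIER_MODULES = {
    2: [
        Question("T2-01", "List all subprocessors with access to our data and their locations",
                 "RISK-4TH-PARTY", "subprocessor register"),
        Question("T2-02", "Document your API authentication methods and rate limiting controls",
                 "CTRL-API-01", "API security design document"),
    ],
    1: [
        Question("T1-01", "Describe your encryption key rotation schedule and provide logs from the last rotation cycle",
                 "CTRL-CRYPTO-03", "key rotation logs"),
        Question("T1-02", "What is your RTO/RPO for each service tier, with SLA performance data from the last 24 months?",
                 "CTRL-BCP-01", "SLA performance reports"),
    ],
}
INDUSTRY_MODULES = {
    "HIPAA": [Question("HIPAA-01", "Provide your executed Business Associate Agreement template",
                       "REG-HIPAA-BAA", "BAA template")],
    "PCI-DSS": [Question("PCI-01", "Provide your current Attestation of Compliance and its scope",
                         "REG-PCI-AOC", "AOC")],
}


def build_questionnaire(tier: int, industries=()) -> list[Question]:
    """Core for everyone; tier modules accumulate downward; industry modules on request."""
    if tier not in (1, 2, 3):
        raise ValueError(f"unknown tier {tier}")
    selected = list(CORE)
    for t in (2, 1):
        if tier <= t:
            selected += TIER_MODULES[t]
    for name in industries:
        selected += INDUSTRY_MODULES[name]   # KeyError on an unknown module is deliberate
    # Drop duplicate question IDs while preserving order (modules may overlap).
    seen, unique = set(), []
    for q in selected:
        if q.qid not in seen:
            seen.add(q.qid)
            unique.append(q)
    return unique


YES_NO_OPENERS = ("do you", "does your", "have you", "is there", "are there")


def compliance_theater(questions) -> list[str]:
    """Flag yes/no questions that require no evidence: they provide no risk insight."""
    return [q.qid for q in questions
            if q.text.lower().startswith(YES_NO_OPENERS) and not q.evidence]


def unmapped(questions) -> list[str]:
    """Question IDs that are not tied to any control requirement or risk scenario."""
    return [q.qid for q in questions if not q.control]


if __name__ == "__main__":
    for q in build_questionnaire(1, ["HIPAA"]):
        print(f"{q.qid:9} {q.control:16} {q.text}")
    weak = Question("X-01", "Do you have a security policy?", "CTRL-GOV-01", "")
    print("flagged as compliance theater:", compliance_theater([weak]))
```

Running `compliance_theater` and `unmapped` over the whole library during the quarterly review is a cheap way to enforce the "map every question to a control" rule and to retire questions that only invite a yes.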

Problem 3: Point-in-Time Assessment

Annual questionnaires miss continuous changes in vendor environments.

Solution: Implement continuous monitoring triggers:

  • Material change notifications
  • Automated certificate expiration tracking
  • Security rating monitoring for Tier 1 vendors
  • Quarterly mini-assessments for critical areas

Frequently Asked Questions

How many questions should a Tier 1 vendor questionnaire contain?

Tier 1 assessments typically include 75-150 questions, depending on data sensitivity and regulatory requirements. Focus on depth over breadth—50 well-crafted questions beat 200 generic ones.

Should we customize questionnaires for each vendor or use standard templates?

Use a hybrid approach: maintain a core question library mapped to your control framework, then build vendor-specific assessments by selecting relevant modules. This ensures consistency while addressing unique risks.

How do we handle vendors who refuse to complete lengthy questionnaires?

For critical vendors, make assessments contractually required. For others, accept security certifications (SOC 2, ISO 27001) in lieu of questionnaires, but require specific attestations for gaps.

What's the best way to validate questionnaire responses?

Require evidence for critical controls: screenshots, policies, audit reports, or configuration files. For Tier 1 vendors, follow up with technical validation calls or on-site assessments.

How often should we update our questionnaire library?

Review questions quarterly for relevance. Add new questions when incidents reveal gaps, regulations change, or new attack vectors emerge. Remove questions that consistently provide no risk insight.

Can AI help analyze questionnaire responses?

AI tools can flag inconsistencies, identify missing responses, and compare answers against known benchmarks. However, human review remains essential for interpreting nuanced responses and technical evidence.

How do we scale assessments for hundreds of vendors?

Implement risk-based automation: auto-approve Tier 3 vendors meeting certain criteria, use branching logic to skip irrelevant sections, and leverage security rating services for initial screening.

