jan-karel.com

The questionnaire that proves nothing but takes three weeks

A few months ago I received a request from a large retailer. They wanted me to "due-diligence" their new SaaS vendor. Attached to the request was a PDF. The PDF was 47 pages long. The PDF was titled "Information Security Vendor Questionnaire v3.2" and contained 187 questions. The retailer expected that I would put these questions to the vendor, that the vendor would write down the answers (in the same PDF, in boxes too small for sensible answers), that I would assess them, and that I would put a signature on page 47 next to the words "approved" or "not approved".
