Name three types of due diligence artifacts used in vendor risk assessments.

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

Name three types of due diligence artifacts used in vendor risk assessments.

Explanation:
In vendor risk assessments, you look for evidence that a supplier actually has and maintains effective security controls. The best trio to capture this is security questionnaires, attestations, and certifications. Security questionnaires collect self-reported details about how controls are designed and operated across areas like access management, encryption, incident response, and vulnerability management, giving a broad baseline quickly across many vendors; because the answers are self-reported, they should be cross-checked against the independent artifacts rather than accepted on their own. Attestations, such as SOC reports, provide third-party assurance that an independent assessor evaluated the controls: a SOC 2 Type 1 report covers control design at a point in time, while a Type 2 report covers operating effectiveness over a review period, so the report type, scope, period, and any noted exceptions all matter when reading one. Certifications, like ISO 27001, demonstrate that the vendor operates an information security management system that an accredited certification body has found to conform to a formal, internationally recognized standard; the certificate's scope statement should be checked to confirm it covers the services being purchased. Together, these artifacts span self-reported information, independent verification, and formal certification, giving a solid, multi-faceted view of security posture. The other options mix in things that are less about providing standardized security evidence for due diligence, such as internal plans, on-demand test results, or non-security financial materials.

