What is a security questionnaire and what is its role in TPRM?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

What is a security questionnaire and what is its role in TPRM?

Explanation:
A security questionnaire is a standardized set of security questions used to assess vendor controls and risk levels. In TPRM, it provides a consistent way to collect information about a vendor’s security posture—covering areas like access controls, data handling, encryption, incident response, third-party subprocessor management, and business continuity—so you can compare vendors, gauge residual risk, and decide on onboarding, contract terms, or additional mitigations. The answers help determine the level of due diligence needed and guide ongoing monitoring and re-assessments. It’s not a formal contract outlining obligations, not a data retention schedule, and not a compliance report for audits; rather, it’s a tool to gather verifiable security details (often with evidence) that informs risk-based decisions and ongoing assurance.
