TL;DR
- Tier vendors by data sensitivity and system access before deciding how deep a review to run, not every vendor needs a 300-question SIG.
- Pull a current SOC 2 Type II or ISO 27001 report, subprocessor list, and data flow diagram before you send a single questionnaire question.
- Use a standard framework (SIG Lite, SIG Core, or CAIQ v4) instead of a custom form whenever the vendor already has one on file, it cuts review time for both sides.
- Build the contract terms (breach notification window, right-to-audit, subprocessor change notice) into the same checklist as the technical review, security and legal move in parallel, not in sequence.
- Vendors that can answer fast, with cited sources instead of guesses, clear the checklist in days instead of weeks. That's the gap Wolfia is built to close on the vendor side.
Why procurement teams need a written checklist
A written checklist keeps a vendor review from becoming a judgment call made under deal pressure. Without one, the depth of review tends to track how badly sales wants the deal closed, not how much risk the vendor actually introduces. A checklist fixes the review depth to the vendor's risk tier before anyone is negotiating a close date.
It also gives legal, security, and procurement a shared record. When an auditor or a customer later asks "how did you vet this vendor," the answer should be a completed checklist with dated evidence, not a Slack thread.
How do you tier vendors for a security assessment?
Tier by data sensitivity and system access, not contract size. A vendor touching regulated customer data or production infrastructure needs a full SIG or CAIQ review, while a vendor with no data access and no system integration can clear a short-form checklist.
A simple three-tier model works for most procurement teams:
- Tier 1, critical: handles regulated data (PHI, PCI, or customer PII), has production system access, or is a single point of failure for a core process. Full SIG Core or CAIQ v4 review, SOC 2 Type II required, annual re-assessment.
- Tier 2, moderate: handles internal or aggregate data, no production access. SIG Lite or a shortened custom questionnaire, SOC 2 Type I or II accepted, re-assessment every 18-24 months.
- Tier 3, low: no data access, no system integration (an office supply vendor, a conference sponsorship). Self-attestation form only, no annual re-review required.
Tiering upfront is the single biggest time saver in the entire process. Sending a 261-question CAIQ to a vendor that only receives your marketing team's email list wastes days for everyone. If you want the full question set to draw from when a vendor does land in Tier 1, our mapping of all 261 CAIQ v4 questions by domain breaks out which sections actually apply to which risk areas.
The checklist: 10 steps before you send
- Confirm the vendor tier. Data sensitivity and system access decide the review depth, set this before anyone drafts a question.
- Request the current compliance report. SOC 2 Type II, ISO 27001, or equivalent, dated within the last 12 months. A report older than that is a flag, not a pass.
- Get the subprocessor list. Every downstream vendor that touches your data needs to be on it, with their own compliance posture spot-checked for Tier 1 vendors.
- Request a data flow diagram. Where does your data enter, where is it stored, where does it leave. If the vendor can't produce one, that's itself a signal about their internal documentation maturity.
- Pick the questionnaire format. SIG Lite for Tier 2, SIG Core or CAIQ v4 for Tier 1. Only build a custom form when the standard frameworks genuinely miss something specific to your industry.
- Set the response deadline and escalation path. Two weeks is standard for Tier 1, one week for Tier 2. Name who follows up if the vendor goes quiet.
- Check encryption and access control specifics. Encryption at rest and in transit (AES-256, TLS 1.2+), MFA on privileged accounts, logging and retention periods.
- Review incident response and breach notification terms. Get the notification window in writing (24, 48, or 72 hours) before you sign, not after an incident forces the conversation.
- Confirm subprocessor and data location change notice. Require advance notice, not after-the-fact disclosure, if the vendor adds a new subprocessor or moves data to a new region.
- Score the responses and route exceptions. Any answer that doesn't meet your baseline goes to a named reviewer for a risk-accept or a remediation deadline, not into a spreadsheet nobody revisits.
Can a trust center replace a questionnaire?
For an initial screen, often yes. A trust center that publishes a current SOC 2 report, subprocessor list, and pen test summary can answer most Tier 2 and Tier 3 questions without a formal questionnaire round trip. For Tier 1 vendors, most procurement teams still want the vendor's specific, dated answers on record for the deal, since a trust center's general disclosures don't always map cleanly onto a specific contract's requirements.
The practical pattern we see: use the trust center to pre-qualify and cut the question count, then send a shorter, targeted questionnaire for anything the trust center doesn't answer directly. If a vendor pushes back and points you only to a static trust center page when you need contract-specific answers, our guide on what to do when a buyer rejects your trust center for a custom questionnaire covers how that back-and-forth usually resolves.
What should the evidence request actually include
Beyond the compliance report itself, ask for:
- Penetration test summary from the last 12 months, with remediation status on any critical or high findings.
- Access control policy, specifically how privileged access is provisioned and revoked.
- Business continuity and disaster recovery plan, with a stated RTO and RPO.
- Employee security training cadence, at minimum annual, with completion tracking.
- Cyber insurance coverage, with the policy limit, since it's the fallback if a control genuinely fails.
NIST's SP 800-161r1 guidance on cybersecurity supply chain risk management frames this the same way: the goal isn't a yes/no on each control, it's building a documented, risk-based picture of the vendor's practices that you can act on later. Treat the evidence request as building that picture, not as a box-checking exercise.
Standard framework or custom form?
Default to a standard framework. The Shared Assessments SIG questionnaire and the Cloud Security Alliance's CAIQ v4 exist specifically so vendors don't have to rebuild their answer set for every customer, and so your team isn't drafting new questions from scratch each cycle. A custom form should only cover what's genuinely specific to your industry or contract, HIPAA-specific questions for a healthcare buyer, CMMC-specific questions for a defense contractor, and so on.
Building a custom form from scratch also means your team owns maintaining it as frameworks update and new threats emerge. That's real ongoing work most procurement teams underestimate. If you're inheriting a legacy custom questionnaire and considering a switch to a standard framework, our SIG questionnaire walkthrough covers what the standard sections cover and where a custom addendum still makes sense.
Where this fits into broader third-party risk management
A single vendor checklist is one input into a broader third-party risk management program, which also covers ongoing monitoring, contract renewal triggers, and a documented offboarding process when a vendor relationship ends. If you're building or refreshing that broader program rather than a single vendor review, our third-party risk management guide covers the full lifecycle, not just the intake checklist.
Positioning: the checklist runs faster when the vendor answers fast
Wolfia is built for security and GRC teams handling this exact workflow, on the vendor side of the table. Most of the time in a vendor security review isn't spent by the buyer's procurement team, it's spent waiting on the vendor to produce answers and evidence. A vendor that can turn around a SIG Core or CAIQ v4 questionnaire in a day instead of three weeks compresses the entire checklist timeline for both sides.
How Wolfia helps vendors clear the checklist
For the vendor receiving the checklist above, Wolfia's Questionnaire Automation reads incoming SIG, CAIQ, or custom forms and drafts answers pulled from a self-maintaining knowledge base, with a source citation attached to every answer so the reviewer on the other side can verify it against the actual policy or control document. The Trust Center gives procurement teams the self-serve option described earlier, a live, gated portal with the current SOC 2 report, subprocessor list, and security overview, so Tier 2 and Tier 3 reviews can often skip the questionnaire step entirely.
For questions that need a second set of eyes before they go out, answers route automatically to a named reviewer instead of sitting in an inbox. The Portal Agent handles submission directly into OneTrust, ServiceNow, and 55+ other vendor risk portals, so the vendor's security team isn't manually re-typing answers into whatever tool the buyer happens to use. And because the knowledge base updates itself as policies change, a vendor answering the same questionnaire six months later isn't working from stale answers.
Final Thoughts
A vendor security assessment checklist works when the review depth matches the vendor's actual risk, when the evidence request is specific enough to verify, and when both sides can turn around answers in days instead of weeks. Tier first, pull real evidence second, and pick a standard framework over a custom form unless you have a concrete reason not to. The teams that get stuck aren't the ones with the strictest checklist, they're the ones without one, deciding review depth deal by deal under whatever pressure that week's pipeline creates.



