Skip to main content

About the author

Roland Thomas

Associate Director | Corporate Development

Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.

IT Security questionnaires have become a fact of life and a cost of doing business. However, respondents frequently complain that they are manual, poorly structured and poorly worded – wasting a huge amount of time. When done properly, due diligence can improve supplier relations, not just supply chain security. 

In 2023 – with 50% of breaches occurring via trusted third parties – an organisation has to treat third-party risk as an extension of its own security posture. Questionnaires may have become a headache for companies and their suppliers, but they don’t have to be. A well-structured, digitised questionnaire which asks the right questions with clarity and precision is a rare thing, but it is not hard to achieve. 

Whether you’re assessing a contractor for a one-off project or a possible critical third-party (CTP) supplier, here are five fundamental things your questionnaires must not overlook. 

1. People: Training and awareness

Basic mistakes remain the primary source of data breaches. No matter how many horror stories people hear about ransomware and viruses, the urge to ‘click here’ in a dodgy email too often proves irresistible. As social engineering techniques become more advanced thanks to AI, you need to ensure that all of your third parties are accounting for the human factor (and that you are too).

  • Does the third party have regular and mandatory cybersecurity awareness training?
  • Does the training cover phishing awareness and the risks of social engineering?
  • What is the third party’s process for reporting suspicious emails or potential incidents?

2. Data protection and privacy

Interrogating your third parties about their data handling practices will tell you a great deal about how you can expect them to treat your sensitive information. 

Bringing a CTP into your network environment carries added risk if you are in a regulated industry and your CTP is not – you will need to ensure that they meet your own compliance standards and can demonstrate that they do to your stakeholders.

  • How does the third party classify and protect sensitive data?
  • Does it have a recovery plan in place to protect its operational resilience?
  • What is its data retention policy? Apart from falling short of most regulations (e.g. GDPR), data hoarding is an unacceptable security risk.

3. Access control and authentication

On a note related to data protection, examine what measures your third party takes to protect itself in its relationships with its own third parties. This form of so-called ‘fourth-party risk management’ may sound like adding layers of complexity to an already exhaustive process, but is unavoidable and necessary. “Fourth-party risk” doesn’t even begin to capture the scale of the dangers your organisation is exposed to – it’s probably better described as “omni-party risk” – but there are automated tools that can help you to manage it. Ask your third parties:

  • How do they handle their own third-party access and vendor management?
  • What is the offboarding process like when it comes to revoking access privileges?
  • How do they manage user access? Do they use multifactor authentication (MFA)? 

4. Security: Policies and procedures

Admin is not everyone’s favourite task, but it serves a vital role in ensuring business continuity in the event of a cyber incident.

Creating policies and procedures is one thing, but keeping them up to date and having someone in charge of their implementation is another. Your third party may have a dedicated security team, but who has responsibility for enforcing and maintaining its cybersecurity policies and procedures? Does anyone outside the IT security team even know about them (see ‘Training and awareness’)?

  • When were the third party’s policies and procedures last updated?
  • Who has ownership of them?
  • What is the process for responding to security incidents?

5. System and network security

As we’ve touched on, getting a handle on how your third parties deal with their own suppliers is key to understanding the breadth of your own attack surface. In an ideal world, all organisations would be operating on a model of shared responsibility, and continuously maintaining their security postures in an effort to protect each other, as well as themselves.

Until that happy day arrives, you can only control what you can control. You must be able to demonstrate to all of your stakeholders that you are doing everything possible to manage and mitigate risk, as well as prevent data breaches.

To that end, start viewing your third parties as part of your own cyber security posture. This will minimise your own number of attack vectors and improve your security rating.

  • What kind of cyber threat monitoring does the third party do?
  • What is its risk rating?
  • Are its systems and software regularly patched and updated?
  • Does it use encryption for all of its data, in transit and at rest?

Our Solution: Orbit Diligence

Instead of juggling multiple open-source and paid-for tools, Orbit Diligence will automate your IT Security questionnaire building, issuance, communication, and reporting.

Reporting is essential to any IT security team, and speaking senior management’s language is crucial. We help by providing off-the-shelf reports:

Management reporting

Our cyber security ratings present complex information in a way that’s easy for both stakeholders outside your team and senior management to understand, allowing you to communicate clearly and effectively what your security pain points are and what resources you need to address them.

Vendor risk reporting

You will be instantly notified if one of your third parties has its security rating downgraded. We will engage with them at your request to provide free and full access to their own threat intelligence assessment, improving the security of your entire ecosystem.


Orbit Diligence

Orbit Diligence

Automate your DDQ and RFI processes for a wide range of use cases, accessing a library of off-the-shelf questionnaires and risk frameworks.

Learn more

Contact an expert

Robert Smith

Robert Smith

Head of SaaS Sales and Customer Success 

Roland Thomas

Roland Thomas

Associate Director | Cyber Risk